Troubleshooting

Symptom	Possible Causes
oidc-config.yaml not found	The file is not on the runtime classpath while application.isSSOEnabled=true.
Invalid issuer	Token iss does not exactly matchoidc.issuer.
Invalid audience	Token aud does not contain the expected client/audience.
PASService returns 401	Basic credentials failed password grant, token validation failed, or token roles do not match web.xml.
CycleServicereturns unauthorized	Token is invalid or expired, user does not exist in OIPA, user has no security group, or user lacksSubmitTask / CycleService authorization.
OIPA login succeeds at IdP but fails locally	Mapped clientNumber claim is missing, user is inactive, no security group is assigned, or configured company/security group GUIDs are invalid.
SCIM sync creates no users	SSO is disabled, scimUri is missing, client credentials grant is disabled, SCIM response does not contain Resources, or SCIM groups do not match OIPA security group names.

Symptom

Possible Causes

oidc-config.yaml not found

The file is not on the runtime classpath while application.isSSOEnabled=true.

Invalid issuer

Token iss does not exactly matchoidc.issuer.

Invalid audience

Token aud does not contain the expected client/audience.

PASService returns 401

Basic credentials failed password grant, token validation failed, or token roles do not match web.xml.

CycleServicereturns unauthorized

Token is invalid or expired, user does not exist in OIPA, user has no security group, or user lacksSubmitTask / CycleService authorization.

OIPA login succeeds at IdP but fails locally

Mapped clientNumber claim is missing, user is inactive, no security group is assigned, or configured company/security group GUIDs are invalid.

SCIM sync creates no users

SSO is disabled, scimUri is missing, client credentials grant is disabled, SCIM response does not contain Resources, or SCIM groups do not match OIPA security group names.