Troubleshooting

The information below contains fixes for discovered issues.

 

Third Party Cookies

NYC.ID requires the use of cookies for the proper functioning of Gigya's Web SDK. Because Gigya's scripts are loaded directly from Gigya's servers, they generate cookies that are considered third-party due to the origination domain belonging to Gigya. On some browsers and devices, this causes issues when third-party cookies have been disabled. To learn how to enable third-party cookies, click the link for your Web browser:

 

Accessing NON-PRD

If you are unable to connect to the Non-Production Environment from your Web browser on Citynet, please verify that your LAN Settings and Proxy server configuration are correct. After verifying your configuration, if you are still unable to connect, open a ticket with the CityWide Service Desk.

 

Debug SAML Requests and Responses

Install the SAML-tracer Firefox add-on or SAML Chrome Panel to view SAML messages sent through the browser during single sign-on and single logout.

  • Verify that the value of the X509Certificate element in your application's SAML request to the IdP matches the X.509 Certificate in the NYC.ID Console.

 

Wallet is Not Open

If a Web Service returns the following error:

{"cpui.exception":"ORA-28365: wallet is not open\n"}

Open a ticket with the CityWide Service Desk.

  1. If you have access to Cityshare, open the ticket through My Desk.
  2. If you don't have access to Cityshare, and therefore My Desk, call the Citywide Service Desk.

Include the following information in the ticket:

  1. Team/Unit That the Request Should be Assigned to: Portal Support
  2. Request Type: NYC.ID wallet is not open
  3. Environment: Non Production (NON-PRD), or Production (PRD)

 

Web Service Authentication Failed

If a Web Service returns the error below, your application is calculating an incorrect authentication signature.

{"cpui.failedToAuthenticate":"The combination of userName and signature is incorrect."}
Your application may be generating an incorrect signature because your application is using an incorrect:

NYC.ID Service Account Password

First, check that you have a NYC.ID Service Account for the NYC.ID environment you are working with. Once you have confirmed you have a NYC.ID Service Account, then ensure your password:

  1. is associated with the correct environment,
  2. is exactly 64 characters, and
  3. leading and trailing spaces are trimmed from the password when calculating the authentication signature.

Incorrect StringToSign

If Prevent Replay Attacks is enabled for your NYC.ID Service Account, you must include the "dateTime" parameter in your StringToSign.

Incorrect HMAC Algorithm

Ensure your application is using the correct HMAC algorithm. Signature algorithms are included in the Web Services page (e.g., Signature Algorithm – Java).

Incorrect Character Encoding

If your application stores its password in an Oracle database:

  1. the data type must be NVARCHAR2 and
  2. the connection pool property, oracle.jdbc.defaultNChar, must be true.

Incorrect Storage of Password

If your application stores its NYC.ID Service Account password in a property file, ensure your application is not silently dropping backslashes or other special characters before generating the authentication signature. If this is encountered, request a new NYC.ID Service Account password.

 

SAML 2.0 Single Logout Not Working

During SAML 2.0 Single Logout, if your application does not log the user out of all applications he or she is logged into, your Service Provider (SP) metadata may be incorrect or your application may be misconfigured. Learn about Generating Service Provider Metadata.

Spring Security

When responding to a SAML 2.0 Single Logout, your application may not log out the user. To resolve this issue:

  1. Verify that your application responds with a "StatusMessage" equal to "The SessionIndex was not found" and does not destory the user's session (i.e., The user is not logged out.).
  2. Create a custom class that extends org.springframework.security.saml.websso.SingleLogoutProfileImpl.
  3. Override the processLogoutRequest method. Include all lines of code in the parent method and the equalsNameID and differ methods from the parent class (since they are private within it). Within the equalsNameId method, comment equals = equals && !differ(a.getFormat(), b.getFormat());
  4. Within your application's security context, replace the class of this bean with the custom class created above.

    <bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
  5. Build and redeploy your application.
! IMPORTANT: This workaround is temporary. Gigya has confirmed this to be a defect.

 

Expired SAML Assertion

During login, if your application displays the error message "The SAML assertion is outside the valid time period," verify that the date and time of the operating system running the Service Provider (SP) is correct.

 

SHA-256 SAML Assertions

Follow these steps to configure your application to accept SHA-256 SAML Assertions.

Spring Security

  1. Add this Java class to your application.

    import org.opensaml.Configuration;
    import org.opensaml.xml.security.BasicSecurityConfiguration;
    import org.opensaml.xml.signature.SignatureConstants;
    import org.springframework.beans.factory.InitializingBean;
    
    public class SAMLConfigurationBean implements InitializingBean {
    
        @Override
        public void afterPropertiesSet() {
            BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
            config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
            config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        }
    }
    
  2. Add this Spring bean to your configuration.

    <bean class="SAMLConfigurationBean"/>

ComponentSpace

The following configuration is recommended:

  • Windows 2012 R2 (or newer)
  • Application is using .NET Framework 4.0 (or newer)

The following configuration is not recommended, but may work:

  • Windows 2008 R2 (or newer) with all patches applied
  • Application is using .NET Framework 3.5
  • .NET Framework 4.6.2 (or newer) is installed