Skip Navigation
Expand
Troubleshooting Pass-Through Authentication (PTA)
Answer ID 1978   |   Last Review Date 11/15/2022

Why is an end-user who is logged in with Pass-Through Authentication (PTA) ending up back at my login page whenever they try to view the knowledge base?

Environment:

Pass-Through Authentication (PTA)

Resolution:

Pass-Through Authentication (PTA) is designed to be a transparent login integration between the Oracle end-user pages and the site from which the end-user is accessing your Oracle B2C Service site (such as another login portal).  

If PTA fails to validate the user’s login information, no error is thrown. The Oracle B2C Service application simply redirects the user to the value stored in the PTA_EXTERNAL_LOGIN_URL configuration setting.

To determine why the PTA URL failed to properly validate the end-user and login the user into the knowledge base, use the steps below:

  1. Locate the PTA URL for the end-user who is having problems.  Many times you can find this by right clicking on the link in which the end-user would click on to view the knowledge base and selecting copy shortcut or copy link. 
     
  2. Find and remove the p_li parameter from the URL and grab the PTA string.  This will generally be all the data in the URL after you see ‘p_li=’ 
     
  3. Paste the PTA string into a base64 decoder and decode the string. (Note: Further character replacement may be necessary, as indicated in Answer ID 12390:  PTA string sometimes not creating new contact. Further, this will only work with a non-encrypted string. If using an encrypted string, a decrypting tool must be used instead.)
     
  4. Now that you can see what information the PTA string contains, review the following items for the issue occurring with your site.


Item 1: Is the user name and password correct for the contact record stored in the Oracle B2C Service database?

  1. Login into the administrative console and locate the contact record based on the email address found in the PTA string above.
     
  2. Compare the login to the p_userid value. These values must match (case-sensitive) in order for PTA to properly validate the user.
     
  3. If the p_passwd parameter is passed (only required if the PTA_IGNORE_CONTACT_PASSWORD configuration is set to 0 (disabled)), it must match the contact's password value.
     
  4. If these values do not match please update and save the contact record. (Note: The password field cannot be added within the contact workspace.  See Answer ID 2718: Contact Password Encryption in February 2009 for more information.  Customers using pass-through authentication (PTA) will need to use the Data Import Wizard if updates to contact passwords are needed.)


Item 2: Does the p_li_passwd parameter appear in the PTA string?

If encryption isn't used the p_li_passwd parameter is required. The value passed in the p_li_passwd parameter must match the value stored in the PTA_SECRET_KEY configuration setting.

Login into the administrative console and locate the PTA_SECRET_KEY.

Path to setting(s): Select Configuration from the navigation area > Site Configuration > Configuration Settings > and search by Key.


Item 3: Does the p_li_expiry parameter appear in the PTA string?

The value passed in the p_li_expiry parameter causes the PTA string to become invalid at the date and time specified in the UNIX timestamp value. NOTE: The value for this parameter needs to be in UNIX time.

To investigate this:

  1. Convert the UNIX timestamp to conventional date and time. 
     
  2. Make sure this is set to a time that is in the future from the point in time the login attempt is made.  If the parameter is set in the past, the PTA string immediately becomes invalid.
Note that the p_email.addr (contact email address) parameter is not used for authentication. This parameter is required to create and authenticate (in the same request) a contact record through PTA.

Available Languages for this Answer:

Notify Me
The page will refresh upon submission. Any pending input will be lost.