Why is an end-user who is logged in with Pass-Through Authentication (PTA) ending up back at my login page whenever they try to view the knowledge base?
Pass-Through Authentication (PTA)
Pass-Through Authentication (PTA) is designed to be a transparent login integration between the Oracle end-user pages and the site from which the end-user is accessing your Oracle Service Cloud site (such as another login portal).
If PTA fails to validate the user’s login information, no error is thrown. The Oracle Service Cloud application simply redirects the user to the value stored in the PTA_EXTERNAL_LOGIN_URL configuration setting.
To determine why the PTA URL failed to validate the end-user and log the user in to the knowledge base, use the steps below:
- Locate the PTA URL for the end-user who is having problems. You can often find this by right-clicking the link that the end-user would click to view the knowledge base and selecting copy shortcut or copy link.
- Find and remove the p_li parameter from the URL and grab the PTA string. This will generally be all the data in the URL after ‘p_li=’.
- Paste the PTA string into a base64 decoder and decode the string. (Note: This will only work with a non-encrypted string. If using an encrypted string, a decrypting tool must be used instead.)
- Now that you can see what information the PTA string contains, review the following items for the issue occurring with your site.
Item 1: Are the user name and password correct for the contact record stored in the Oracle Service Cloud database?
- Log in to the administrative console and locate the contact record based on the email address found in the PTA string above.
- Compare the login to the p_userid value. These values must match (case-sensitive) in order for PTA to properly validate the user.
- If these values do not match, please update and save the contact record.
The password field cannot be added within the contact workspace. See Answer ID 2718: Contact Password Encryption in February 2009 for more information. Customers using pass-through authentication (PTA) will need to use the Data Import Wizard if updates to contact passwords are needed.
Item 2: Does the p_li_passwd parameter appear in the PTA string?
The value passed in the p_li_passwd parameter must match the value stored in the PTA_SECRET_KEY configuration setting.
Log in to the administrative console and locate the PTA_SECRET_KEY.
Path to setting(s): Select Configuration from the navigation area > Site Configuration > Configuration Settings > and search by Key.
Item 3: Does the p_li_expiry parameter appear in the PTA string?
The value passed in the p_li_expiry parameter causes the PTA string to become invalid at the date and time specified in the UNIX timestamp value. NOTE: The value for this parameter needs to be in UNIX time.
To investigate this:
- Convert the UNIX timestamp to conventional date and time.
- Make sure this is set to a time that is in the future from the point in time the login attempt is made. If the parameter is set in the past, the PTA string immediately becomes invalid.
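The steps and the three items above can be run locally in one pass, which also keeps the p_li_passwd value out of third-party decoder sites. This is an added example, not Oracle's code. It assumes the decoded string is a set of key=value pairs joined by '&'. The host name, login and secret in the sample are constructed.

```python
import base64
import binascii
import hmac
import time
from urllib.parse import unquote


def decode_pta_url(url):
    """Return the fields carried in an unencrypted p_li value as a dict."""
    if "p_li=" not in url:
        raise ValueError("no p_li parameter in URL")
    pta = unquote(url.split("p_li=", 1)[1])      # all data after 'p_li='
    pta += "=" * (-len(pta) % 4)                 # restore stripped padding
    try:
        text = base64.b64decode(pta, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("not plain base64 text; string may be encrypted") from None
    # Assumed layout: key=value pairs joined by '&'
    return dict(p.split("=", 1) for p in text.split("&") if "=" in p)


def check_pta(fields, contact_login, secret_key=None, now=None):
    """Run the three checks from the page; return a list of problems found."""
    now = time.time() if now is None else now
    problems = []
    if fields.get("p_userid") != contact_login:      # Item 1, case-sensitive
        problems.append("p_userid does not match contact login")
    if secret_key is not None:                       # Item 2
        sent = fields.get("p_li_passwd", "")
        if not hmac.compare_digest(sent.encode(), secret_key.encode()):
            problems.append("p_li_passwd does not match PTA_SECRET_KEY")
    expiry = fields.get("p_li_expiry")               # Item 3
    if expiry is not None:
        if not expiry.isdigit():
            problems.append("p_li_expiry is not a UNIX timestamp")
        elif int(expiry) <= now:
            problems.append("p_li_expiry is in the past")
    return problems


# Constructed sample: wrong letter case in the login and an expiry from 2001.
_payload = "p_userid=JSmith&p_li_passwd=example-secret&p_li_expiry=1000000000"
SAMPLE_URL = ("https://support.example.com/login?p_li="
              + base64.b64encode(_payload.encode()).decode())

if __name__ == "__main__":
    fields = decode_pta_url(SAMPLE_URL)
    for problem in check_pta(fields, "jsmith", "example-secret"):
        print(problem)
```

An encrypted PTA string raises ValueError in decode_pta_url, matching the note above that such strings need a decrypting tool instead.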