Troubleshooting Web Application Issues

For issues with private web applications (pages not loading, content not rendering), the PRA workload logs will show proxying activity and errors. Look for entries related to the web application's private URL.

Browser developer tools can also help diagnose rendering issues:

  • HAR file: Captures all network requests between the browser and the public URL, useful for identifying failed requests or slow responses.

  • Console output: May show JavaScript errors or blocked resource warnings.

When contacting Delinea Support about web application issues, provide the PRA workload logs, a HAR file, and browser console output.

Web Application Issues

If a private web application does not load or render correctly:

  1. Verify the private URL is reachable from the Platform Engine host.

  2. Check the PRA workload logs on the engine for errors. See Troubleshooting the PRA Workload for log file locations and naming conventions.

  3. You can also view engine and workload logs in the Platform UI. (Learn more)

  4. Note that WebSockets are not supported. Some web applications that rely on WebSockets for real-time updates may not function as expected.

If the issue persists, collect a browser HAR file and console output alongside the PRA workload logs when contacting Delinea Support.

Web Application Returns 500 Error or Redirect Loop After Authentication

If the web application displays a 500 Internal Server Error, a redirect loop, or an OIDC/SAML authentication failure when launched through PRA, the cause is likely that the application's web server or identity provider is not configured to accept the public Delinea hostname.

How PRA forwards requests: When a user launches a web application through PRA, the browser connects to the public URL (for example, https://myapp-myco.go.delinea.app). PRA proxies this request to the private URL, forwarding the Host header as the public hostname. Applications that are configured to accept only their private IP address or internal hostname will reject or mishandle these requests.

Common symptoms:

  • HTTP 500 error served by the application (not by PRA or Delinea)

  • The browser is redirected to the application's private IP address

  • OIDC login fails with an issuer mismatch or invalid redirect_uri

Confirming the root cause: If the PRA workload can reach the private URL directly (for example, via curl from the engine host), but the browser session fails, the issue is in the application's hostname or identity provider configuration — not in PRA connectivity.

Resolution — changes required on the application server (not in Delinea):

The following changes must be made by the customer's application administrator:

  1. Web server: Add the public Delinea hostname (for example, myapp-myco.go.delinea.app) as an accepted hostname in the virtual host configuration (ServerName / ServerAlias in Apache; server_name in nginx).

  2. Identity provider frontendUrl or issuer URL: If the application uses an identity provider such as Keycloak, Azure AD, Okta, or another OIDC/SAML provider, update the IdP's frontend URL or issuer URL to the public Delinea hostname. This ensures the IdP's token and authorization endpoints advertise the correct public URL.

    Example (Keycloak): In Realm Settings, set Frontend URL to https://myapp-myco.go.delinea.app.

  3. IdP client redirect URIs: Add the public Delinea callback URL to the list of valid redirect URIs in the identity provider client configuration.

    Example (Keycloak): In the client settings for the application, add https://myapp-myco.go.delinea.app/* to Valid Redirect URIs.

These configuration steps vary by application and identity provider. Refer to the vendor's documentation for reverse proxy configuration. For example, Keycloak documents this under "Configuring Keycloak behind a reverse proxy." The customer's application vendor or support team can assist with the specific settings.

TLS certificates on the private URL: If the private web application uses a self-signed TLS certificate, enable Skip certificate check in the web application's TLS settings in Delinea Platform, or upload the CA certificate used to sign the application's certificate.