INC-217974 · Issue 715429
Handling added BIX extraction failure when called from custom activity
Resolved in Pega Version 8.6.5
After update, BIX extraction was failing but email from the schedulers indicated success. Investigation showed that when extract was called from a custom activity by calling pxExtractDataWithArgs, the stepStatusFail 'when' rule in the custom activity was not capturing all the exceptions specific to database extracts. This has been resolved by adding the necessary handling.
INC-173725 · Issue 656480
Logic updated for DX API retrieving View/Action ID using embedded property
Resolved in Pega Version 8.7
While calling the DX API using Assignment ID and action ID, a 500 error response was logged indicating that the server encountered an unexpected condition that prevented it from fulfilling the request. Investigation traced this to the logic used for resolving an embedded property referenced in a control/field to identify the correct page class. In a non-work object context for flow actions the new assign page doesn't exist, but the system was checking for it and clearing off errors from the named page. This has been corrected.
INC-176274 · Issue 666390
Timeout check added to authorization to preserve portal context
Resolved in Pega Version 8.7
When using SAML SSO Authentication Service with "Use access group timeout" and "Redirect to IDP login after logout" selected and "Force authentication" not selected, manually logging out correctly returned the view to the custom SSO login page but the timeout logout returned the default Pega login page as if SSO was not in use. Analysis showed there was a "Failed to open portal" error after doing some action post timeout, and this was traced to pyPortal page not having a value. Investigation showed this was blank due to the creation of new thread while the requestor state was perceived as unauthenticated because of the timeout. To resolve this, a timeout check has been added to the following: Authorization#setActiveAccessGroup(java.lang.String, boolean, boolean, java.util.Map) BasicApplicationContextImmutableImpl#applyApplicationProperties
SR-D28460 · Issue 509365
Added timeout handling for non-PRAuth servlets
Resolved in Pega Version 8.2.4
After logging in via external authentication service (SAML Single Sign On) and setting up a timeout in the access group RuleForm, when the user performed any action and the server identified the request to be timed-out, it was expected that a SAML request would be sent from the browser to the external Authentication Server (referred as IDP) and the flow would proceed from there. This worked as expected for a non-AJAX request. To resolve this, handling has been added for timeout when using non-PRAuth authentication services.
SR-D33491 · Issue 511727
Code fragment removed to resolve CookieDisabledException
Resolved in Pega Version 8.2.4
After upgrade, a CookieDisabledException occurred after a post activity was invoked in the single sign-on (SSO) authentication service. This was traced to the site using the deprecated flag "redirectguests" as part of SSO-based login for mashup usecases. This flag was used to check if a cookiedisabled exception was thrown or not, and if there was no cookie, if a requestor was authenticated in first request. However, the flag has been removed as part of work done to omit the Cookie support check on Mobile App UAs. Code that supported the use of this flag remained after that work and led to the exception being generated, but has now been removed as well.
SR-D43811 · Issue 511921
Code fragment removed to resolve CookieDisabledException
Resolved in Pega Version 8.2.4
After upgrade, a CookieDisabledException occurred after a post activity was invoked in the single sign-on (SSO) authentication service. This was traced to the site using the deprecated flag "redirectguests" as part of SSO-based login for mashup usecases. This flag was used to check if a cookiedisabled exception was thrown or not, and if there was no cookie, if a requestor was authenticated in first request. However, the flag has been removed as part of work done to omit the Cookie support check on Mobile App UAs. Code that supported the use of this flag remained after that work and led to the exception being generated, but has now been removed as well.
INC-157095 · Issue 638808
Enhancement added for tenant-level authentication
Resolved in Pega Version 8.7
In a multi-tenant PDC with a few tenants that utilize their own custom SSO, a pre-authentication activity inside a tenant that should block community access was also affecting tenants that did not have that pre-auth activity set. This was a missed use case and has been resolved by adding a tenantId hash in SchemePRAuth.makeUniqueSchemeName() to create the authServiceName.
INC-214974 · Issue 721181
Documentation updated for accessing D_pyUserInfoClaims
Resolved in Pega Version 8.6.5
When logging in using Org Credentials, trying to get the user details from D_pyUserInfoClaims did not return any information. This was due to the D_pyUserInfoClaims datapage being available only after authentication, so the claims information was not available during operator provisioning. The documentation located at https://docs.pega.com/security/86/mapping-operator-information-openid-connect-sso-authentication-service has been updated to include the following note: "This page becomes available and can only be accessed post authentication."
INC-177737 · Issue 663141
Authentication requirement updated for CallConnector
Resolved in Pega Version 8.7
After update, invoking a REST API call during SSO login which eventually called pxCallConnector (Final Activity) in @baseclass Pega-RulesEngine failed at the CallConnector step. This was caused by a change in recent Pega versions which enabled authentication for this activity, and has been resolved by marking the activity as internal and disabling the authentication requirement.
SR-D25972 · Issue 501482
Handling added for custom error message in post-authentication activity
Resolved in Pega Version 8.2.4
The error message in post authentication activity was always appearing as 'Login terminated because a post-authentication activity or policy failed' irrespective of the actual message being conditionally set in the activity based on post authentication logic. Investigation showed that the parameter page in the SSO post-authentication activity was not being passed to the 'pzShowAuthPolicyError' activity due to the post-authentication activity executing in authenticated context whereas the HTML fragment executed in the un-authenticated context. In order to support this use, post-authentication activity will set the error message on a predefined property and propagate that to the HTML fragment by appending the error message as a query parameter in the redirect exception URL post-authentication failure.