INC-198571 · Issue 708634
SSO update
Resolved in Pega Version 8.8
In order to ensure shared SSO direct links are used as intended, an update has been made which will explicitly require re-authentication for each use of a direct link.
INC-222404 · Issue 727870
AccessToken can be used for both OIDC SSO and Connect-REST
Resolved in Pega Version 8.8
When trying to specify the AuthenticationProfile with grant_type ‘authorization_code’ in the Connect-REST rule, the AccessToken was not being retrieved, and the error "services.OutboundMappingException: Caught Exception while creating OAuth2 client, Caused by: PRRuntimeException: Unable to obtain access token for client details in authentication profile configured for connector" was generated. The usage case desired is to use the same token for both OIDC SSO and Connect-REST. This worked when the scope was the same, but the key was constructed with a space between the scope and the operator ID while saving the token to the cache. The constructed key did not have this space when fetching the token during Connect-REST. To support the desired use, logic has been added to make the appropriate trim for scope in cache key generation in oauth2clientimpl.
INC-207996 · Issue 709665
Check added for parent case dependency if deferred-save is used
Resolved in Pega Version 8.8
After updating the status of a parent case to "Pending-ChildCaseDependency", the wait shape for the child case that should have been triggered by the status did not work and the child case remained on hold. This was a missed use case for the pxCheckFlowDependencies activity where defer-save operations on Index-AssignDeps class was not considered, and may happen when the Queue Processor is evaluating the dependencies while instances to Index-AssignDeps are not committed yet. To resolve this, code has been added to check the entry of the parent case dependency in deferred-save if its not present in Index-AssignmentDeps table.
INC-215343 · Issue 711143
Security updates
Resolved in Pega Version 8.8
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
INC-211426 · Issue 706059
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.8
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-216053 · Issue 716445
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.8
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-207218 · Issue 706367
Check added to prevent duplicate approval by single agent
Resolved in Pega Version 8.8
When using a cascading Approvals process supported both by a web access button or by responding via email, a single agent could use both methods and advance a case an additional step as if they were the next approval level. This was due to the system only checking the pzInsKey when processing the approval while the assignment key will be the same for the cascading approvals assignments. This has been resolved by introducing a datetime check to validate if the email approval assignment creation datetime and the one in the database have same value; if yes the approval process will proceed and if not it will exit.
INC-215499 · Issue 714488
Assignment routing updated for swimlanes
Resolved in Pega Version 8.8
Routing options were not working for workbasket routing when using swimlanes. Investigation showed that when an assignment was added inside the swimlane, the assignment type value was defaulting to Worklist on submit of the assignment property panel. Manually changing it to workqueue did not make the routing section visible. This has been resolved by adding a 'visible when' condition to the "Route To" field to check if the assignment is not in the swimlane. The same check has been added to a 'disable when' condition for the 'Assignment type' drop down.
INC-216154 · Issue 718234
SMTPPort parameter will be passed to ForgotPasswordUtil
Resolved in Pega Version 8.8
When a user triggered the "Trouble Signing in" function, the SentEmailNotification activity connection was trying to use port 25 even if the SMTP Port was configured as 587 in the Email Account instance. This was due to the SMTP Port not being passed to the SentEmailNotification activity, causing a fallback to port 25 for non-SSL connections. In order to ensure SendEmailNotification uses a specified port if configured, pySMTPPort will be passed to ForgotPasswordUtil.java.
INC-224299 · Issue 736466
CaseTypeClass property created in @baseclass for better upgrade compatibility
Resolved in Pega Version 8.8
When trying to use page-validate on pyWorkPage the error "The page contains an undefined property: pyWorkPage.pyAddableWorkList(1).caseTypeClass\nValidation failed: Errors Detected" was generated. This was traced to the difference in handling for old casetypes from earlier versions of Pega, and has been resolved by creating the caseTypeClass property in @baseclass.