SR-B38317 · Issue 295056
Password expiry logic updated to use start of day
Resolved in Pega Version 7.3
Previously, the password expiry logic was based on a tight format of number of days+ timeStamp. This caused scenarios such as not prompting for a password reset when user logs in, but rather at the exact time stamp of the previous change even if that comes in the middle of work and throws the user out of the session. To avoid this behavior, the password expiry logic is now based on number of days logic with timeStamp defaulted to start of day (00.00) taking care of locale and getting difference in number of days.
INC-134046 · Issue 575238
database locking improved for login performance
Resolved in Pega Version 8.5
A slowness issue seen when trying to login to my.pega.com was traced to numerous database locks occurring on the pr_data_saml_authreqcontext table during the SAML flow. Analysis showed that while running Obj-Save on AuthRequestContext with 'OnlyIfNew' as false, the check caused a select query to run on the table to determine if the context was already there and insert it if it was not. To resolve this, the onlyIfNew check will default to true to avoid running the query; if the context is already present it will be overridden. Duplicate key exception handling has also been added to avoid any issues if a resave is done with same key.
SR-D79181 · Issue 551124
OKTA receives parameters on logout
Resolved in Pega Version 8.5
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-B44199 · Issue 300058
Fixed Access Control Policy in Assign- classes
Resolved in Pega Version 7.3
An error was generated when attempting to create an Access Control Policy in Assign- classes. This was due to a missing use-case, and has been corrected.
SR-B44199 · Issue 299984
Fixed Access Control Policy in Assign- classes
Resolved in Pega Version 7.3
An error was generated when attempting to create an Access Control Policy in Assign- classes. This was due to a missing use-case, and has been corrected.
SR-B44199 · Issue 297134
Fixed Access Control Policy in Assign- classes
Resolved in Pega Version 7.3
An error was generated when attempting to create an Access Control Policy in Assign- classes. This was due to a missing use-case, and has been corrected.
SR-B42009 · Issue 304044
Authentication timeout smoothed for re-login
Resolved in Pega Version 7.3
If custom authentication was used with a stream specified to enter credentials upon authentication timeout, re-login failed after the timeout. This was traced to two issues: first, the custom configuration defaulted to using the out-of-the-box stream "Web-TimeOut", which expects the password to be in base64 encoded format and so attempts to base64 decode it. This caused an authentication failure. Second, when restarting with authentication instead of a timed-out request, the starting activity of operator was being executed and the portal was rendered unexpectedly. To resolve this, the object references needed for the successful resumption will be cloned when there is authentication timeout and used for redirection upon successful authentication.
SR-B38602 · Issue 296751
Login error message modified for increased security
Resolved in Pega Version 7.3
When an operator was configured to use External authentication and then attempted to login through other servlets, the error message included the operator ID. This could be used maliciously to discover valid IDs on the system, so in order to improve security, the process has been modified to remove the ID from the failure message. If authentication fails, the message "The information you entered was not recognized." will be displayed and the system will log an error message in the PegaRULES log file with the actual message "Error authenticating , : This user must use external authentication."
SR-B38602 · Issue 297290
Login error message modified for increased security
Resolved in Pega Version 7.3
When an operator was configured to use External authentication and then attempted to login through other servlets, the error message included the operator ID. This could be used maliciously to discover valid IDs on the system, so in order to improve security, the process has been modified to remove the ID from the failure message. If authentication fails, the message "The information you entered was not recognized." will be displayed and the system will log an error message in the PegaRULES log file with the actual message "Error authenticating , : This user must use external authentication."
SR-D96395 · Issue 555118
CDK key loading modified for better database compatibility
Resolved in Pega Version 8.5
Users were unable to log on to the system and received the error "There has been an issue; please consult your system administrator." Investigation showed the log errors stating "(dataencryption.DataKeyProvider) ERROR localhost - Could not get CDK from systemKeyManagementCache - System CDK is null". This was an issue specific to the MS SQL Server database when there were 6 or more CDKs in the database: CDK keys are loaded from database into Cache using an SQL statement which had the ORDER clause. By default, the ORDER clause treats NULL values differently on different databases, and this caused MS SQL databases to not load a necessary CDK key. To resolve this, the SQL query has been modified so the result will be the same for all supported daatbases (Oracle, Postgres & MS SQL Server).