SR-D46681 · Issue 514432
SnapStart supports SAML2 Authentication
Resolved in Pega Version 8.3.2
When using an HTTP Post to SnapStart into Pega using PRCustom style or PRAuth style SAML authentication, the login was looping back to the login request. Investigation showed that the Pega ACS was posting data properly back to the RelayState URL, however the login activity was not getting the SAMLResponse and simply sent a SAML Login Request again. This has been fixed by updating reqContextURI in case of SAML2 Authentication service so pyActivity=value will be passed.
SR-D29127 · Issue 506863
SAML data pages restored after passivation
Resolved in Pega Version 8.2.4
If login used SAML SSO, resuming the session after passivation resulted in missing or empty data pages when using an SAP integration with Pega Cloud. This was traced to a security change that modified the D_SAMLAssertionDataPage and D_SamlSsoLoginInfo data pages as readonly, causing them to not be passivated under these conditions. To resolve this, the data pages have been made editable so they will be restored as expected. This change also resolves any difficulty with SAML logoff activities in conjunction with SAP and Pega Cloud.
SR-D54120 · Issue 541351
Improved handling for attachments not using UTF-8 encoding
Resolved in Pega Version 8.3.2
When an email was received that used a charset encoding other than UTF-8, special characters in the HTML body were not displayed and instead the replacement character was shown. To resolve this, the system will read the encoding from the email rather than use the meta tag, and will add the attachment's HTML encoding information in Data-WorkAttach-File so that the same can be used to process and display the original HTML properly.
SR-D41454 · Issue 506535
Updated HotFix Manager for use in older versions
Resolved in Pega Version 8.3.2
The DL logic in Hotfix Manager was changed in 8.3 to include the catalog of all framework changes. This had the unintended side effect of preventing DLs from being installed in Pega 7.3.1 and lower versions as the versions included in the catalog are not present on those systems and the validation failed. This has been resolved by revising the DL update so the system will only add all apps to the catalog for platform 7.4+ DLs.
SR-D58702 · Issue 519241
Updated HotFix Manager for use in older versions
Resolved in Pega Version 8.3.2
The DL logic in Hotfix Manager was changed in 8.3 to include the catalog of all framework changes. This had the unintended side effect of preventing DLs from being installed in Pega 7.3.1 and lower versions as the versions included in the catalog are not present on those systems and the validation failed. This has been resolved by revising the DL update so the system will only add all apps to the catalog for platform 7.4+ DLs.
SR-D63232 · Issue 524294
Support added for Authentication service rule attributes in embedded pages
Resolved in Pega Version 8.3.2
SSO login was not working, giving the error "Unable to process the SAML WebSSO request : No value specified for Attribute in SAML assertion". Investigation showed the Authentication service rule could only map attributes that are on the top level page and did not consider embedded page values. To resolve this, tools.getProperty will be used to fetch the property reference value instead of find Page and getString.
SR-D56409 · Issue 520742
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.3.2
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to the use of URLEncryption: URLEncryption uses a Pega-supplied base64 to encode the cipher text with MIME type encoding by default, which adds newline character after every 72 characters. This is not compatible with site-minder. which has policies to restrict newline characters in the URL. As a result, none of the encrypted requests were being processed. To resolve this, post-processing logic has been added to remove newline characters from encoded text. This change has also been applied top URLObfuscation.
SR-D28460 · Issue 509365
Added timeout handling for non-PRAuth servlets
Resolved in Pega Version 8.2.4
After logging in via external authentication service (SAML Single Sign On) and setting up a timeout in the access group RuleForm, when the user performed any action and the server identified the request to be timed-out, it was expected that a SAML request would be sent from the browser to the external Authentication Server (referred as IDP) and the flow would proceed from there. This worked as expected for a non-AJAX request. To resolve this, handling has been added for timeout when using non-PRAuth authentication services.
SR-D50539 · Issue 521149
DB locking improved for login performance
Resolved in Pega Version 8.3.2
A slowness issue seen when trying to login to my.pega.com was traced to numerous DB locks occurring on the pr_data_saml_authreqcontext table during the SAML flow. Analysis showed that while running Obj-Save on AuthRequestContext with 'OnlyIfNew' as false, the check caused a select query to run on the table to determine if the context was already there and insert it if it was not. To resolve this, the onlyIfNew check will default to true to avoid running the query; if the context is already present it will be overridden. Duplicate key exception handling has also been added to avoid any issues if a resave is done with same key.
SR-D37894 · Issue 505974
Query parameters will be cleared after redirection from authentication
Resolved in Pega Version 8.3.2
When using the /PRAuth Servlet, running a snapstart URL generated from a secondary application correctly executed SAML Authentication and Pega processing, but a second URL generated with different parameters ran with the parameters from the first request. The third and subsequent requests processed as expected with the parameters sent in with the request. Investigation showed that the previous parameters were picked due to the query string parameters not being cleared after redirection, and this issue has been resolved by updating the system so it will clear the parameters after issuing a redirect from the authentication policy engine.