SR-D43811 · Issue 511921
Code fragment removed to resolve CookieDisabledException
Resolved in Pega Version 8.2.4
After upgrade, a CookieDisabledException occurred after a post activity was invoked in the single sign-on (SSO) authentication service. This was traced to the site using the deprecated flag "redirectguests" as part of SSO-based login for mashup usecases. This flag was used to check if a cookiedisabled exception was thrown or not, and if there was no cookie, if a requestor was authenticated in first request. However, the flag has been removed as part of work done to omit the Cookie support check on Mobile App UAs. Code that supported the use of this flag remained after that work and led to the exception being generated, but has now been removed as well.
SR-B55660 · Issue 316375
Removed "SHA1" hard coding from SAMLRedirectBindingHandler
Resolved in Pega Version 7.3.1
SAML logout failure was seen after using SHA256 signature encoding on an IDP that does not support SOAP. Previously,"SHA1" was hard coded to be used for verification of certificate during logout in the case of HTTP-Redirect Binding; this hard coding has now been removed from SAMLRedirectBindingHandler.verify() .
INC-157095 · Issue 638808
Enhancement added for tenant-level authentication
Resolved in Pega Version 8.7
In a multi-tenant PDC with a few tenants that utilize their own custom SSO, a pre-authentication activity inside a tenant that should block community access was also affecting tenants that did not have that pre-auth activity set. This was a missed use case and has been resolved by adding a tenantId hash in SchemePRAuth.makeUniqueSchemeName() to create the authServiceName.
INC-177737 · Issue 663141
Authentication requirement updated for CallConnector
Resolved in Pega Version 8.7
After update, invoking a REST API call during SSO login which eventually called pxCallConnector (Final Activity) in @baseclass Pega-RulesEngine failed at the CallConnector step. This was caused by a change in recent Pega versions which enabled authentication for this activity, and has been resolved by marking the activity as internal and disabling the authentication requirement.
INC-211426 · Issue 706060
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.7.2
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
INC-216053 · Issue 716444
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.7.2
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.
SR-D25972 · Issue 501482
Handling added for custom error message in post-authentication activity
Resolved in Pega Version 8.2.4
The error message in post authentication activity was always appearing as 'Login terminated because a post-authentication activity or policy failed' irrespective of the actual message being conditionally set in the activity based on post authentication logic. Investigation showed that the parameter page in the SSO post-authentication activity was not being passed to the 'pzShowAuthPolicyError' activity due to the post-authentication activity executing in authenticated context whereas the HTML fragment executed in the un-authenticated context. In order to support this use, post-authentication activity will set the error message on a predefined property and propagate that to the HTML fragment by appending the error message as a query parameter in the redirect exception URL post-authentication failure.
SR-B66454 · Issue 316846
Support added for filtering labels in Join
Resolved in Pega Version 7.3.1
When class join was used in a report and the property used for filtering was a SinglePage property of the join class, then the label was not coming up in the Report Filter section. This was due to filtering labels not being shown when Join is used, and support for this has been added.
SR-B41092 · Issue 315609
Large Data Page works on repeating layout
Resolved in Pega Version 7.3.1
Using LDPs for Dynamic selects worked as expected in a mobile app, but not when used for a repeating layout in a mobile app or offline. This was traced to an issue when DP with node scope was used; regex to get the actual DP name from hashed version was not working. This has been fixed.
SR-B73514 · Issue 324049
Added new function to bypass URLScan MaxURLLength
Resolved in Pega Version 7.3.1
When Pega is fronted by Microsoft IIS WebServer with either a proxy or Web Application Server plugin, the IIS advanced security options, URLScan, are used to limit the size of URLs. When the URLScan MaxURLLength is set below about 600 characters a major static content request for core PRPC UI JavaScript files is blocked. This is a known issue when using IIS Web Server, but to enable expanded use, a 'when' function named pyIsForcedSplitJS has been added that allows overwrite as required by dividing pzHarnessStaticScripts into 4 chunks to decrease length. The format is