SR-A101242 · Issue 270252
STS Policy parsing fixed for Apache Rampart
Resolved in Pega Version 7.2.2
Changes to the Apache Rampart code in Pega 7 introduced an error with parsing the the Web-Service-Policy with a PRCustom activity that writes the SAML token to the requestor during login with an STS / SSO context. This has been rectified by creating an object of com.pega.apache.ws.secpolicy.model.HttpsToken class and setting values based on the parameters set in the received policy assertion.
INC-151253 · Issue 607624
Hash comparisons adjusted for upgraded sites
Resolved in Pega Version 8.5.2
Existing Pega Diagnostic Cloud SSO URLs were not working after upgrade. This was traced to the previous tenant hash (or AG hash) having padding characters like ‘(’ which are no longer used in higher versions. This caused the tenant hash comparison during the SAML login flow to fail. To resolve this, the system will not compare an incoming tenant hash (in relay state) with a current platform tenant hash, but instead will rely on the “/!” pattern to identify the tenant hash in the relay state.
SR-D28460 · Issue 509364
Added timeout handling for non-PRAuth servlets
Resolved in Pega Version 8.3.1
After logging in via external authentication service (SAML Single Sign On) and setting up a timeout in the access group RuleForm, when the user performed any action and the server identified the request to be timed-out, it was expected that a SAML request would be sent from the browser to the external Authentication Server (referred as IDP) and the flow would proceed from there. This worked as expected for a non-AJAX request. To resolve this, handling has been added for timeout when using non-PRAuth authentication services.
SR-D33491 · Issue 511726
Code fragment removed to resolve CookieDisabledException
Resolved in Pega Version 8.3.1
After upgrade, a CookieDisabledException occurred after a post activity was invoked in the single sign-on (SSO) authentication service. This was traced to the site using the deprecated flag "redirectguests" as part of SSO-based login for mashup usecases. This flag was used to check if a cookiedisabled exception was thrown or not, and if there was no cookie, if a requestor was authenticated in first request. However, the flag has been removed as part of work done to omit the Cookie support check on Mobile App UAs. Code that supported the use of this flag remained after that work and led to the exception being generated, but has now been removed as well.
SR-D43811 · Issue 511920
Code fragment removed to resolve CookieDisabledException
Resolved in Pega Version 8.3.1
After upgrade, a CookieDisabledException occurred after a post activity was invoked in the single sign-on (SSO) authentication service. This was traced to the site using the deprecated flag "redirectguests" as part of SSO-based login for mashup usecases. This flag was used to check if a cookiedisabled exception was thrown or not, and if there was no cookie, if a requestor was authenticated in first request. However, the flag has been removed as part of work done to omit the Cookie support check on Mobile App UAs. Code that supported the use of this flag remained after that work and led to the exception being generated, but has now been removed as well.
SR-B55660 · Issue 316375
Removed "SHA1" hard coding from SAMLRedirectBindingHandler
Resolved in Pega Version 7.3.1
SAML logout failure was seen after using SHA256 signature encoding on an IDP that does not support SOAP. Previously,"SHA1" was hard coded to be used for verification of certificate during logout in the case of HTTP-Redirect Binding; this hard coding has now been removed from SAMLRedirectBindingHandler.verify() .
INC-157095 · Issue 638808
Enhancement added for tenant-level authentication
Resolved in Pega Version 8.7
In a multi-tenant PDC with a few tenants that utilize their own custom SSO, a pre-authentication activity inside a tenant that should block community access was also affecting tenants that did not have that pre-auth activity set. This was a missed use case and has been resolved by adding a tenantId hash in SchemePRAuth.makeUniqueSchemeName() to create the authServiceName.
INC-130703 · Issue 597255
Operator provisioning on authentication service corrected
Resolved in Pega Version 8.5.2
When operator provisioning was triggered on user login via authentication service, the error "ModelOperatorName is not valid. Reason: declare page parameters not supported by PropertyReference" was generated. This was traced to optimization work that had been done on the expression evaluation for operator identification, and has been resolved by adding the required GRS Syntax support in the Operator Provisioning section in SAML and OIDC.
INC-177737 · Issue 663141
Authentication requirement updated for CallConnector
Resolved in Pega Version 8.7
After update, invoking a REST API call during SSO login which eventually called pxCallConnector (Final Activity) in @baseclass Pega-RulesEngine failed at the CallConnector step. This was caused by a change in recent Pega versions which enabled authentication for this activity, and has been resolved by marking the activity as internal and disabling the authentication requirement.
SR-A24408 · Issue 248682
Page clearing added for AuthReqContex
Resolved in Pega Version 7.2.2
The page "AuthReqContex" was loaded up during SAML authentication and then passivated, but the pages were retained in the clipboard and improperly activated by an unknown thread, causing an error. This has been resolved by adding Page-Remove steps wherever needed in auth activity and logout activity (AuthReqContext, LoginInfo, ReqInfo, RelayStateInfo, and SessionInfo) to remove the pages that are no longer needed.