INC-220663 · Issue 724471
BIX -J usage for DST can be used in Pega 7 mode
Resolved in Pega Version 8.8
After upgrade, there was a difference in the handling for a time zone with DST when executing a BIX extraction rule through command line arguments like -J with short form. In Pega 8.5+, -J CST6CDT always displays Date time to CDT; In Pega 7, -J CST6CDT displays Data Time based on CST or CDT (i.e. before daylight savings or not). This was due to changes made to set the time zone to address a different issue. While there is a workaround of using -J America/Los_Angeles, modifications have been made to support DST in the PEGA 7 format while running the BIX extraction rule from command line or with a "pxExtractDataWithArgs" activity with "-J" option.
INC-217974 · Issue 715428
Handling added BIX extraction failure when called from custom activity
Resolved in Pega Version 8.8
After update, BIX extraction was failing but email from the schedulers indicated success. Investigation showed that when extract was called from a custom activity by calling pxExtractDataWithArgs, the stepStatusFail 'when' rule in the custom activity was not capturing all the exceptions specific to database extracts. This has been resolved by adding the necessary handling.
SR-C70602 · Issue 415503
Changed async loading when attaching Files with PegaCloudFileStorage to address 3rd party PEGA0046 error
Resolved in Pega Version 8.1.3
When using PegaCloudFileStorage, a PEGA046 alert was observed when attaching a file to a work object. This was a cosmetic issue that did not affect functionality, and was traced to the use of an external logging system that is not part of the standard system development for Pega. In order to remove this alert, Step-5 (Load-DataPage) of Data-WorkAttach-File.pzSaveToRepository activity has been removed as asynchronous loading of D_pxNewFile data page is not required.
INC-173725 · Issue 656480
Logic updated for DX API retrieving View/Action ID using embedded property
Resolved in Pega Version 8.7
While calling the DX API using Assignment ID and action ID, a 500 error response was logged indicating that the server encountered an unexpected condition that prevented it from fulfilling the request. Investigation traced this to the logic used for resolving an embedded property referenced in a control/field to identify the correct page class. In a non-work object context for flow actions the new assign page doesn't exist, but the system was checking for it and clearing off errors from the named page. This has been corrected.
SR-C74047 · Issue 416353
Automatic Cloud Terminations updated with retry logic and exception handling for nodes being disconnected while in use
Resolved in Pega Version 8.1.3
Agents were being disabled when a node was about to be shut down and the lock operation timed out. This was traced to an issue where the Hazelcast operation timed out trying to communicate with a node that had not yet dropped out of the cluster but did shortly after, and was due to the refactored code around delegating to a cluster component missing a lock method. In order to ensure the cluster component handles such exceptions gracefully, the lock operation now contains retry logic along with exception handling that will return 'false' instead of raising an exception.
INC-215343 · Issue 711143
Security updates
Resolved in Pega Version 8.8
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
INC-176274 · Issue 666390
Timeout check added to authorization to preserve portal context
Resolved in Pega Version 8.7
When using SAML SSO Authentication Service with "Use access group timeout" and "Redirect to IDP login after logout" selected and "Force authentication" not selected, manually logging out correctly returned the view to the custom SSO login page but the timeout logout returned the default Pega login page as if SSO was not in use. Analysis showed there was a "Failed to open portal" error after doing some action post timeout, and this was traced to pyPortal page not having a value. Investigation showed this was blank due to the creation of new thread while the requestor state was perceived as unauthenticated because of the timeout. To resolve this, a timeout check has been added to the following: Authorization#setActiveAccessGroup(java.lang.String, boolean, boolean, java.util.Map) BasicApplicationContextImmutableImpl#applyApplicationProperties
SR-B17037 · Issue 289405
Handling added for SP initiated logins
Resolved in Pega Version 7.3
Attempting a Service Provider (SP) initiated login request caused the error "The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria" to appear. This was due to the code used to identify whether the flow is IDP initiated or SP initiated SSO not having the handling for encrypted assertions. The system has now been updated to look for the relay state in the DB: if an entry is present then the SSO flow will be SP initiated, otherwise it will be IDP initiated.
INC-157095 · Issue 638808
Enhancement added for tenant-level authentication
Resolved in Pega Version 8.7
In a multi-tenant PDC with a few tenants that utilize their own custom SSO, a pre-authentication activity inside a tenant that should block community access was also affecting tenants that did not have that pre-auth activity set. This was a missed use case and has been resolved by adding a tenantId hash in SchemePRAuth.makeUniqueSchemeName() to create the authServiceName.
INC-214974 · Issue 721179
Documentation updated for accessing D_pyUserInfoClaims
Resolved in Pega Version 8.8
When logging in using Org Credentials, trying to get the user details from D_pyUserInfoClaims did not return any information. This was due to the D_pyUserInfoClaims datapage being available only after authentication, so the claims information was not available during operator provisioning. The documentation located at https://docs.pega.com/security/88/mapping-operator-information-openid-connect-sso-authentication-service has been updated to include the following note: "This page becomes available and can only be accessed post authentication."