INC-199271 · Issue 699654
SAML-based SSO security updated
Resolved in Pega Version 8.5.6
Security updates have been made relating to SAML-based SSO code.
SR-B37819 · Issue 296299
SAML SessionInfo cleanup enhanced
Resolved in Pega Version 7.3
The following SAML issues have been corrected: 1) when IDP logout URL was empty, SAMLSingleLogOff activity generated an exception; 2) the SAML Session info record was not deleted during logout process even when given a valid IDP logout URL; 3) the SAML session info record was not deleted for both SP and IDP initiated logouts.
SR-B43950 · Issue 300643
SAML SessionInfo cleanup enhanced
Resolved in Pega Version 7.3
The following SAML issues have been corrected: 1) when IDP logout URL was empty, SAMLSingleLogOff activity generated an exception; 2) the SAML Session info record was not deleted during logout process even when given a valid IDP logout URL; 3) the SAML session info record was not deleted for both SP and IDP initiated logouts.
SR-B43950 · Issue 301551
SAML SessionInfo cleanup enhanced
Resolved in Pega Version 7.3
The following SAML issues have been corrected: 1) when IDP logout URL was empty, SAMLSingleLogOff activity generated an exception; 2) the SAML Session info record was not deleted during logout process even when given a valid IDP logout URL; 3) the SAML session info record was not deleted for both SP and IDP initiated logouts.
SR-D29127 · Issue 506862
SAML data pages restored after passivation
Resolved in Pega Version 8.3.1
If login used SAML SSO, resuming the session after passivation resulted in missing or empty data pages when using an SAP integration with Pega Cloud. This was traced to a security change that modified the D_SAMLAssertionDataPage and D_SamlSsoLoginInfo data pages as read-only, causing them to not be passivated under these conditions. To resolve this, the data pages have been made editable so they will be restored as expected. This change also resolves any difficulty with SAML logoff activities in conjunction with SAP and Pega Cloud.
SR-D41482 · Issue 507883
SAML data pages restored after passivation
Resolved in Pega Version 8.3.1
If login used SAML SSO, resuming the session after passivation resulted in missing or empty data pages when using an SAP integration with Pega Cloud. This was traced to a security change that modified the D_SAMLAssertionDataPage and D_SamlSsoLoginInfo data pages as read-only, causing them to not be passivated under these conditions. To resolve this, the data pages have been made editable so they will be restored as expected. This change also resolves any difficulty with SAML logoff activities in conjunction with SAP and Pega Cloud.
INC-182530 · Issue 695759
SAML datapages cleared before new authentication
Resolved in Pega Version 8.5.6
If a previous user had not logged out or timed out when using SAML authentication, a second person using the same device/browser would end up in the first user's session after performing their own authentication. Investigation showed the second login D_SAMLAssertionDataPage was not getting refreshed with the current user login details; this has been resolved by explicitly deleting the SAML Datapages before processing a new login if the session has not timed out.
SR-D23239 · Issue 499595
Support added for multi-operator SAML logins
Resolved in Pega Version 8.3.1
When a SAML user is logged in by Single Sign-On (SAML), the system processes the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to the same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.
SR-B17403 · Issue 297717
Resolved concurrent mod exceptions when using getValueInType API
Resolved in Pega Version 7.3
Concurrent modification exceptions were observed in the logs when the getValueInType API was called to fetch property values from multiple threads. To resolve this, the getValueInType API has been made thread safe by synchronizing its access.
SR-D43141 · Issue 512433
Support added for iFrame Mashup resize when using SPA
Resolved in Pega Version 8.3.1
After upgrade, issues were seen with an iFrame holding a Mashup not resizing as expected. This was traced to the use of an SPA portal inside mashup, and has been resolved by explicitly invoking the doharnessResize API to set proper height on iframe when using SPA.