SR-116347 · Issue 166799
Error resolved for adding Stage Step Specifications using RTE and Google Chrome
Resolved in Pega Version 7.1.7
While configuring a stage behavior in Google Chrome, if a user had focus within the Rich Text Editor for a specification and submitted the modal, an error was generated. This was caused by an invalid post-value check, and the unnecessary post value has been removed.
INC-173725 · Issue 656480
Logic updated for DX API retrieving View/Action ID using embedded property
Resolved in Pega Version 8.7
While calling the DX API using Assignment ID and action ID, a 500 error response was logged indicating that the server encountered an unexpected condition that prevented it from fulfilling the request. Investigation traced this to the logic used for resolving an embedded property referenced in a control/field to identify the correct page class. In a non-work object context for flow actions the new assign page doesn't exist, but the system was checking for it and clearing off errors from the named page. This has been corrected.
INC-176274 · Issue 666390
Timeout check added to authorization to preserve portal context
Resolved in Pega Version 8.7
When using SAML SSO Authentication Service with "Use access group timeout" and "Redirect to IDP login after logout" selected and "Force authentication" not selected, manually logging out correctly returned the view to the custom SSO login page but the timeout logout returned the default Pega login page as if SSO was not in use. Analysis showed there was a "Failed to open portal" error after doing some action post timeout, and this was traced to pyPortal page not having a value. Investigation showed this was blank due to the creation of new thread while the requestor state was perceived as unauthenticated because of the timeout. To resolve this, a timeout check has been added to the following: Authorization#setActiveAccessGroup(java.lang.String, boolean, boolean, java.util.Map) BasicApplicationContextImmutableImpl#applyApplicationProperties
SR-117815 · Issue 170081
Updated UUID generation to function with Ping Identity
Resolved in Pega Version 7.1.7
Issues were experienced in trying to achieve connectivity using SAML 2.0 for an SSO solution. Ping Identity imposes a constraint on the format of the Request ID that it receives, and fails if that ID does not start with a letter or underscore. This ID is a random UUID generated by java code, and it had no set leading character. In order to allow full interoperability, the UUID generation has been replaced with a custom implementation which generates unique IDs starting with "_".
SR-A101242 · Issue 270252
STS Policy parsing fixed for Apache Rampart
Resolved in Pega Version 7.2.2
Changes to the Apache Rampart code in Pega 7 introduced an error with parsing the the Web-Service-Policy with a PRCustom activity that writes the SAML token to the requestor during login with an STS / SSO context. This has been rectified by creating an object of com.pega.apache.ws.secpolicy.model.HttpsToken class and setting values based on the parameters set in the received policy assertion.
INC-151253 · Issue 607624
Hash comparisons adjusted for upgraded sites
Resolved in Pega Version 8.5.2
Existing Pega Diagnostic Cloud SSO URLs were not working after upgrade. This was traced to the previous tenant hash (or AG hash) having padding characters like ‘(’ which are no longer used in higher versions. This caused the tenant hash comparison during the SAML login flow to fail. To resolve this, the system will not compare an incoming tenant hash (in relay state) with a current platform tenant hash, but instead will rely on the “/!” pattern to identify the tenant hash in the relay state.
INC-151253 · Issue 607625
Hash comparisons adjusted for upgraded sites
Resolved in Pega Version 8.6
Existing Pega Diagnostic Cloud SSO URLs were not working after upgrade. This was traced to the previous tenant hash (or AG hash) having padding characters like ‘(’ which are no longer used in higher versions. This caused the tenant hash comparison during the SAML login flow to fail. To resolve this, the system will not compare an incoming tenant hash (in relay state) with a current platform tenant hash, but instead will rely on the “/!” pattern to identify the tenant hash in the relay state.
INC-157095 · Issue 638808
Enhancement added for tenant-level authentication
Resolved in Pega Version 8.7
In a multi-tenant PDC with a few tenants that utilize their own custom SSO, a pre-authentication activity inside a tenant that should block community access was also affecting tenants that did not have that pre-auth activity set. This was a missed use case and has been resolved by adding a tenantId hash in SchemePRAuth.makeUniqueSchemeName() to create the authServiceName.
INC-130703 · Issue 597255
Operator provisioning on authentication service corrected
Resolved in Pega Version 8.5.2
When operator provisioning was triggered on user login via authentication service, the error "ModelOperatorName is not valid. Reason: declare page parameters not supported by PropertyReference" was generated. This was traced to optimization work that had been done on the expression evaluation for operator identification, and has been resolved by adding the required GRS Syntax support in the Operator Provisioning section in SAML and OIDC.
INC-130703 · Issue 597254
Operator provisioning on authentication service corrected
Resolved in Pega Version 8.6
When operator provisioning was triggered on user login via authentication service, the error "ModelOperatorName is not valid. Reason: declare page parameters not supported by PropertyReference" was generated. This was traced to optimization work that had been done on the expression evaluation for operator identification, and has been resolved by adding the required GRS Syntax support in the Operator Provisioning section in SAML and OIDC.