INC-151253 · Issue 607624
Hash comparisons adjusted for upgraded sites
Resolved in Pega Version 8.5.2
Existing Pega Diagnostic Cloud SSO URLs were not working after upgrade. This was traced to the previous tenant hash (or AG hash) having padding characters like ‘(’ which are no longer used in higher versions. This caused the tenant hash comparison during the SAML login flow to fail. To resolve this, the system will not compare an incoming tenant hash (in relay state) with a current platform tenant hash, but instead will rely on the “/!” pattern to identify the tenant hash in the relay state.
SR-124747 · Issue 186549
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the truststore where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-126719 · Issue 189646
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the trust store where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-126719 · Issue 177348
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the truststore where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-126719 · Issue 178793
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the truststore where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-C73100 · Issue 411034
Synchronized block method added to load keystore set with RUF
Resolved in Pega Version 8.1.2
A recent enhancement allows for the SAML auth service to use a reference to an external file for the signing certificate keystore. When the keystore had the password set using a Rule-Utility-Function, rather than being static, there were intermittent login fails with the error "unable to process SAML WebSSO request1" on the screen, and the RULES logs contained thousands of entries of an error indicating "Password is wrong". It was sometimes possible to log in by starting a new browser sessions and trying again. This was an issue with the PasswordHash property being changed from a static to a non-static field: it was not thread safe, though each object got its own copy of the instance, because if two or more threads call the setPasswordHash() method on the same object, all of these threads tried to simultaneously update the passwordHash instance variable and incorrect results were seen. To correct this, the system will use a synchronized block when loading the entries into cache in the getKey() method - Caller function of KeystoreCacheImpl.java.
INC-214974 · Issue 721181
Documentation updated for accessing D_pyUserInfoClaims
Resolved in Pega Version 8.6.5
When logging in using Org Credentials, trying to get the user details from D_pyUserInfoClaims did not return any information. This was due to the D_pyUserInfoClaims datapage being available only after authentication, so the claims information was not available during operator provisioning. The documentation located at https://docs.pega.com/security/86/mapping-operator-information-openid-connect-sso-authentication-service has been updated to include the following note: "This page becomes available and can only be accessed post authentication."
INC-130703 · Issue 597255
Operator provisioning on authentication service corrected
Resolved in Pega Version 8.5.2
When operator provisioning was triggered on user login via authentication service, the error "ModelOperatorName is not valid. Reason: declare page parameters not supported by PropertyReference" was generated. This was traced to optimization work that had been done on the expression evaluation for operator identification, and has been resolved by adding the required GRS Syntax support in the Operator Provisioning section in SAML and OIDC.
INC-176138 · Issue 723082
Performance improvements for save-as
Resolved in Pega Version 8.6.5
Performance issues were seen when using save-as for rules such as Declare expression, When rules, activity, etc. This was traced to a very large number of extra database queries that were being executed while building the Declarative Cache. To resolve this, an update has been made so the queries used for the Declarative Cache will only be executed when required.
INC-198555 · Issue 720901
Performance improvements for save-as
Resolved in Pega Version 8.6.5
Performance issues were seen when using save-as for rules such as Declare expression, When rules, activity, etc. This was traced to a very large number of extra database queries that were being executed while building the Declarative Cache. To resolve this, an update has been made so the queries used for the Declarative Cache will only be executed when required.