SR-D79181 · Issue 551123
OKTA receives parameters on logout
Resolved in Pega Version 8.3.3
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-D64566 · Issue 547513
Option added for redirect to SAML IDP on logout
Resolved in Pega Version 8.3.3
An enhancement has been added which provides a check box to choose to redirect to SAML IDP on logout from Pega.
SR-D75498 · Issue 545068
Resolved null-pointer exception for Token based Authenticated Rest
Resolved in Pega Version 8.3.3
When logging in with auth0 OIDC auth service and then trying to use connect-Rest with an authentication profile using an auth0 provider, a null pointer error was generated indicating connect-Rest could not find the Access token. Even thought the Authentication service (OIDC) and authentication profile (authorization grant) both had the same scopes (“openid profile email”), OIDC flow and authentication profile save the Access Token with different scopes. Specifically, OIDC saves the token with an extra trailing space. Handling has been added to correct this.
SR-D92837 · Issue 551004
SameSite cookie setting updated for pre-authentication
Resolved in Pega Version 8.3.3
In work done in previous versions to modify the SameSite cookie handling to support Mashups in Google Chrome v80+, SameSite was set to None only in case of an authenticated Pega-RULES cookie and not for a Pre-authenticated cookie. That caused the Samesite value to not be set when using a pre-authenticated cookie, and the blank value was treated as 'Lax', causing a login challenge. To resolve this, Samesite will be set to 'None' when using pre-authenticated cookie, which will match the way it is being set in authenticated cookie.
SR-D90452 · Issue 551808
SSOPreAuthenticationActivity runs until success
Resolved in Pega Version 8.3.3
When a user visited a public-facing application via a Single Sign-On (SSO) URL that redirected to SAML IDP for authentication, the first time the URL was hit the system correctly executed pySSOPreAuthenticationActivity as part of pre-authentication to determine if authentication is possible/allowed. If the pySSOPreAuthenticationActivity set the pyAuthenticationPolicyResult to 'false', authentication was not allowed: the user was not redirected to the IDP and an error message was shown. However, if the same URL is hit again after that rejection without any changes, the user was redirected to the IDP for authentication because the preauthentication activity was not run again. This has been resolved by updating the system to continue to call the pre-authentication activity for the SSO URL until a success status is returned by the activity.
INC-173596 · Issue 673104
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.8
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-188127 · Issue 678350
Updated cache key generation for ROPC
Resolved in Pega Version 8.8
After configuring outbound email functionality using MSGraph with OAuth 2.0, sending the emails failed consistently following passivation. Running "Test connectivity" in the Email Account data instance then seemed to restart the functionality and the automation "Create And Send Email" subsequently worked. This was traced to a missing username in the cache key generation for the Resource Owner Password Credentials (ROPC), which caused the same token to be fetched when attempting to dynamically generate different usernames, and has been resolved.
INC-194865 · Issue 695620
Corrected report definition save-as-image option
Resolved in Pega Version 8.8
Attempting to save a report definition as an image resulted in an access denied error stating "Browser fingerprint validation failed : A request was received with an invalid or missing browser fingerprint. The request was denied", and the user session was closed. The security SECU0017 alert is generated when a request is sent to a Pega application and the browser fingerprint is either missing or does not match the expected value. The system tries to check the type of request for every requestor ID and fetch the CSRF token, but in this case it was not matching with the token present on the requestor thread. This has been resolved by adding scripts to send the hidden input value needed.
INC-198571 · Issue 708634
SSO update
Resolved in Pega Version 8.8
In order to ensure shared SSO direct links are used as intended, an update has been made which will explicitly require re-authentication for each use of a direct link.
INC-202702 · Issue 713725
Ruleset creation process updated to maintain thread scope
Resolved in Pega Version 8.8
On creating a ruleset, the system generated the error "There has been an issue. Please consult your system administrator." If browser cookies and site settings were cleared and the browser was relaunched before logging in and creating a ruleset, the issue did not occur. Investigation showed that the Application page was at the Requestor scope for some of the threads due to handling in the ruleset creation process that removed the Application page and recreated it in the default scope of the thread with the latest state. To resolve this, the process for deleting the Application page and recreating it on the Requestor page has been removed.