INC-160024 · Issue 625831
Deprecated authentication methods removed
Resolved in Pega Version 8.6
After upgrade, attempting to trigger the Pega hosted API externally through Post Man resulted in the exception "The method getAuthenticationService() is undefined for the type OAuth2AccessTokenValidation". This was traced to the use of references to the methods getAuthenticationService() and getAuthenticationServiceType(), which are not in use from v8.5 onwards in pzOAuth2AuthenticationActivity and have now been removed. For OAuth2 authentication, the service package should use authentication type as OAuth2; the system will then take care of validating the token and establishing the operator context.
INC-161660 · Issue 633032
Authorization token handling and cleanup improved
Resolved in Pega Version 8.6
When using a mobile app configured with default authentication, clicking on the "Trouble logging in?" link opened a new window and displayed the message "please contact your system administrator" along with the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY CODE-SECURITY PZGETAUTHORIZATIONCODE". This has been resolved. In addition, the OAuth token generation and handling has been improved, and the purge agent has been updated to accept a DSS setting for the max number of expired records to purge each time it is run. The default value is 5000.
SR-SR-D79737 · Issue 602304
Improvements for Report Definition OperatorID filtering
Resolved in Pega Version 8.6
Report Definition filters were not working as expected when data from the OperatorID page was used and authentication was enabled. This was traced to the OperatorID page not being correctly populated. To resolve this, the authentication logic has been modified to always create the OperatorID page at requestor level, and the HTTP API layer has been updated to remove the thread level OperatorID page if exists. In addition, an enhancement has been added for improved debugging on log appenders provided by log4j which allows log filtering based on the requestor and thread for a given appender at a specific log level.
INC-118838 · Issue 560694
OKTA receives parameters on logout
Resolved in Pega Version 8.4.2
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
INC-118927 · Issue 571492
Resolved OAuth2 mobile app loop
Resolved in Pega Version 8.4.2
When a Pega OAuth2 authorize endpoint was invoked and the redirect URI contained "app", a loop was created where the system attempted to fetch the app alias from the state parameter value and was redirected back to itself. This could sometimes result in inconsistent mobile app styling. Investigation showed that a certificate with keyword app that was picked for the redirect URI could have the key word assumed to be the app alias context, so a workaround was to remove the app keyword. To resolve the issue, the system has been updated to look for the app alias only in the state parameter rather than perform a string contains check on the entire query string.
INC-125095 · Issue 560831
SAML authreqcontext duplicate key exception logging changed to debug
Resolved in Pega Version 8.4.2
As part of work done to improve the performance of the pr_data_saml_authreqcontext table during the SAML flow, the duplicate key exception handing was creating a large number of unique constraint log messages while saving sessionInfo to the database during SAML authentication if ADFS was used because the ADFS provider session Info is always blank. This has been resolved by changing the log statement in the duplicate key exception handling to debug.
INC-125429 · Issue 561892
OKTA receives parameters on logout
Resolved in Pega Version 8.4.2
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
INC-126640 · Issue 572264
Updated LDAP operator authentication handling
Resolved in Pega Version 8.4.2
After setting up LDAP authentication in an environment using Robotics which runs on Kerberos and configuring LDAP AD integration with a sAMAccountName [specific to Microsoft AD] attribute for the login, two operators were being created for a single user. Investigation showed this was caused by the operator's pyUserIdentifier being mapped in the LDAP service mapping attribute while the operator ID was using a different attribute (userPrincipalName) which was mapped to .pyUserIdentifier because the Kerberos authentication was done via userPrincipalName. For the first login, an operator was created as per the Search filter field. The next time the user logged in with the same ID, another operator was created using the userPrincipalName as per the mapping defined under the mapping tab. This has been resolved by updating LDAP handling. As part of the resolution, a precedence rule has been introduced which will give the highest precedence to a mapped pyUserIDentifier, then logged in operator name. If pyUserIdentifier is not mapped in authservice, the operator name will be the LDAP login operator name. If pyUserIdentifier is mapped in authservice, the operator name will be the LDAP attribute value which is mapped to pyUserIdentifier. If the mapped ldap attribute name is empty, login will fail. In addition, debugging logs have been added to aid in troubleshooting LDAP issues.
INC-126975 · Issue 574805
BrowserFingerprint generation timing updated
Resolved in Pega Version 8.4.2
When trying to 'Show Conflicts' on any Circumstance Template with CSRF enabled, there was an error on screen, the requestor was killed, and the PDC Client displayed a 'Browser fingerprint: undefined' error. Investigation showed that at the time the request was fired, the browserfingerprint had not yet been generated and hence was returned as undefined. This has been resolved by adding the code to generate the fingerprint before the request is invoked.
INC-128535 · Issue 566316
Exception handling updated for getRunTime
Resolved in Pega Version 8.4.2
After upgrade, a Java step related to API Runtime.getRunTime() was failing to execute UNIX commands in all applications that contained the code. Investigation showed that once the java injection code was detected, the API checkForJavaCodeInjection() reported an exception, but the exception should have been absorbed by the function calling it and was not. This has been resolved by updating the system to not throw the exception for old activities. In addition, an alert was generated for the Pega platform activity SysWebInfo. As this was a false alarm, an update has been made to not report such alerts for Pega platform activities.