SR-119800 · Issue 177840
Security policy transaction mismatch error resolved
Resolved in Pega Version 7.1.8
If security policies are enabled, logging out and then logging in prompts a password change. If the password was changed and then the page was refreshed, a transaction mismatch error occurred. This was caused by incomplete clearing of the password setting transaction, and the system has been updated to properly switch transactions.
SR-123636 · Issue 184161
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.
SR-123636 · Issue 181701
Trojan horse protection auto-enabled
Resolved in Pega Version 7.1.8
The authentication/trojanhorseprotection previously defaulted to NEVER, creating a security vulnerability. The trojanhorseprotection setting now defaults to external.
SR-124473 · Issue 186179
Added handling for unauthenticated asynchronous SOAP service
Resolved in Pega Version 7.1.8
After implementing changes to work around an error with SOAP authentication, the unauthenticated asynchronous SOAP service generated an error and failed to complete. This was due to the changes to the authentication process omitting the asynchronous mode case when a SOAP service that intended to not use authentication ends up calling a sub-activity that requires authentication. This use case is now covered.
SR-126719 · Issue 177348
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the truststore where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-126719 · Issue 178793
Added fallback keyinfo handling
Resolved in Pega Version 7.1.8
When a SAML assertion response is received in the authentication activity, an error indicated the KeyInfo was missing in the signature. This was caused by a lack of redundancy in the keyinfo handling that caused an exception when keyinfo was not included in the SAML response. Support has now been added to check the certificate in the truststore where the certificate from IDP metadata would have been imported, and there is an added null check in the debug logs.
SR-128463 · Issue 193907
Create KeyRing updated for split schema
Resolved in Pega Version 7.1.8
If a command line script is configured (viz. keyringGen.sh) to encrypt user passwords for prconfig.xml databases using Keyring utility, a prconfig.xml could have three database entries but the keyring tool only prompted for two databases and did not allow encrypting password for the user for the third database. The prconfig.xml file requires very specific location information to run: to resolve this, the variables to hold schema name in case of split schema configuration have been added.
INC-118838 · Issue 560694
OKTA receives parameters on logout
Resolved in Pega Version 8.4.2
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
INC-118927 · Issue 571492
Resolved OAuth2 mobile app loop
Resolved in Pega Version 8.4.2
When a Pega OAuth2 authorize endpoint was invoked and the redirect URI contained "app", a loop was created where the system attempted to fetch the app alias from the state parameter value and was redirected back to itself. This could sometimes result in inconsistent mobile app styling. Investigation showed that a certificate with keyword app that was picked for the redirect URI could have the key word assumed to be the app alias context, so a workaround was to remove the app keyword. To resolve the issue, the system has been updated to look for the app alias only in the state parameter rather than perform a string contains check on the entire query string.
INC-125095 · Issue 560831
SAML authreqcontext duplicate key exception logging changed to debug
Resolved in Pega Version 8.4.2
As part of work done to improve the performance of the pr_data_saml_authreqcontext table during the SAML flow, the duplicate key exception handing was creating a large number of unique constraint log messages while saving sessionInfo to the database during SAML authentication if ADFS was used because the ADFS provider session Info is always blank. This has been resolved by changing the log statement in the duplicate key exception handling to debug.