SR-D64566 · Issue 547513
Option added for redirect to SAML IDP on logout
Resolved in Pega Version 8.3.3
An enhancement has been added which provides a check box to choose to redirect to SAML IDP on logout from Pega.
SR-D75498 · Issue 545068
Resolved null-pointer exception for Token based Authenticated Rest
Resolved in Pega Version 8.3.3
When logging in with auth0 OIDC auth service and then trying to use connect-Rest with an authentication profile using an auth0 provider, a null pointer error was generated indicating connect-Rest could not find the Access token. Even thought the Authentication service (OIDC) and authentication profile (authorization grant) both had the same scopes (“openid profile email”), OIDC flow and authentication profile save the Access Token with different scopes. Specifically, OIDC saves the token with an extra trailing space. Handling has been added to correct this.
SR-D92837 · Issue 551004
SameSite cookie setting updated for pre-authentication
Resolved in Pega Version 8.3.3
In work done in previous versions to modify the SameSite cookie handling to support Mashups in Google Chrome v80+, SameSite was set to None only in case of an authenticated Pega-RULES cookie and not for a Pre-authenticated cookie. That caused the Samesite value to not be set when using a pre-authenticated cookie, and the blank value was treated as 'Lax', causing a login challenge. To resolve this, Samesite will be set to 'None' when using pre-authenticated cookie, which will match the way it is being set in authenticated cookie.
SR-D90452 · Issue 551808
SSOPreAuthenticationActivity runs until success
Resolved in Pega Version 8.3.3
When a user visited a public-facing application via a Single Sign-On (SSO) URL that redirected to SAML IDP for authentication, the first time the URL was hit the system correctly executed pySSOPreAuthenticationActivity as part of pre-authentication to determine if authentication is possible/allowed. If the pySSOPreAuthenticationActivity set the pyAuthenticationPolicyResult to 'false', authentication was not allowed: the user was not redirected to the IDP and an error message was shown. However, if the same URL is hit again after that rejection without any changes, the user was redirected to the IDP for authentication because the preauthentication activity was not run again. This has been resolved by updating the system to continue to call the pre-authentication activity for the SSO URL until a success status is returned by the activity.
INC-179761 · Issue 684676
Basic Access Control (BAC) now available in production level 2+
Resolved in Pega Version 8.6.3
An enhancement has been added to enable the Basic Access Control (BAC) feature for production levels 2 or greater. This is a change from being available previously only in levels 4 and 5, and will facilitate diagnosing access control issues earlier in the development process.
INC-182530 · Issue 695761
SAML datapages cleared before new authentication
Resolved in Pega Version 8.6.3
If a previous user had not logged out or timed out when using SAML authentication, a second person using the same device/browser would end up in the first user's session after performing their own authentication. Investigation showed the second login D_SAMLAssertionDataPage was not getting refreshed with the current user login details; this has been resolved by explicitly deleting the SAML Datapages before processing a new login if the session has not timed out.
INC-183485 · Issue 685270
Performance improvement for offline mobile app
Resolved in Pega Version 8.6.3
Performance issues on an offline mobile app were traced to an empty browser fingerprint caused by a declared variable which was not assigned a value. This has been resolved by adding a !pega.offline check for fireDeferredAsyncRequests.
INC-185251 · Issue 674907
Locking APIs updated to handle CDK key rotation
Resolved in Pega Version 8.6.3
it was not possible to save cases for several hours following the CDK key rotation. This was traced to an exception that caused the system to attempt to acquire a lock on the CDK key instance, and normal save behavior would resume after the default sys lock time out period expired. This has been resolved by updating the system to use LockManager APIs to perform a database save with locks.
INC-186395 · Issue 677206
Updating handling for for Pega-supplied operators with MFA
Resolved in Pega Version 8.6.3
When a site is blocking prweb and using prweb/PRAuth for login with MFA enabled, admin user id logins failed and MFA showed the error screen for Pega-supplied users. This was due to MFA verification not being configured for Pega-supplied operators, and has been resolved by adding an Adminstrator condition to skip MFA for for Pega-supplied operators.
INC-186395 · Issue 697875
Updating handling for for Pega-supplied operators with MFA
Resolved in Pega Version 8.6.3
When a site is blocking prweb and using prweb/PRAuth for login with MFA enabled, admin user id logins failed and MFA showed the error screen for Pega-supplied users. This was due to MFA verification not being configured for Pega-supplied operators, and has been resolved by adding an Adminstrator condition to skip MFA for for Pega-supplied operators.