INC-126640 · Issue 572264
Updated LDAP operator authentication handling
Resolved in Pega Version 8.4.2
After setting up LDAP authentication in an environment using Robotics, which runs on Kerberos, and configuring LDAP Active Directory integration with the sAMAccountName attribute (specific to Microsoft AD) for the login, two operators were being created for a single user. Investigation showed that the search filter identified the user by sAMAccountName, while the mapping tab mapped a different attribute, userPrincipalName, to pyUserIdentifier, because the Kerberos authentication was done via userPrincipalName. On the first login, an operator was created as per the Search filter field. The next time the user logged in with the same ID, another operator was created using the userPrincipalName value as per the mapping defined under the mapping tab. This has been resolved by updating the LDAP handling. As part of the resolution, a precedence rule has been introduced that gives the highest precedence to a mapped pyUserIdentifier, and then to the logged-in operator name: if pyUserIdentifier is not mapped in the authentication service, the operator name is the LDAP login operator name; if pyUserIdentifier is mapped in the authentication service, the operator name is the value of the LDAP attribute mapped to pyUserIdentifier; and if the mapped LDAP attribute is empty, the login fails. In addition, debug logging has been added to aid in troubleshooting LDAP issues.
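The precedence rule above, modelled as an added example (this is illustrative code, not Pega's implementation). LdapAuthService, resolve_operator_id, operators_created and the sample directory entry are assumptions made for this illustration, and "empty" is read here as an empty or missing value of the mapped attribute:

```python
"""Added example (not Pega code): a model of the operator-ID precedence rule.
LdapAuthService, resolve_operator_id and the sample directory entry are
assumptions made for this illustration; "empty" is read as an empty or
missing value for the attribute mapped to pyUserIdentifier.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


class LoginFailed(Exception):
    """Raised when the attribute mapped to pyUserIdentifier is empty or missing."""


@dataclass
class LdapAuthService:
    # Attribute the search filter uses to locate the entry (e.g. sAMAccountName).
    search_attribute: str
    # Attribute mapped to pyUserIdentifier on the mapping tab; None when not mapped.
    user_identifier_attribute: Optional[str] = None


def resolve_operator_id(service: LdapAuthService, login_name: str,
                        entry: Dict[str, str]) -> str:
    """Precedence rule: a mapped pyUserIdentifier wins; otherwise the name the
    user logged in with becomes the operator ID.  A mapped attribute with no
    value fails the login instead of silently creating a second operator."""
    if service.user_identifier_attribute is None:
        return login_name
    value = entry.get(service.user_identifier_attribute, "").strip()
    if not value:
        raise LoginFailed(
            f"attribute {service.user_identifier_attribute!r} mapped to "
            "pyUserIdentifier has no value; refusing login")
    return value


def operators_created(service: LdapAuthService, logins: Iterable[str],
                      entry: Dict[str, str]) -> Set[str]:
    """Replay a sequence of logins by the same directory user and return the
    distinct operator IDs that would be created.  With pyUserIdentifier mapped,
    one user yields one ID whichever name (sAMAccountName or userPrincipalName)
    was typed at login; unmapped, the typed name is the ID."""
    return {resolve_operator_id(service, name, entry) for name in logins}


# Constructed sample AD entry for one user (not real directory data).
SAMPLE_ENTRY = {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"}

if __name__ == "__main__":
    svc = LdapAuthService("sAMAccountName", "userPrincipalName")
    print(operators_created(svc, ["jdoe", "jdoe@corp.example"], SAMPLE_ENTRY))
```

The check a practitioner wants after applying this is the one operators_created performs: log in once with the sAMAccountName and once with the userPrincipalName and confirm a single operator record results.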
INC-126975 · Issue 574805
BrowserFingerprint generation timing updated
Resolved in Pega Version 8.4.2
When trying to 'Show Conflicts' on any Circumstance Template with CSRF enabled, an error appeared on screen, the requestor was killed, and the PDC Client displayed a 'Browser fingerprint: undefined' error. Investigation showed that at the time the request was fired, the browser fingerprint had not yet been generated and hence was sent as undefined. This has been resolved by adding code to generate the fingerprint before the request is invoked.
INC-128535 · Issue 566316
Exception handling updated for getRuntime
Resolved in Pega Version 8.4.2
After upgrade, a Java step calling the Runtime.getRuntime() API was failing to execute UNIX commands in all applications that contained the code. Investigation showed that once Java code injection was detected, the API checkForJavaCodeInjection() reported an exception, but the exception should have been absorbed by the calling function and was not. This has been resolved by updating the system to not throw the exception for old activities. In addition, an alert was generated for the Pega platform activity SysWebInfo. As this was a false alarm, an update has been made to not report such alerts for Pega platform activities.
INC-129667 · Issue 571681
Handling added for KMS keystore configured as datapage
Resolved in Pega Version 8.4.2
The File listener was not starting on all of the nodes when the KMS keystore was configured with a data page as its source. Investigation showed that this was caused by a null pointer error linked to the getAccessGroupFromDataPage method not always returning publicApi. To resolve this, the system has been updated to create the context beforehand and pass it to the getAccessGroupFromDataPage method.
INC-130359 · Issue 573183
JARs updated for Azure Key Vault Integration
Resolved in Pega Version 8.4.2
The Azure SDK jars have been updated to the latest versions to resolve an issue with save errors on the rule form when attempting to add Azure Key Vault as a key store.
INC-130673 · Issue 568211
RuleSecurityMode enhancements added
Resolved in Pega Version 8.4.2
Updates and enhancements have been made for RuleSecurityMode.
SR-D64566 · Issue 547515
Option added for redirect to SAML IDP on logout
Resolved in Pega Version 8.4.2
An enhancement has been added which provides a check box to choose to redirect to SAML IDP on logout from Pega.
SR-D79181 · Issue 551125
OKTA receives parameters on logout
Resolved in Pega Version 8.4.2
When using an OIDC logout endpoint with a parameter set to a data page value, the data page retrieved the ID token from the database, but when logout was clicked the data page name was displayed in the browser instead of the ID token value. To resolve this, code has been added to support sending ID token parameters to the logoff endpoint for OKTA logoff using OpenID Connect.
SR-D90939 · Issue 557309
Handling updated for redirect URI construction
Resolved in Pega Version 8.4.2
The redirect URI for an OIDC authorization request from Pega to the IDP was truncated, resulting in an incorrect redirect URI. This was traced to the App alias feature introduced in 8.4, which appends /app/ to the context URL. While constructing the OpenID authorization request, the redirect URI was built from the current login context, and in the process of removing the app alias from the URL a conflict occurred when the server name contained the word "app". To resolve this, the app alias handling has been updated.
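The failure mode above, as an added example that is not Pega's code: a fragile way of stripping the alias by searching the whole URL string for "app" beside a path-segment-aware version that never inspects the host. It assumes the alias takes the shape /app/<alias> immediately after the servlet context (/prweb) and uses an invented callback path; naive_strip_alias, strip_app_alias and build_redirect_uri are names chosen for this illustration:

```python
"""Added example (not Pega code): building an OIDC redirect_uri from the login
context while removing an app alias path segment.  Assumes the alias appears as
'/app/<alias>' directly after the servlet context; the callback path and all
function names are invented for this illustration.
"""
from urllib.parse import urlsplit, urlunsplit


def naive_strip_alias(login_url: str) -> str:
    """Fragile approach: cut the URL at the first occurrence of 'app', wherever
    it is.  When the host name itself contains 'app' the cut lands in the
    authority and the redirect URI is truncated (the symptom described above)."""
    i = login_url.find("app")
    return login_url if i < 0 else login_url[:i]


def strip_app_alias(login_url: str, context: str = "/prweb") -> str:
    """Path-aware approach: only an '/app/<alias>' pair directly after the
    servlet context is dropped.  Scheme, host and port are carried through
    untouched, so a host such as app.example.com cannot collide with the alias."""
    parts = urlsplit(login_url)
    segments = [s for s in parts.path.split("/") if s]
    ctx = [s for s in context.split("/") if s]
    if segments[:len(ctx)] != ctx:
        raise ValueError(f"path {parts.path!r} is not under context {context!r}")
    rest = segments[len(ctx):]
    if len(rest) >= 2 and rest[0] == "app":
        rest = rest[2:]          # drop 'app' and the alias that follows it
    path = "/" + "/".join(ctx + rest)
    # Query and fragment are deliberately discarded: a redirect_uri should be
    # a fixed, registered value, not whatever the current page carried.
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def build_redirect_uri(login_url: str, callback: str = "/oauth2/callback",
                       context: str = "/prweb") -> str:
    """Redirect URI = login context with the alias removed + fixed callback path."""
    return strip_app_alias(login_url, context).rstrip("/") + callback


if __name__ == "__main__":
    # Constructed sample login URL on a host whose name contains 'app'.
    url = "https://app.example.com/prweb/app/sales/"
    print("naive :", naive_strip_alias(url))
    print("fixed :", build_redirect_uri(url))
```

A truncated value matters beyond a broken login: identity providers compare redirect_uri against the registered value, so the request is rejected at the IDP, and any construction routine that can be steered by the current URL is worth checking against hosts, ports and aliases that contain the alias keyword.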
SR-D95501 · Issue 557684
Updated jar supporting SAML login to work with JRE11
Resolved in Pega Version 8.4.2
SSO authentication was failing with the exception "Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.apache.commons.ssl.TrustMaterial". That class was packaged with Pega via not-yet-commons-ssl.jar, which is no longer being developed and only works with JRE 8. This has been resolved by updating the package to the newer not-going-to-be-commons-ssl.jar, which has been evaluated for all supported JRE versions.