INC-164336 · Issue 634151
URL validation updated to handle custom token endpoints
Resolved in Pega Version 8.7
While saving an authentication profile with OAuth details, validation was failing for a valid URL given in the access token endpoint and revoke token endpoint fields. This was traced to the use of the Apache URL validator, which considered some domains to be invalid. To resolve this, the urlvalidator constructor has been updated to include a custom RegexValidator for access token and refresh token URLs.
INC-168837 · Issue 646972
CSRF token updated for use with OKTA login
Resolved in Pega Version 8.7
An issue seen while connecting via OKTA has been resolved by updating the CSRF token validation for use with IDP initiated SSO login.
INC-169186 · Issue 655537
Disconnect button availability extended
Resolved in Pega Version 8.7
A case was not refreshing when the disconnect button was selected while using the standard section for authorization grant type authentication. This was traced to a query executed to find a div with attribute pzInsHandle, but that attribute was not applicable in the user portal. To support this use, the query has been extended to be applicable for user portal (attribute data-ui-meta) and Dev Studio landing page.
INC-169310 · Issue 649714
Cache check added for SQL queries
Resolved in Pega Version 8.7
When performing load testing, a high number of gets were seen for some SQL Queries. In order to improve performance, a check has been added in GlobalTrustStoreCacheImpl.java to assess whether the cache has been initialized or not.
INC-170423 · Issue 648985
Added catch for SAML WebSSO duplicate key exception
Resolved in Pega Version 8.7
After logging in from SSO, closing the Pega window and opening it again resulted in the error "Unable to process the SAML WebSSO request : Violation of PRIMARY KEY constraint. Cannot insert duplicate key in object." This has been resolved by updating the session index handling and adding a catch for the duplicate key exception.
INC-170671 · Issue 645236
Encryption key handling updated for update activities
Resolved in Pega Version 8.7
The platform update activity generated the message "FATAL ERROR: Found exception running import: Unable to import file because the security token included in the request is invalid." Investigation traced this to the generation of the CDK occurring within a commit, which completed the transaction early. This has been resolved by updating the handling for the CDK key during BLOB encryption call.
INC-171875 · Issue 653892
Skip restored for browser request CSRF token
Resolved in Pega Version 8.7
Many SECU0008 alerts were seen in the production logs. This was the result of a CSRF token check on requests without pyActivity or pyStream, and has been resolved by restoring a conditional skip of the check as those other browser requests do not contain a CSRF token.
INC-172874 · Issue 654366
AccessGroup timeout restores session on relogin
Resolved in Pega Version 8.7
When using Platform Authentication AuthService with "Use AccessGroup Timeout", a timed-out user who logged back in saw all open rule tabs were lost and any changes to checked out rule were not saved. Investigation showed that the URL for the redirected login screen did not have a slash at the end of the path of the app alias, causing it to not maintain a cookie path and instead start a new session on login. This has been resolved by adding the missing slash after the app alias in both the Ajax response and SecurityUtils to avoid creating a new session with a new requestor when logging in again after timeout.
INC-173294 · Issue 650237
Mobile "Forgot Password" supports circumstanced rule
Resolved in Pega Version 8.7
An enhancement has been added to support a circumstanced rule for the "Forgot Password" flow on mobile.
INC-173886 · Issue 664142
SSLContext created using protocol from REST connector rule form
Resolved in Pega Version 8.7
After upgrading to IBM websphere v9.0.5.6 or higher, API calls Like REST, Connect-HTTP etc were failing to connect to endpoints using TLSv1.2. Investigation showed that although the connector was configured to send TLSv1.2, the ClientHello handshake was triggered for TLSv1.3. Because the SSLContext was created with highest version supported by protocol in the WAS container, this has been resolved by modifying the code to create SSLContext based on the the protocol selected in the REST connector rule form. Additionally, please note that the Connect-HTTP connector has been deprecated and the Connect-REST capabilities in the platform should be used instead.