Support Article
Issues with SAML 2.0 authentication service configuration
SA-3274
Summary
Issues faced with SAML (Security Assertion Markup Language) 2.0 authentication service configuration in Pega 7.1.6.
Error Messages
2014-10-28 14:12:25,631 [http-bio-8443-exec-9] [ STANDARD] [ ] [ PegaRULES:07.10] ( internal.mgmt.Executable) ERROR ABCD-1|127.0.0.1|Rest|WebSSO|SAML|DemoService|AF421F9F57ACA0E039507FC6C10A66C35 - Activity name not specified for execution in arguments: {pyClassName=Data-Admin-Security-SSO-SAML, pxObjClass=Rule-Obj-Activity, pyActivityName=}
java.lang.IllegalArgumentException
Steps to Reproduce
Hit the IdP SSO URL.
Root Cause
Several issues were uncovered during investigations:
- The RelayToken value is empty in the SAML Response.
- The Authentication Service rule was created with a name that does not match the predefined mapped ones.
- The verification certificate was not in place in the IdP information of the user environment.
- The IdP issuer entity ID in the metadata and the issuer URL in the response do not match.
Resolution
- Keep the Authentication Service rule name as SAMLAuth to make use of the existing web.xml mapping (sso), using the following PRPC SSO URL: https://hostname/prweb/sso
- Upload a keystore that has a valid certificate so that the verification certificate is in place.
- From Pega 7.1.7, both POST and GET bindings are supported.
- Because of a limitation in Pega 7.1.6, use the IdP-initiated mechanism. To implement this, hardcode the RelayState parameter in the IdP SSO URL as shown below.
IdP SSO URL : https://IDPServiceHost/affwebservices/public/saml2sso?SPID=pegatest01&RelayState=/prweb/sso
In this approach, the SAML token is generated and validated with PRPC.
Ensure the issuer IdP entity URL matches in both the Authentication Service and the IdP metadata.
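As an added defender-side illustration (not Pega's or the IdP vendor's code), the following Python pre-flight check inspects the POST an IdP sends to the SP for the three misconfigurations listed under Root Cause: an empty RelayState, an issuer that does not match the configured entity ID, and a missing or unexpected verification certificate. The entity ID, the certificate bytes and the SAML response are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the SP-side Authentication Service configuration.
ENTITY_ID = "https://IDPServiceHost/affwebservices/public/saml2sso"        # hypothetical IdP entity ID
TRUSTED_CERT = base64.b64encode(b"CONSTRUCTED-IDP-CERT-DER").decode()      # placeholder, not a real cert


def fingerprint(cert_b64):
    """SHA-256 of the DER bytes, so PEM line-wrapping in the XML does not matter."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def check_acs_post(form, entity_id=ENTITY_ID, trusted_cert=TRUSTED_CERT):
    """Return findings for the three root causes: empty RelayState, issuer mismatch,
    missing or unexpected signing certificate. An empty list means all checks passed.
    The XML signature itself is not verified here (that needs an xmlsec library)."""
    findings = []
    if not form.get("RelayState", "").strip():
        findings.append("RelayState empty: SP has no target to return to after SSO")
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != entity_id:
        findings.append(f"issuer mismatch: response {issuer!r} != configured {entity_id!r}")
    certs = [c.text or "" for c in root.iter("{%s}X509Certificate" % NS["ds"])]
    if not certs:
        findings.append("no X509Certificate in response: nothing to verify the signature with")
    elif fingerprint(trusted_cert) not in {fingerprint(c) for c in certs}:
        findings.append("signing certificate differs from the uploaded verification certificate")
    return findings


def sample_form(issuer=ENTITY_ID, relay_state="/prweb/sso", cert=TRUSTED_CERT):
    """Build a constructed, minimal (unsigned) SAMLResponse POST body for testing."""
    key_info = (f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>"
                f"</ds:X509Data></ds:KeyInfo>") if cert else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0">'
           f"<saml:Issuer>{issuer}</saml:Issuer><ds:Signature>{key_info}</ds:Signature>"
           f'<saml:Assertion ID="_a1"><saml:Issuer>{issuer}</saml:Issuer></saml:Assertion>'
           f"</samlp:Response>")
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode(), "RelayState": relay_state}
```

Running `check_acs_post(sample_form())` returns an empty list; passing `relay_state=""` or a different issuer reproduces the first two root causes as findings.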
Published January 31, 2016 - Updated October 8, 2020