Support Article
Unable to process SAML SSO : Missing Relaystate in IDP response
SA-6527
Summary
SAML SSO stopped working after updating from Pega 7.1.6 to Pega 7.1.7
Error Messages
PegaRules Log:
Unable to process the SAML WebSSO request: Missing Relaystate information in IDP Response
SAML tracer:
Steps to Reproduce
1. Update from Pega 7.1.6 to Pega 7.1.7
2. Log in using the SSO URL.
Root Cause
The root cause of this problem is a defect/misconfiguration in the PRPC operating environment. The POST request made to the AssertionConsumerService activity contains "RelayState" as a parameter. Starting from Pega 7.1.7, the actual "relaystate URL" is no longer sent as a parameter in POST requests made to the AssertionConsumerService activity; instead, a random ID is sent. This change was made to enhance security.
However, the actual "RelayState" was sent in Pega 7.1.6, and this logic is part of pySAMLWebSSOAuthenticationActivity.
pySAMLWebSSOAuthenticationActivity had been modified by the customer in Pega 7.1.6, and hence the wrong version of this activity was being used in Pega 7.1.7.
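The following is an added illustration of the two RelayState designs the root cause contrasts; it is constructed for this article and is not Pega's code or the pySAMLWebSSOAuthenticationActivity itself. The service-provider host name and the sample return URL are assumed values. In the 7.1.6 style the return URL travels in RelayState and the assertion consumer must validate it; in the 7.1.7 style only an opaque single-use ID leaves the server, and the consumer looks the URL up. The last check shows why the two halves cannot be mixed: a 7.1.7-style ID handed to a 7.1.6-style consumer is not a usable RelayState.

```python
import secrets
from urllib.parse import urlparse

# Constructed example; SP_HOST is an assumed service-provider host name.
SP_HOST = "sp.example.com"


class RelayStateStore:
    """Server-side map from an opaque, single-use ID to the real return URL."""

    def __init__(self):
        self._pending = {}

    def issue(self, return_url):
        # 7.1.7 style: the browser and IdP only ever see this random ID.
        token = secrets.token_urlsafe(32)
        self._pending[token] = return_url
        return token

    def consume(self, token):
        # Single use: a replayed or unknown ID yields None.
        return self._pending.pop(token, None)


def legacy_relaystate(return_url):
    # 7.1.6 style: the return URL itself is the RelayState value.
    return return_url


def acs_legacy(post_params):
    """7.1.6-style consumer: RelayState is the redirect target, after a host check."""
    relay = post_params.get("RelayState")
    if not relay:
        raise ValueError("Missing Relaystate information in IDP Response")
    parsed = urlparse(relay)
    if parsed.scheme != "https" or parsed.netloc != SP_HOST:
        raise ValueError("RelayState is not an https URL on the SP host")
    return relay


def acs_current(store, post_params):
    """7.1.7-style consumer: RelayState must be an ID this SP issued."""
    relay = post_params.get("RelayState")
    if not relay:
        raise ValueError("Missing Relaystate information in IDP Response")
    target = store.consume(relay)
    if target is None:
        raise ValueError("Unknown or already-used RelayState id")
    return target
```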
Resolution
This issue is resolved through the following local change: using the correct version of pySAMLWebSSOAuthenticationActivity in Pega 7.1.7 resolves the issue, i.e. use the pySAMLWebSSOAuthenticationActivity belonging to the "Pega-IntegrationEngine:07-10-15" ruleset.
Published January 31, 2016 - Updated October 8, 2020