Question
Wellcare
US
Last activity: 17 Sep 2019 9:43 EDT
Invalid Division for Operator on accessing the SSO url
Hi Team, Iam trying to implement SSO using SAML in Pega 8.2.1. I have configured the url in our identity. For the Operator identification, i tried both Name identifier in the subject and Attribute. But iam always getting the below error in the logs
2019-09-12 15:16:56,089 [ default task-3] [ STANDARD] [ ] [ PE:01.01.01] ( internal.util.PRSAMLv2Utils) DEBUG dumlgapst01| Proprietary information hidden|RelayStateID: d5fb7bb1-6aca-4034-b3b3-e728c3b7cb50 :RelayStateID - Converting SAML string received to SAML object 2019-09-12 15:16:56,111 [ default task-3] [ STANDARD] [ ] [ PE:01.01.01] (.authentication.Authentication) ERROR dumlgapst01| Proprietary information hidden - Invalid Division for Operator:
(.authentication.Authentication) ERROR dumlgapst01| Proprietary information hidden - Invalid Division for Operator: IT
***Moderator Edit-Vidyaranjan: Updated Platform Capability***
Accepted Solution
Wellcare
US
Pegasystems Inc.
US
This exception occurs after a lookup and the Division returned is null.
Does the "IT" division exist in Pega?
Is there any chance the operator has an existing record that can be deleted to change the behavior - as a debugging step at least?
Wellcare
US
Hi Paul, Its not even reading the attribute parameter for the operator from SAML. I have choosen name and attribute, but it was unable to read the operator from saml. That why in the log, its giving the below message when i dont select "Enable operator provisioning using model operator".
Unable to process the SAML WebSSO request : Unable to derive operator from SAML assertion
If i select, "Enable operator provisioning using model operator", then its throwing the message
Invalid Division for Operator: IT
Pegasystems Inc.
US
Hi,
For this issue you need to get the SAMLResponse being sent to PRPC. You have debug on so you probably have the Base64 encoded value for the SAMLResponse in our logs, don't post it here please. You just need to decode that and then look at where the operator id reference really is, NameID or an attribute. You wouldn't use an attribute unless you know the attribute being used.
--Chris
Wellcare
US
Hi Chris, I traced the SAML response and all the attributes and NameID exist in the saml response. Its getting the operator from saml and a validation in Pega out of box code is throwing error which says invalid division. Iam just checking if any faced this issue and got a resolution.
I checked my org, div and unit rules and everything looks ok.
Thanks,
Veera
Accepted Solution
Wellcare
US
This issue has been resolved by using the NameID and model operator as reference "By Organization hierarchy" You dont need to provide any pre and post activities in latest versions. But inorder to build the access groups from the roles retruned from idp, we need an post activity.
This loop can be closed.
Pegasystems Inc.
IN
Thank you! We have marked this post as Answered.
This issue has been resolved by using the NameID and model operator as reference "By Organization hierarchy" You dont need to provide any pre and post activities in latest versions. But inorder to build the access groups from the roles retruned from idp, we need an post activity.
This loop can be closed.