Question
Exilant Technologies PVT Ltd
US
Last activity: 12 Oct 2018 5:29 EDT
Pega SAML Request missing RequestedAuthnContext
Hi Team,
I am woking on configuring PEGA with a Identity Provider using SAML2.
I am using PEGA's built in SAML2 Authentication Service Type for this. I configured everything in AuthServices and preweb web.xml.
When PEGA generating request it looked like this.
Pega Request
Hi Team,
I am woking on configuring PEGA with a Identity Provider using SAML2.
I am using PEGA's built in SAML2 Authentication Service Type for this. I configured everything in AuthServices and preweb web.xml.
When PEGA generating request it looked like this.
Pega Request
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://local.com:9080/prweb/PRRestService/WebSSO/SAML/AssertionConsumerService" Destination="https://idp.com/SAMLLogin" ForceAuthn="false" ID="_c3661c772fe55928eaace5f85b93ceea"
IsPassive="false" IssueInstant="2018-05-11T18:28:04.657Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://local.com:9080/prweb/sp/1524078420</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_c3661c772fe55928eaace5f85b93ceea">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>vXWEfFjRmS8Oy1F0zaOhbeRicHo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>****MASKED****</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
Its missing RequestedAuthnContext
Expected Request is
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s2e211c5bfc0200fc48819f381f17d56ca0b5c780f"
Version="2.0"
IssueInstant="2013-01-29T21:26:32Z"
*Destination="http://serviceprovider.com/location"
ForceAuthn="false" IsPassive="false"
*ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="http://serviceprovider.com/location">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">***MASKED***</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="TEST" AllowCreate="true"></samlp:NameIDPolicy>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Can anyone please help on how to configure PEGA to add RequestedAuthnContext to SAML Requests ?
Pegasystems Inc.
IN
Please enable DEBUG for below class and attach the pegarules log after hit the SSO url.(Designer studio -> System ->Operations ->Logs -> Logging level settings)
com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils
If AuthnContextClassRef object is null then RequestedAuthnContext will not add to the request, you can know AuthnContextClassRef value in the pegarules log if you enble logger as above.
Pegasystems Inc.
NL
In 7.3.1. update your SAML SSO Authentication Activity (pySAMLWebSSOAuthenticationActivity)
Before the authentication request is generated add a line to add a property-set on AuthService.pySAMLWebSSO to set .pyAuthenticationContext to one of the values provided by its local list, for example "PPT_AUTHN_CTX". See the description field on the property for exact mappings to the oasis values.