Extending SAML v2 Metadata in Pega 7.4
Accepted Solution
Pegasystems Inc.
FR
Pegasystems Inc.
PL
Hi,
Please take a look at the below documents, are describing the configuration for SSO SAML2 authentication:
- https://community.pega.com/knowledgebase/articles/configuring-pega-7-platform-service-provider-sp
- https://community.pega.com/knowledgebase/articles/saml-20-conformance
- https://community.pega.com/knowledgebase/articles/web-single-sign-sso-saml-20
And if you have properly configured SAML feature. Could you please send to us the error msg, logs which allow us to understand the issue that you have.
Thanks,
Lukasz
Pegasystems Inc.
FR
Pegasystems Inc.
IN
Hi
Data-SAMLMetadata-ExtensionsType class is available for extending SAML SP Metadata generated from the rule form.
But we are not able to extend SAML 2.0 auto-generated token from the Authentication Service rule form. No way to find which code is executed even with Tracer.
we are not generating any token from pega end.
Could you please elaborate the use case.
Pegasystems Inc.
FR
Accepted Solution
Pegasystems Inc.
FR
Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.
Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.
You need to use OpenSAML api to add the extension in the authrequest.
for POST binding signature is embedded inside authentication request.
Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.
samlutils.createAuthenticationRequest(myStepPage)
But for Redirect binding it works as signature is computed in generateRedirectURL method.
We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.
String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);
Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):
Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.
Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.
You need to use OpenSAML api to add the extension in the authrequest.
for POST binding signature is embedded inside authentication request.
Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.
samlutils.createAuthenticationRequest(myStepPage)
But for Redirect binding it works as signature is computed in generateRedirectURL method.
We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.
String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);
Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):
//SPECIFIC CODE : Define Extensions xml tag
org.opensaml.saml2.common.Extensions extensions = new org.opensaml.saml2.common.impl.ExtensionsBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "Extensions", "samlp");
org.opensaml.xml.schema.XSAny securityLevel = new org.opensaml.xml.schema.impl.XSAnyBuilder().buildObject(new javax.xml.namespace.QName("http://mynamespaceurl", "SecurityLevel","dacs"));
extensions.getUnknownXMLObjects().add(securityLevel);
securityLevel.setTextContent("0");
org.opensaml.saml2.core.AuthnRequest authnRequest = samlutils.createAuthenticationRequest(myStepPage);
authnRequest.setExtensions(extensions);
requestMessage = samlutils.getSAMLObjectASString( authnRequest);
if(oLog.isDebugEnabled())
oLog.debug("Generated authentication request : " + requestMessage);
}
} catch(Exception e) {
errorMessage = e.getMessage();
tools.putParamValue("ErrorMessage", errorMessage);
nextBlock = "ERR";
}
Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.
Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.
You need to use OpenSAML api to add the extension in the authrequest.
for POST binding signature is embedded inside authentication request.
Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.
samlutils.createAuthenticationRequest(myStepPage)
But for Redirect binding it works as signature is computed in generateRedirectURL method.
We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.
String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);
Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):
Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.
Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.
You need to use OpenSAML api to add the extension in the authrequest.
for POST binding signature is embedded inside authentication request.
Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.
samlutils.createAuthenticationRequest(myStepPage)
But for Redirect binding it works as signature is computed in generateRedirectURL method.
We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.
String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);
Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):
//SPECIFIC CODE : Define Extensions xml tag
org.opensaml.saml2.common.Extensions extensions = new org.opensaml.saml2.common.impl.ExtensionsBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "Extensions", "samlp");
org.opensaml.xml.schema.XSAny securityLevel = new org.opensaml.xml.schema.impl.XSAnyBuilder().buildObject(new javax.xml.namespace.QName("http://mynamespaceurl", "SecurityLevel","dacs"));
extensions.getUnknownXMLObjects().add(securityLevel);
securityLevel.setTextContent("0");
org.opensaml.saml2.core.AuthnRequest authnRequest = samlutils.createAuthenticationRequest(myStepPage);
authnRequest.setExtensions(extensions);
requestMessage = samlutils.getSAMLObjectASString( authnRequest);
if(oLog.isDebugEnabled())
oLog.debug("Generated authentication request : " + requestMessage);
}
} catch(Exception e) {
errorMessage = e.getMessage();
tools.putParamValue("ErrorMessage", errorMessage);
nextBlock = "ERR";
}