Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Joydeep Das (JoydeepD4559)
Becton Dickinson

Becton Dickinson
US
JoydeepD4559 Member since 2021 2 posts
Becton Dickinson
Posted: Feb 16, 2021
Last activity: Mar 1, 2021
Posted: 16 Feb 2021 15:31 EST
Last activity: 1 Mar 2021 6:08 EST
Closed

Invoke SAML post SSO as a step up authentication

HI All,

 

We have a requirement where we have to prompt user for user ID and password during submission of  a case. In the current landscape, the Identity provider is only allowing SAML endpoints to validate the user ID credentials. 

 

the challenge is that, the user is already authenticated via sso using SAML. Bt to re-validate the user credentials, SAML cannot be invoked out of the box. 

 

We would like to know if there are any capabilities within PEGA that would help in calling this SAML URL again to validate the user ID and password without interfering with the current user session. 

 

We were exploring if the connect-rest/HTTP can be used but not able to send success request. If anyone has implemented this or has any idea on how the SAML request can be sent on demand without impacting the user session would be great.

 

-Joydeep

***Edited by Moderator Marissa to update Support Case Details***
To see attachments, please log in.
Pega Platform 8.4.4
Security
Other Industry
Lead System Architect
Support Case Exists

Posted: 3 years ago
Posted: 26 Feb 2021 16:45 EST
Chris Koyl (ChrisKoyl)
PEGA
Senior Fellow, Technical Support, Runtime Engine
Pegasystems Inc.
US

@JoydeepD4559

This won’t be possible with our OTB SAML as that is ment to grant access to the application and only triggered when a user is not authenticated.    

You also won’t be able to back channel this with a REST call as the IDP needs to identify the user and a SAML Request doesn’t contain information about the user, it’s the IDP’s job to identify the user not he SP to provide information about the user.

You might get further with a IDP initiated request that the IDP knows to trigger authentication with again. However, with both SP or IDP initiated requests you still have to handle the SAMLResponse, should still be using an AssertionConsumerService, have to prevent replay attacks etc.  This is not a good fit for this.

The IDP is connected to a user store. If might be simpler if you used something like secure LDAPS against that same user store for validating the user credentials in this part of the flow. The underlying usage of SAML it’s really setup for this.

 

 

To see attachments, please log in.
Posted: 3 years ago
Posted: 1 Mar 2021 6:08 EST
Angel Hermira (Angel Hermira)
PEGA
Principal Product Manager, Robotics
Pegasystems Inc.
GB

@JoydeepD4559 , I think what you need is an OAuth service exposed by the IdP. You can call that service to get a token based on valid user and password. If the response is good you proceed with the transaction and reject it otherwise.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice