Is there a simple way to verify that the authentication profile is correctly configured?

Question

Replies

990

Views

AleMax225

Member since 2020

24 posts

Corner SA

Posted: Jan 24, 2024

Last activity: Jan 29, 2024

Closed

Is there a simple way to verify that the authentication profile is correctly configured?

Report

In the last month we are adopting the OAuth 2.0 mechanism to authenticate Pega towards the other systems and for that we are using an Authentication Profiles configured for Keycloak as in the following image

Authentication Profiel configuration

The big issue that we had in all the environment was testing the connection and in particular the authentication towards Keycloak (check if the clientid and the password are correct). In fact we were not able to effectively debug the authentication problems, i.e. if the authentication error was sent to us by keyclock or by the external system.

Is there a way to easily DEBUG these situations?

Is there a simple way to check the authentication of Pega towards Keycloak?

To see attachments, please log in.

Pega Platform 8.7.6

Pega Platform

Security

Lead System Architect

Likes (1)

Posted: 1 year ago

Updated: 1 year ago

SUMAN_GUMUDAVELLY

Ford Motor Company

replied to AleMax225

Report

@AleMax225

Debugging OAuth 2.0 authentication issues when Keycloak is the Identity Provider (IdP) for Pega's Single Sign-On (SSO) process involves checking configurations on both the Pega platform and Keycloak.

I see you are using Authentication Profile as OAuth 2.0 and if I'm not wrong, you are calling this authentication part of an Initial SSO Activity. But,Keycloak can also authenticate users with existing OpenID Connect or SAML 2.0 Identity Providers. If possible, I would suggest to relay on Pega's Authetication Rules [ Instance of DATA-ADMIN-AUTHSERVICE] instaed of configuring Authentication outside and utilizing the Custom Code. Using native Authentication rules will help you not only to Authenticate but also help you to Authorize the Users be it in the Post Authentication activity or through Mapping tab [Provide mapping to map identity information to custom properties.]

Here's how to approach debugging in this scenario:

@AleMax225

Debugging OAuth 2.0 authentication issues when Keycloak is the Identity Provider (IdP) for Pega's Single Sign-On (SSO) process involves checking configurations on both the Pega platform and Keycloak.

Here's how to approach debugging in this scenario:

Keycloak Configuration Clients Configuration: In Keycloak, ensure that the Pega application is set up as a client correctly. Check the client ID, client secret, and the redirect URIs. Valid Redirect URIs: Ensure that the redirect URIs in Keycloak match those configured in Pega. Any mismatch can cause failures. Roles and Scopes: Verify that the roles and scopes are correctly configured and assigned to the Pega client in Keycloak. Protocol Mappers: Check the protocol mappers in Keycloak to ensure that claims like username, email, etc., are mapped correctly and will be sent to Pega. Keycloak Logs: Enable logging in Keycloak to trace the authentication requests and responses. Look for any error messages that might indicate what is going wrong.

Pega Configuration Authentication Profile: Verify that the OAuth 2.0 authentication Profile in Pega is correctly configured with the Keycloak endpoints for authorization, token, and user info (if applicable). Client Credentials: Double-check the client ID and client secret in the Pega OAuth 2.0 authentication profile configuration. Attribute Mapping: Ensure that the attributes returned by Keycloak are correctly mapped to the corresponding Pega operator properties. SSL/TLS: If Keycloak is using HTTPS, ensure that Pega trusts Keycloak's SSL certificate. You might need to import Keycloak's certificate into Pega's truststore.

Debugging Steps Trace Requests: Use tools like Fiddler, Wireshark, or browser developer tools to trace the HTTP requests and responses between Pega, Keycloak, and the browser. Browser Extensions: Use Chrome Web Store [Extensions] for tools like SAML, WS-Federation and OAuth 2.0 tracer 4.3.1 to trace and decode all SAML, WS-Federation and OAuth 2.0 (OIDC) messages

Pega Logs: Increase the logging level for OAuth and authentication classes within Pega (steps are listed below) to capture detailed information about the OAuth flow. - Navigating to `Designer Studio > System > Operations > Logs` and adjusting the logging level for authentication services. - Look for the relevant classes such as 'com.pega.pegarules.integration.engine.internal.auth.oidc.OIDCClientHandler' , `com.pega.pegarules.integration.engine.internal.services.oauth2.OAuth2Service`, `com.pega.pegarules.session.internal.mgmt.authentication`, and others related to OAuth and SSO.

Tracer Tool: Utilize Pega's Tracer tool to trace the execution of rules, especially those related to authentication and OAuth processing. Session and Cookie Management: Check if the browser correctly handles session cookies set by Keycloak and Pega during the authentication flow. Keycloak Realm Settings: Make sure that the realm settings in Keycloak, including client session and SSO session settings, are compatible with your Pega SSO setup.

General Debugging Tips Error Messages: Pay close attention to any error messages in the browser, Pega logs, or Keycloak logs. They often provide the first clue to the root cause of the issue. Redirect URIs: Ensure that all redirect URIs are listed in both Keycloak and Pega configurations and that they match exactly, including trailing slashes if any. Access Tokens: If the access token is obtained but not accepted by Pega, verify its structure and whether Pega can validate it correctly against Keycloak's public key. Token Introspection: If Pega is performing token introspection, check that this endpoint is properly configured in Pega and that Keycloak is responding appropriately.

Keycloak Realm and Client Specific Debugging Test Users: Create a test user in Keycloak with a known set of attributes and attempt to log in through Pega to see if the attributes are passed along as expected. Client Scopes: Review the client scopes assigned to the Pega client in Keycloak and ensure they include all necessary roles and claims.

--------------- Here's a step-by-step guide to help you debug the process: [ If you configure Pega OOTB Authentication Service Rule]

### 1. Enable Logging Before you start, enable detailed logging for the authentication service and related classes. In Pega, you can do this by:

- Navigating to `Designer Studio > System > Operations > Logs` and adjusting the logging level for authentication services. - Look for the relevant classes such as 'com.pega.pegarules.integration.engine.internal.auth.oidc.OIDCClientHandler' , `com.pega.pegarules.integration.engine.internal.services.oauth2.OAuth2Service`, `com.pega.pegarules.session.internal.mgmt.authentication`, and others related to OAuth and SSO.

### 2. Check Configuration Ensure that your OAuth 2.0 configuration is correct:

- Verify that the client ID and client secret are correctly inputted. - Make sure the authorization endpoint, token endpoint, and user information endpoint URLs are correct. - Confirm that the correct scopes are being requested. - Check that redirect URIs are correctly configured and match what is registered in the OAuth provider.

### 3. Inspect Initial Request When a user initiates the login process, ensure that the initial OAuth request to the authorization server is correctly formed:

- Check for the correct query parameters like `response_type`, `client_id`, `redirect_uri`, `scope`, etc. - If possible, use a tool like Fiddler or Wireshark to capture the HTTP requests and responses to confirm they are correctly structured.

### 4. Review Authorization Server Response Look at the response from the authorization server:

- If there are errors in the response, they will usually contain an error description that can guide you to the issue. - Ensure that the authorization code is being received (if using the authorization code flow).

### 5. Trace the Token Exchange If the authorization code is received, the next step is to exchange it for an access token:

- Verify that the token request includes the correct parameters such as `grant_type`, `code`, `redirect_uri`, `client_id`, and `client_secret` (if required). - Examine the response from the token endpoint for any errors.

### 6. Check Access Token Usage Once an access token is obtained, ensure it's used correctly:

- Look for the access token in the subsequent requests to the resource server. - Check if the token is being passed in the correct format (usually in the Authorization header as a Bearer token).

### 7. Verify User Information Retrieval If your OAuth 2.0 flow retrieves user information from the provider:

- Confirm that the request for user information includes the access token. - Inspect the response to ensure that the necessary user information is being returned and correctly parsed by Pega.

### 8. Analyze Pega Authentication Service Review the Pega authentication service configuration:

- Make sure the authentication service is correctly configured to handle the OAuth 2.0 process. - Check if the mapping of attributes from the user information to Pega's operator ID is correct.

### 9. Use the Tracer Tool Pega provides a Tracer tool which can be used to trace the execution of rules:

- Use the Tracer tool to follow the authentication process step-by-step. - Look for any failures or exceptions that occur during the process.

### 10. Review Session and Cookie Management Ensure that session management and cookie configuration are not causing issues:

- Confirm that the cookies are being set and sent correctly. - Look into any cross-domain issues that may prevent cookies from being properly managed.

### 11. Check Third-Party Identity Provider Logs If possible, check the logs from the third-party OAuth 2.0 provider to see if there are any clues to the issue:

- Look for any failed authentication attempts and the associated reasons.

Show Less

To see attachments, please log in.