Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

10
Replies
3074
Views
Muthu Member since 2013 7 posts
ING NV
Posted: May 26, 2016
Last activity: Jul 28, 2016
Closed
Solved

Assertion Consumer service URL for SAML in a IAC set up

Hi All,

Pega is embedded into a webpage as we web mashup (IAC gadget).

We are using SAML for SSO.Login (SSO) protocol binding is REDIRECT-ARTIFACT


Question - Pega receives the assertion token from idp via browser redirect using the assertion consumer service. Should the assertion consumer service URL be gateway URL or application server URL?

http://<<Gateway / Application server>>/prweb/PRRestService/WebSSO/SAML/AssertionConsumerService

If this is a gateway URL, what should be the format?

Regards,

Muthu

To see attachments, please log in.
Security

Accepted Solution

Posted: 8 years ago

Hi, 

 

The SAML exchange happens between the Pega and the IDP and gateway is unaware of the SAML exchange. Hence the ACS url should be Pega URL and not the IAC gateway URL.

 

Thanks,

Giridhar

To see attachments, please log in.
Posted: 8 years ago

Hi Muthu,

 

Assertion Consumer Service (ACS) should specify Service Provider ACS location URL. For new authentication service instances, this field is auto-populated with the out-of-the-box ACS REST service URL. Can be manually edited. The URL generated ACS location use the hostname and port of the PRPC URL you are connected to at the time you have created the AuthService. Below is the sample.

Capture.PNG

To see attachments, please log in.
Posted: 8 years ago

Thanks Supraja, Yes, as you have said, this URL is pre-populated with the rest endpoint based on the server i am connected to. This URL is also editable.

My question is, When SAML is used with IAC, Should this be a gateway URL? In other words, When idp returns the assertion using a browser redirect, can it directly use the  load balanced application server URL or should it go through IAC gateway?

To see attachments, please log in.
Posted: 8 years ago

Thanks Supraja,

When i use http:// Application server/prweb/PRRestService/WebSSO/SAML/AssertionConsumerService on my browser i get "Unable to process the SAML WebSSO request : 1". I guess this is expected as the SAML assertion request is invalid. But it proved the point that the service is invoked.

Now, when i use the gateway format to invoke the service via IAC using URL https://Gateway/prgatewayweb/PRPCGateway/PRRestService/WebSSO/SAML/AssertionConsumerService

I get a 'null'

Shouldn't i bee getting the same error as using app server url?

To see attachments, please log in.
Posted: 8 years ago

I believe it should be the Gateway URL ,as Gateway acts like a proxy to the actual PRPC node and i think PRPC node cannot be accessed directly and all services needs to go though the gateway.

Tagging Giridhar Ramadhenu to provide more context to this.

To see attachments, please log in.

Accepted Solution

Posted: 8 years ago

Hi, 

 

The SAML exchange happens between the Pega and the IDP and gateway is unaware of the SAML exchange. Hence the ACS url should be Pega URL and not the IAC gateway URL.

 

Thanks,

Giridhar

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice