Assertion Consumer Service URL for SAML in an IAC setup
Hi All,
Pega is embedded into a webpage as a web mashup (IAC gadget).
We are using SAML for SSO. Login (SSO) protocol binding is REDIRECT-ARTIFACT.
Question: Pega receives the assertion token from the IdP via browser redirect using the Assertion Consumer Service. Should the Assertion Consumer Service URL be the gateway URL or the application server URL?
http://<<Gateway / Application server>>/prweb/PRRestService/WebSSO/SAML/AssertionConsumerService
If this is a gateway URL, what should be the format?
Regards,
Muthu
Accepted Solution
Hi,
The SAML exchange happens between Pega and the IdP, and the gateway is unaware of the SAML exchange. Hence the ACS URL should be the Pega URL and not the IAC gateway URL.
Thanks,
Giridhar
Hi Muthu,
Assertion Consumer Service (ACS) should specify the Service Provider ACS location URL. For new authentication service instances, this field is auto-populated with the out-of-the-box ACS REST service URL. It can be manually edited. The generated ACS location URL uses the hostname and port of the PRPC URL you are connected to at the time you created the AuthService. Below is the sample.
Thanks Supraja. Yes, as you have said, this URL is pre-populated with the REST endpoint based on the server I am connected to. This URL is also editable.
My question is: when SAML is used with IAC, should this be a gateway URL? In other words, when the IdP returns the assertion using a browser redirect, can it directly use the load-balanced application server URL, or should it go through the IAC gateway?
Hi Muthu,
Since you are using SAML with IAC, the ACS URL should be the IAC gateway URL.
Sample Gateway URL: http://host.domain.com:port/prgateway/PRPCGateway
https://pdn.pega.com/setting-gatewayurl-configuration-parameter
Thanks Supraja,
When I use http://<<Application server>>/prweb/PRRestService/WebSSO/SAML/AssertionConsumerService in my browser I get "Unable to process the SAML WebSSO request : 1". I guess this is expected as the SAML assertion request is invalid. But it proved the point that the service is invoked.
Now, when I use the gateway format to invoke the service via IAC using the URL https://Gateway/prgatewayweb/PRPCGateway/PRRestService/WebSSO/SAML/AssertionConsumerService
I get a 'null'.
Shouldn't I be getting the same error as when using the app server URL?

Pega Chargers, can you shed any insights on this? While this should work, I am not sure if anyone has tested/verified the setup.

Hi Kevin,
We tried to use https://<<hostname>>:8443/prgatewayweb/PRRestService/WebSSO/SAML/AssertionConsumerService. But we get a 404 error and it appears like the browser is not able to reach the REST service.
Regards,
Muthu
I believe it should be the Gateway URL, as the Gateway acts like a proxy to the actual PRPC node, and I think the PRPC node cannot be accessed directly and all services need to go through the gateway.
Tagging Giridhar Ramadhenu to provide more context to this.
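The accepted answer's reasoning (the gateway is not a party to the SAML exchange, so the ACS URL must be the address the Service Provider itself advertises) has a concrete consequence on the SP side: a SAML Response carries a `Destination` attribute, and each bearer assertion carries a `SubjectConfirmationData/@Recipient`, and the SP is expected to reject the message when these do not match its own ACS location. The following is an added example written for this thread, not code from Pega or from any poster, showing that check in Python with a constructed, unsigned sample Response. The hostnames `pega.example.com` and `gateway.example.com`, the function names, and the sample XML are all assumptions; the ACS path follows the one quoted in the thread. In a real deployment the signature is validated before any of this.

```python
"""Added example (not from the thread or from Pega): an SP-side check that a
SAML Response was addressed to the ACS URL the SP actually advertises, with a
constructed, unsigned sample Response.  A response addressed to a gateway
URL that the SP never advertised fails the check."""
import base64
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical configured ACS location; the path is the one quoted in the thread.
CONFIGURED_ACS = "https://pega.example.com/prweb/PRRestService/WebSSO/SAML/AssertionConsumerService"


def normalize_url(url):
    """Compare scheme, host, explicit-or-default port and path; ignore query/fragment."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port, p.path.rstrip("/"))


def check_acs_addressing(saml_response_b64, configured_acs=CONFIGURED_ACS):
    """Return (ok, reason). ok is True only when Destination and every
    Recipient match the configured ACS location."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    expected = normalize_url(configured_acs)
    dest = root.get("Destination")
    if dest is None:
        return False, "missing Destination"
    if normalize_url(dest) != expected:
        return False, "Destination %r does not match configured ACS" % dest
    confirmations = root.findall(".//saml:SubjectConfirmationData", NS)
    if not confirmations:
        return False, "no SubjectConfirmationData"
    for scd in confirmations:
        recipient = scd.get("Recipient")
        if recipient is None or normalize_url(recipient) != expected:
            return False, "Recipient %r does not match configured ACS" % recipient
    return True, "addressed to configured ACS"


def build_sample_response(destination, recipient):
    """Constructed, unsigned sample Response used only to exercise the check."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2020-01-01T00:00:00Z" Destination="%s">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>'
        '<saml:Subject><saml:NameID>user@example.com</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="%s" NotOnOrAfter="2020-01-01T00:05:00Z"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], destination, recipient)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    gateway_acs = ("https://gateway.example.com/prgatewayweb/PRPCGateway"
                   "/PRRestService/WebSSO/SAML/AssertionConsumerService")
    print(check_acs_addressing(build_sample_response(CONFIGURED_ACS, CONFIGURED_ACS)))
    print(check_acs_addressing(build_sample_response(gateway_acs, gateway_acs)))
```

The normalization treats an explicit `:443` and the default HTTPS port as the same location, which is the usual source of false mismatches when the ACS value is hand-edited; anything beyond scheme, host, port and path (query string, fragment) is deliberately not part of the comparison.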