Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Atanu Sen (Atanu Sen)
IKOR PX
Principal Architect
IKOR PX
AU
Atanu Sen Member since 2013 8 posts
IKOR PX
Posted: Mar 27, 2021
Last activity: Apr 7, 2021
Posted: 27 Mar 2021 8:36 EDT
Last activity: 7 Apr 2021 3:19 EDT
Closed

cLSA Security Excellence webinar - SAML 2.0

Pega SAML 2.0 FlowStep 5 needs to return to the node from where Step 1 was initiated. The question is we do not have a user session yet, so why do we need session affinity at this point. We are using Pega 8.3 and if the SAML response is not redirected to the node from where the request was initiated, it fails. 

To see attachments, please log in.
Pega Platform 8.3
Case Management
Cross-Industry
Lead System Architect

  • Vachan Chauhan
Posted: 3 years ago
Posted: 29 Mar 2021 12:13 EDT
James Sleightholm (sleij)
PEGA
Principal Solutions Architect
Pegasystems Inc.
CH

Session Affinity is established at step 8 when the Pega-RULES cookie is issued. The Load Balancer should then ensure affinity based on the Pega-RULES cookie. The AssertionConsumer response at step 5 can be processed by any webuser node. I don't think your SAML response can be failing because of the webuser node it is being processed on. There are multiple reasons why a SAML response will not result in successful authentication. I have not observed the pattern you are mentioning.

To see attachments, please log in.
Posted: 3 years ago
Posted: 31 Mar 2021 9:29 EDT
Atanu Sen (Atanu Sen)
IKOR PX
Principal Architect
IKOR PX
AU

@sleij - Thanks for the response James. That is what we thought but it only works when it goes to the same node from where the request was initiated. Any known bugs w.r.t to this in the version 8.3.0 we are on? Could you suggest some things we should check in our configuration?

-Atanu 

To see attachments, please log in.
Posted: 3 years ago
Updated: 3 years ago
Posted: 1 Apr 2021 5:23 EDT
Updated: 1 Apr 2021 5:24 EDT
Atanu Sen (Atanu Sen)
IKOR PX
Principal Architect
IKOR PX
AU

@sleij I did a fact finding mission with Pega Engineer Julius Li, and indeed Pega SAML implementation creates a session when SAML Authentication is initiated and requires Step 5 to return to this session for it to work. So session affinity is required even before user is authenticated and user session is created in Step 8. Other SAML implementations I have seen do not work like this, and are stateless till the user session is created. You may want to talk to the product team about this and fix the implementation.  

To see attachments, please log in.
Posted: 3 years ago
Posted: 7 Apr 2021 3:19 EDT
Dion Lammers (DionLammers)
PEGA
Partner Success Tech Lead - EMEA
Pegasystems Inc.
NL

@Atanu Sen

Hi Atanu, 

I dont believe the Pega SAML implementation works any different to other technologies. If you havent done already could you please create an SR and provide the logs. There is no logical reason for a difference in processing the SAML response based on node. They should be able to process this further and work with the product teams to get any potential issue resolved. 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice