Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Santanu Mandal (SantanuMan)
Cognizant

Cognizant
IN
SantanuMan Member since 2008 11 posts
Cognizant
Posted: May 4, 2020
Last activity: Jul 22, 2020
Posted: 4 May 2020 14:37 EDT
Last activity: 22 Jul 2020 10:12 EDT
Closed

Configuring error message for SAML2.0 based SSO

Dear Experts,

We have configured SAML2.0 based Authentication Service for Single Sign-On. ADFS is used as IDP. The SSO authentication is working properly. However we are unable to display custom error message if authorization fails. I am looking for your help and suggestion for following items. 

1. During SSO authentication we are checking whether the ID is part of a particular AD group. If they aren't part of the AD Group then login will be denied. We are able to achieve this part but on screen we aren't able to display a custom message. We are always getting default error message. Can you please let me know if we can show custom message in this scenario?

2. If Login fails we want to redirect to a different page. Is it possible to redirect to a different web-page during SSO authentication?

We are on 8.3.2 and OOTB SAML2.0 based SSO is used. Automatic operator provisioning is enabled using data transform.

To see attachments, please log in.
Pega Platform 8.3.2
Security
Financial Services
Lead System Architect

Posted: 4 years ago
Posted: 13 May 2020 7:28 EDT
Shasi Yarram (mitrs)
PEGA
Fellow, Software Architect, Services Engineering
Pegasystems Inc.
IN

Hi,

Are you checking the validation "not part of particular AD group" as part of the post authentication activity policy? 

To see attachments, please log in.
Posted: 4 years ago
Posted: 13 May 2020 8:30 EDT
Siva Sankara Rao Dodla (SivaDodla)
cognizant
Siva Sankara Rao Dodla
cognizant
US

Hi Team,

we are trying to write any code on the post-authentication activity . we are getting the Policy filed issue. what we are trying here the positive scenario is working fine. when ADFS team not sending any AG group attributes we need to stop the screen and put some Error Message. This part we are not able to achieve and not able to redirect the screen also. We are doing all this from the Data Transform. when the negative scenario we are seeing this Error Message "Unable to process the SAML WebSSO request : Unable to derive operator from SAML assertion"

 

please let me know if you need any more details.

 

To see attachments, please log in.
Posted: 4 years ago
Posted: 13 May 2020 10:25 EDT
Santhosh Bagannagari (bagas)
Pegasystems Inc.
Tech Lead, Security Engineering
Pegasystems Inc.
IN

Hi,

Did you try with customizing the html rule "DATA-ADMIN-SECURITY-SSO-SAML!PYSHOWERRORMESSAGE" in unathenticated context RuleSet ?

You can try with adding redirects too.

Thanks,

Santhosh

To see attachments, please log in.
Posted: 4 years ago
Posted: 13 May 2020 11:56 EDT
Siva Sankara Rao Dodla (SivaDodla)
cognizant
Siva Sankara Rao Dodla
cognizant
US

Hi Santhosh, today morning i worked with pega team and modified the below rule . Now it's working fine . we check another option how we need to redirect to other login screen . i will keep update the post . thank you 

DATA-ADMIN-SECURITY-SSO-SAML!PYSHOWERRORMESSAGE"

 

 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice