Question
CBA
IN
Last activity: 24 May 2022 10:29 EDT
Displaying Login Screen for SAML SSO Login
Hi,
I am working on a SAML SSO configuration. Below is the configuration at our side:
Service Provider is Pega -> Reverse Proxy -> IDP (AAD)
I am facing an issue: when the IDP triggers a request to access the application, it is pointed to the Pega login page, not to the user portal.
The RelayState URL which we receive from the IDP in the SAML response is the DNS set by the reverse proxy, which in turn is redirected to the actual authentication service URL (https://(host)/prweb/xx). But the UI displayed to the third party is the Pega login screen, not the portal.
What Pega sends back as a message is:
"Since your browser does not support JavaScript, you must press the Continue button once to proceed. "
This is set from the Pega OOTB HTML code invoked from the assertion service activity.
Even after trying from Chrome it is the same.
We tried logging in manually but it is still redirected to the login page.
The Pega version we are using is 7.3.
Do we need to change anything on the web proxy side? In web.xml, other than the X-Forwarded-Host setting?
If anyone has faced a similar issue, I request you to help.
Please reply to this .
Thanks
***Edited by Moderator Marije to add Support Case Details***
CBA
IN
If anyone came across the same, please help.
Pegasystems Inc.
GB
@MAMATHAP did you already try the suggestions from other posts?
https://collaborate.pega.com/question/url-redirection
The error you describe appears to be an error response from your IdP provider.
In past support incidents we have seen occasions where clients needed to add the RequestedAuthnContext element by setting the values of the pyAuthenticationContext property,
i.e. the IDP is requiring extra parameters when using the HTTP-POST method for the AuthnRequest.
For example:
Extra parameters can be added to the following HTML Rule:
Data-Admin-Security-SSO-SAML.pyPostAuthenticationRequest
<html>
  <body onload="document.forms[0].submit()">
    <noscript>
      <p>
        <strong>Note:</strong> Since your browser does not support JavaScript, you must press the Continue button once to proceed.
      </p>
    </noscript>
    <form action="<%=StringUtils.urlCrossScriptingFilter(tools.getParamValue("Destination"))%>" method="post">
      <div>
        <input type="hidden" readonly name="<PARAM_NAME>" value="<PARAM_VALUE>"/>
        <input type="hidden" readonly name="RelayState" value="<%=StringUtils.urlCrossScriptingFilter(tools.getParamValue("RelayState"))%>"/>
        <input type="hidden" readonly name="SAMLRequest" value="<%=StringUtils.urlCrossScriptingFilter(tools.getParamValue("Base64EncodedSAMLAuthnRequest"))%>"/>
      </div>
      <noscript>
        <div>
          <input type="submit" value="Continue"/>
        </div>
      </noscript>
    </form>
  </body>
</html>
------------------------
Could you go through the below document?
I would also suggest you check the available articles here:
https://community.pega.com/search/archive?q=idp%20SSO
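An added diagnostic example (not Pega's code and not part of this thread) for the situation above: it parses the auto-submit POST page that the pyPostAuthenticationRequest rule renders, decodes the base64 SAMLRequest, and checks whether the AssertionConsumerServiceURL and RelayState point at the reverse-proxy host and whether a RequestedAuthnContext element is present. All host names and the sample request are constructed, and it assumes the HTTP-POST binding (base64 only, no deflate).

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class _PostForm(HTMLParser):
    """Collects the form action and the hidden inputs from the auto-submit page."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value", "")

def check_post_page(html, proxy_host):
    """Return what the browser would POST to the IdP, checked against the proxy host."""
    form = _PostForm(); form.feed(html)
    # HTTP-POST binding carries the AuthnRequest base64-encoded (not deflated, unlike HTTP-Redirect).
    req = ET.fromstring(base64.b64decode(form.fields["SAMLRequest"]))
    acs = req.get("AssertionConsumerServiceURL", "")
    relay = form.fields.get("RelayState", "")
    return {
        "idp_destination": form.action,
        "acs_host_ok": urlparse(acs).hostname == proxy_host,
        "relay_host_ok": urlparse(relay).hostname == proxy_host,
        "has_requested_authn_context": req.find(f"{{{SAMLP}}}RequestedAuthnContext") is not None,
    }

# Constructed sample (hypothetical hosts): the AuthnRequest and the page Pega would render for it.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_c1" Version="2.0" '
    'IssueInstant="2022-01-01T00:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://proxy.example.test/prweb/sso"/>'
)
SAMPLE_POST_PAGE = (
    '<html><body onload="document.forms[0].submit()">'
    '<form action="https://idp.example.test/saml2" method="post"><div>'
    '<input type="hidden" readonly name="RelayState" '
    'value="https://pega-internal.example.test/prweb/PRAuth/SAML"/>'
    '<input type="hidden" readonly name="SAMLRequest" value="'
    + base64.b64encode(SAMPLE_AUTHN_REQUEST.encode()).decode() + '"/>'
    '</div></form></body></html>'
)
```

In the constructed sample the RelayState names the internal Pega host rather than the proxy host, so the check flags it; feeding in the page captured by a SAML tracer shows the same mismatch on a real deployment.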
CBA
IN
@MarijeSchillern Hi, thanks for replying to my post.
My Pega version is 7.3.
The error which I am getting is the one we are sending as a response. This is set from the SAML Assertion OOTB activity. This I could find from the logs. But to the IDP, the Pega login screen is displayed, not the portal.
I have gone through those documents before.
i.e. the IDP is requiring extra parameters when using the HTTP-POST method for the AuthnRequest.
Should this parameter be set from the IDP? The IDP is AAD in our case; can they set it from their side?
What does that parameter do from Pega? Please elaborate.
Thanks
Mamatha
Accepted Solution
Updated: 24 May 2022 10:29 EDT
Pegasystems Inc.
GB
@MAMATHAP this type of issue will need a more in-depth investigation.
Please can you log a support INC so that our support team can help you troubleshoot the problem? When you log the ticket please be sure to provide:
- the full configuration screenshots of the users, configuration files and activity parameters involved.
- details when the authentication service last worked correctly and any changes
- the full Pega and network logs when tracing the issue.
Please provide me with the incident number once you have logged it so that we can help track it.
CBA
IN
@MarijeSchillern Hi,
When I checked the logs, I found the authentication activity is causing a PEGA0001 alert:
HTTP interaction has exceeded the elapsed time alert threshold of 1000 ms: 2165 ms .
Any idea how to fix this ?
Updated: 2 Feb 2022 6:49 EST
Pegasystems Inc.
GB
@MAMATHAP This type of troubleshooting for a specific application configuration problem goes beyond discussions on this forum.
Please can you log a support ticket for this and give us the INC id?
CBA
IN
@MarijeSchillern Hi, I have created an SR ticket from a friend's id as I don't have access.
Please find the ticket ID INC-210135.
Thanks
Mamatha
Marije Schillern
Updated: 30 Mar 2022 6:09 EDT
Pegasystems Inc.
GB
@MAMATHAP ticket INC-210135 had to be closed as the support engineer had no more response from you.
If you do need further help, please log a new support incident, and make sure that you add the SAML tracer to Chrome, which was available in the Chrome web store.
After adding it, start the SAML tracer, try to reproduce the issue and share the SAML tracer file with us.