Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Djibril Ndoye (ndoyd)
PEGA
Innovation Technical Director
Pegasystems Inc.
FR
ndoyd Member since 2011 8 posts
PEGA
Posted: Jan 10, 2019
Last activity: Mar 6, 2019
Posted: 10 Jan 2019 12:22 EST
Last activity: 6 Mar 2019 6:53 EST
Closed
Solved

Extending SAML v2 Metadata in Pega 7.4
Hi All, Pega 7.4 has introduced a faster way to set up authentication service with a "no-code" approach. We're looking at extending generated SAML v2 Message with additional xml tags such as ExtensionType with new attributes and elements. We've tried extending existing Data-SAMLMetadata-ExtensionsType class with additional properties which were added to the XML Stream rule. It's not working so far. Tracing the session doesn't help as no specific OOTB activity seems to be executed. Looks like all in java. Any idea to achieve this extension will be helpful. Which rule to update to add the extension ? Thanks, Kind Regards, Djibril Ndoye
To see attachments, please log in.
Pega Platform
Security

Accepted Solution

Posted: 5 years ago
Posted: 6 Mar 2019 6:52 EST
Djibril Ndoye (ndoyd)
PEGA
Innovation Technical Director
Pegasystems Inc.
FR

Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.

Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.

You need to use OpenSAML api to add the extension in the authrequest.

for POST binding signature is embedded inside authentication request.

Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.

samlutils.createAuthenticationRequest(myStepPage)

 

But for Redirect binding it works as signature is computed in generateRedirectURL method.

We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.

String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);

Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):

Show More

Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.

Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.

You need to use OpenSAML api to add the extension in the authrequest.

for POST binding signature is embedded inside authentication request.

Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.

samlutils.createAuthenticationRequest(myStepPage)

 

But for Redirect binding it works as signature is computed in generateRedirectURL method.

We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.

String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);

Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):

//SPECIFIC CODE  : Define Extensions xml tag
org.opensaml.saml2.common.Extensions extensions = new org.opensaml.saml2.common.impl.ExtensionsBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "Extensions", "samlp");
        org.opensaml.xml.schema.XSAny securityLevel = new org.opensaml.xml.schema.impl.XSAnyBuilder().buildObject(new javax.xml.namespace.QName("http://mynamespaceurl", "SecurityLevel","dacs"));
        extensions.getUnknownXMLObjects().add(securityLevel);
        securityLevel.setTextContent("0");

org.opensaml.saml2.core.AuthnRequest authnRequest = samlutils.createAuthenticationRequest(myStepPage);
    authnRequest.setExtensions(extensions);
        requestMessage = samlutils.getSAMLObjectASString( authnRequest);
        if(oLog.isDebugEnabled())
            oLog.debug("Generated authentication request : " + requestMessage);            
    }
} catch(Exception e) {    
    errorMessage = e.getMessage();
    tools.putParamValue("ErrorMessage", errorMessage);
    nextBlock = "ERR";
}


Show Less
To see attachments, please log in.
Posted: 6 years ago
Posted: 14 Jan 2019 9:20 EST
Lukasz Guzik (guzil) Cloud Operations Engineer (III)
Pegasystems Inc.
PL

Hi,

Please take a look at the below documents, are describing the configuration for SSO SAML2 authentication:

And if you have properly configured SAML feature. Could you please send to us the error msg, logs which allow us to understand the issue that you have.

Thanks,
Lukasz

To see attachments, please log in.
Posted: 6 years ago
Posted: 14 Jan 2019 10:28 EST
Djibril Ndoye (ndoyd)
PEGA
Innovation Technical Director
Pegasystems Inc.
FR
Hi Lukasz, Thank you for your response.We are not facing any particular error in the logs. But we are not able to extend SAML 2.0 auto-generated token from the Authentication Service rule form. No way to find which code is executed even with Tracer. Extensions Type is a SAML 2.0 data type as per OASIS specification but it seems that there's no much documentation on how to extend generated token with tags in 7.4. Let me know if you may have an idea. Kind Regards,
To see attachments, please log in.
Posted: 6 years ago
Posted: 16 Jan 2019 1:49 EST
Divya Desala (desad1)
PEGA
Principal Software Engineer, Services Engineering
Pegasystems Inc.
IN

Hi

Data-SAMLMetadata-ExtensionsType class is available for extending SAML SP Metadata generated from the rule form.

But we are not able to extend SAML 2.0 auto-generated token from the Authentication Service rule form. No way to find which code is executed even with Tracer.

we are not generating any token from pega end.

Could you please elaborate the use case.

To see attachments, please log in.
Posted: 6 years ago
Posted: 16 Jan 2019 3:51 EST
Djibril Ndoye (ndoyd)
PEGA
Innovation Technical Director
Pegasystems Inc.
FR
Use case is pretty simple, we want to add an Extensions to SAML 2 token but we can't find where the code. We’ve tried exploring change on class Data-SAMLMetadata-ExtensionsType without success.
To see attachments, please log in.

Accepted Solution

Posted: 5 years ago
Posted: 6 Mar 2019 6:52 EST
Djibril Ndoye (ndoyd)
PEGA
Innovation Technical Director
Pegasystems Inc.
FR

Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.

Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.

You need to use OpenSAML api to add the extension in the authrequest.

for POST binding signature is embedded inside authentication request.

Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.

samlutils.createAuthenticationRequest(myStepPage)

 

But for Redirect binding it works as signature is computed in generateRedirectURL method.

We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.

String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);

Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):

Show More

Adding extensions to SAML2 is not supported OOTB in 7.4 using authentication service.

Only way to achieve this requirement was to change the java code in the OOTB pySAMLWebSSOAuthenticationActivity in Step 13.

You need to use OpenSAML api to add the extension in the authrequest.

for POST binding signature is embedded inside authentication request.

Adding extensions the authrequest bean object may fail as signature is computed in createAuthenticationRequest method itself.

samlutils.createAuthenticationRequest(myStepPage)

 

But for Redirect binding it works as signature is computed in generateRedirectURL method.

We can get the authrequest bean object returned from createAuthenticationRequest method and add extensions after that calling generateRedirectURL method should help.

String redirectURL = samlutils.generateRedirectURL(endPointURL,samlutils.createAuthenticationRequest(myStepPage),myStepPage,relaystateID);

Below sample code used to achieve this requirement by updating step 13 of the activity pySAMLWebSSOAuthenticationActivity (Pega 7.4):

//SPECIFIC CODE  : Define Extensions xml tag
org.opensaml.saml2.common.Extensions extensions = new org.opensaml.saml2.common.impl.ExtensionsBuilder().buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "Extensions", "samlp");
        org.opensaml.xml.schema.XSAny securityLevel = new org.opensaml.xml.schema.impl.XSAnyBuilder().buildObject(new javax.xml.namespace.QName("http://mynamespaceurl", "SecurityLevel","dacs"));
        extensions.getUnknownXMLObjects().add(securityLevel);
        securityLevel.setTextContent("0");

org.opensaml.saml2.core.AuthnRequest authnRequest = samlutils.createAuthenticationRequest(myStepPage);
    authnRequest.setExtensions(extensions);
        requestMessage = samlutils.getSAMLObjectASString( authnRequest);
        if(oLog.isDebugEnabled())
            oLog.debug("Generated authentication request : " + requestMessage);            
    }
} catch(Exception e) {    
    errorMessage = e.getMessage();
    tools.putParamValue("ErrorMessage", errorMessage);
    nextBlock = "ERR";
}


Show Less
To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice