Last activity: 10 Apr 2020 18:14 EDT
Fail the Requestor during SAML Authentication
My requirement is to fail the authentication for a user who doesn't meet a few requirements. I am handling this in the OOTB SAML Post Authentication activity. I used the code below to stop the authentication, but it looks like it's not working.
Any idea on how to fix it?
Code: tools.getRequestor().getRequestorPage().putString("pyAuthenticationPolicyResult", "false");
It's difficult to know what's wrong without seeing more of the logic in your activity. Things you could try:
- Use tracer from another session to observe behavior
- Write debug statements to the log from your activity
- Examine the clipboard after login occurs and examine the value of the property pxRequestor.pyAuthenticationPolicyResult. It should be 'true' since login succeeded.
Hi @SOLOM, thanks for the response. I don't see the property .pyAuthenticationPolicyResult on the pxRequestor clipboard page under System Pages. I also did a search on property instances and don't see this property in the system. Not sure why. Does it have anything to do with the Pega version we are on?
The property is not defined in the system, so you won't find it. But that should not prevent this from working. The fact the property is not on the pxRequestor page indicates to me that the logic in your activity is such that the line where this is set to false is not being executed. Do you have another line that sets the value to true, which should cause it to appear on the page?
I suggest using debug statements to help you determine how the logic is flowing in your activity.
Thank you @SOLOM. I see the property is set to false now. I was actually looking at px instead of py on the pxRequestor page. Now that pyAuthenticationPolicyResult is "false", do you know why the system is letting the user log in?
Do we need to call the HTML rule (Web-Authentication-Failure) after setting this value to false?
Is your authentication service type SAML 2.0? If not, what type is it?
If it is SAML 2.0, have you added a reference to this activity in the Post-authentication activity field, under Advanced configuration settings, on the authentication service form?
Yes, Auth service type is SAML 2.0 and we added pySAMLWebSSOAuthenticationActivity as post-authentication activity under Advanced configuration settings in Auth service form.
I am setting pyAuthenticationPolicyResult to "false" after calling the activity "pyEstablishOperatorContext" by default, just to check whether the authentication fails. But I am able to log in properly while pyAuthenticationPolicyResult is "false" on the clipboard.
You should not be calling pyEstablishOperatorContext. Remove that and see if it makes a difference. If not, you may need to share more details about your activity.
May I know why we shouldn't call pyEstablishOperatorContext? I thought that's the place where we check whether the operator is in the system, or create an operator on the fly.
Tried commenting out the step that calls pyEstablishOperatorContext. But it is failing to log in with "pxErrorMessage= Invalid Division for Operator".
Our post-authentication activity is just a save-as of the OOTB activity "pySAMLWebSSOAuthenticationactivity".
That is necessary only for older-style external/custom type authentication services. For the newer types like SAML 2.0, OpenID Connect, Basic credentials, Token credentials and Anonymous (aka PRAuth-based authentication services) it is not necessary. What version of the Pega platform are you on, and what is the servlet name you are using for SAML SSO?
@SOLOM We are on Pega 7.1.9 and the servlet name is "sso".
That explains it then. 7.1.9 does not support the setting of pyAuthenticationPolicyResult to terminate the authentication process. That was added in Pega 8.1.
@SOLOM Thanks for letting me know. Do you recommend any other solution that we can use in Pega 7.1.9 to terminate the authentication process? I can think of the OOTB HTML rule "Web-authentication-failure" as one option.
Updated: 10 Apr 2020 18:14 EDT
Did you try not setting the pyOperPage param in this specific scenario and showing an error response using an HTML rule?
Got it. Thank you. I will try that.