Question
JP Morgan Chase & Company
US
Last activity: 10 Apr 2020 18:14 EDT
Fail the Requestor during SAML Authentication
Hi,
My requirement is to fail the authentication for the user who doesnt qualify few requirements. I am handling this in OOTB SAML Post Authentication activity. I used below code to stop the authentication but looks like its not working.
Any idea on how to fix it?
Code: tools.getRequestor().getRequestorPage().putString("pyAuthenticationPolicyResult", "false");
Accepted Solution
Updated: 10 Apr 2020 18:14 EDT
Pegasystems Inc.
IN
Did you try not setting pyOperPage param in this specific scenario and show error response using an HTML rule ?
Thanks,
Santhosh
Pegasystems Inc.
US
It's difficult to know what's wrong without seeing more of the logic in your activity. Things you could try:
- Use tracer from another session to observe behavior
- Write debug statements to the log from your activity
- Examine the clipboard after login occurs and examine the value of the property pxRequestor.pyAuthenticationPolicyResult. It should be 'true' since login succeeded.
JP Morgan Chase & Company
US
Hi @SOLOM Thanks for the response. I dont see the property .pyAuthenticationPolicyResult on pxRequestor clipboard page under System Pages. I also did a search on property instances and dont see this property in the system. Not sure why? Does it have anything to do with the Pega version we are in.
Pegasystems Inc.
US
The property is not defined in the system, so you won't find it. But that should not prevent this from working. The fact the property is not on the pxRequestor page indicates to me that the logic in your activity is such that the line where this is set to false is not being executed. Do you have another line that sets the value to true, which should cause it to appear on the page?
I suggest using debug statement to help you determine how the logic is flowing in your activity.
JP Morgan Chase & Company
US
Thank you @SOLOM . I see the property is set to false now. I was actually looking at px instead of py on the pxRequestor page. Now that pyAuthenticationPolicyResult is "false", do you know why system is letting the user login?
Do we need to call HTML rule (Web-Authentication-Failure) after setting this value to false.
Pegasystems Inc.
US
Is your authentication service type SAML 2.0? If not, what type it is?
If it is SAML 2.0, have you added a reference to this activity in the Post-authentication activity field, under Advanced configuration settings, on the authentication service form?
JP Morgan Chase & Company
US
Yes, Auth service type is SAML 2.0 and we added pySAMLWebSSOAuthenticationActivity as post-authentication activity under Advanced configuration settings in Auth service form.
I am setting pyAuthenticationPolicyResult to "false" after calling the activity "pyEstablishOperatorContext" by default just to check if the authentication fails. But I am able to login properly while the pyAuthenticationPolicyResult to "false" in clipboard.
Pegasystems Inc.
US
You should not be calling pyEstablishOperatorContext. Remove that and see if it makes a difference. If not, you may need to share more details about your activity.
JP Morgan Chase & Company
US
May I know why we shouldnt call pyEstablishOperatorContext? I thought thats the place where we check if the operator is in system or create an operator on the fly.
Tried commenting out the step to call pyEstablishOperatorContext. But it is failing to login with "pxErrorMessage= Invalid Division for Operator".
Our post authentication activity is just a save as of OOTB activity "pySAMLWebSSOAuthenticationactivity"
Pegasystems Inc.
US
That is necessary only for older style external/custom type authentication services. For the newer types like SAML 2.0, OpenID connect, Basic credentials, Token credentials and Anonymous (aka PRAuth based authentication services) it is not necessary. What version of Pega platform are you on, and what is the servlet name you are using for SAML SSO?
Pegasystems Inc.
US
That explains it then. 7.1.9 does not support the setting of pyAuthenticationPolicyResult to terminate the authentication process. That was added in Pega 8.1.
JP Morgan Chase & Company
US
@SOLOM Thanks for letting me know. Do you recommend any other solution that we can use in Pega 7.1.9 to terminate authentication process. I can think of OOTB HTML rule "Web-authentication-failure" as one option.
Accepted Solution
Updated: 10 Apr 2020 18:14 EDT
Pegasystems Inc.
IN
Did you try not setting pyOperPage param in this specific scenario and show error response using an HTML rule ?
Thanks,
Santhosh