Question
Cognizant Technology Solutions India Ltd.
ES
Last activity: 17 Jul 2017 16:38 EDT
How can we route a user directly to a specific work object?
All users are authenticated and DWA is not in scope.
The link will be there in correspondence generated by work object.
When user clicks on the link after authentication it should take user directly to the assignment.
***Updated by moderator: Marissa to close post***
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Accepted Solution
Pegasystems Inc.
US
Okay, time for the solution. (I tested this in 7.1.7 but it will work in 7.1.5)
Couple of things you need to know before you start this:
1) What Login Screen are you using
In your login activity you should see a step like this.
This will load the challenge stream defined in your AuthService in the custom tab in the "Credential Challenge Stream".
If blank, like above, it's using Web-Login. (You are probably using Web-Login or a customized version of it as it's always expected it will be modified for application/company branding)
2) The ruleset, available to unauthenticated users, you can make changes in.
You need to have a ruleset available to users before they are authenticated to save changes into.
Okay, time for the solution. (I tested this in 7.1.7 but it will work in 7.1.5)
Couple of things you need to know before you start this:
1) What Login Screen are you using
In your login activity you should see a step like this.
This will load the challenge stream defined in your AuthService in the custom tab in the "Credential Challenge Stream".
If blank, like above, it's using Web-Login. (You are probably using Web-Login or a customized version of it as it's always expected it will be modified for application/company branding)
2) The ruleset, available to unauthenticated users, you can make changes in.
You need to have a ruleset available to users before they are authenticated to save changes into.
You probably have this setup already. Check your Data-Admin-Requestor <SystemName>.Browser instance,, SysAdmin->Requestor Type, and make sure it contains an AccessGroup that provides access to a ruleset used for SSO customizations. This is the AccessGroup used prior to authentication, not the AccessGroup the user will use once authenticated.
My Example:
So this AccessGroup is references a product called SSOAuth that has one ruleset SSOAuth. (I don't give unauthenticated users access to a full application)
My Solution:
1) Copy Web-Login or your current Login HTML if you have already have something custom. (If you have upgraded from a older PRPC version you may want to start with Web-Login)
I called mine WebLoginSSOSnapStart
2) Find the HTML form, will look like this:
<pega:choose>
<pega:when test="DisableAutoComplete" >
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="off" >
</pega:when>
<pega:otherwise>
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" novalidate="novalidate" target="_top" >
</pega:otherwise>
</pega:choose>
3) Change to:
<%
String actionURL = tools.findPage("pxThread").getString("pxReqURI");
String SSOSnapStartQuery = tools.findPage("pxThread").getString("SSOSnapStartQuery");
if (SSOSnapStartQuery != null && SSOSnapStartQuery.length() > 0) {
actionURL += "?" + SSOSnapStartQuery;
}
tools.putParamValue("actionURL", com.pega.pegarules.pub.util.StringUtils.urlCrossScriptingFilter(actionURL));
%>
<pega:choose>
<pega:when test="DisableAutoComplete" >
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="param.actionURL" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="off" >
</pega:when>
<pega:otherwise>
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="param.actionURL" mode="normal" />" novalidate="novalidate" target="_top" >
</pega:otherwise>
</pega:choose>
4) Update your Login activity:
In the pages and class add page pxThread with class reference of Code-Pega-Thread.
Now you need to get the pyQueryString to the clipboard so it can be displayed in the login HTML:
Note: When you add the Property-Set step for "SSOSnapStartQuery" on page pxThread add the property at the same time in the same ruleset the activity is in.
Add the pre step condition as so:
We only want to set SSOSnapStartQuery property if pyQueryString has a value and if SSOSnapStartQuery has not already been set.
5) Update you Data-Admin-AuthService to reference to new HTML screen.
Next Steps:
I realize this is not exactly that easy . I usually I do this type of work on a screen share and explain as I go. If you have problems we can do a screen share.
BNY Mellon
US
You're familiar with the AssignmentLink, right?
https://community.pega.com/sites/default/files/help_v71/procomhelpmain.htm
Pegasystems
US
Can you please post pseudo-links here to show the links you are attempting to use ?
NOTE: By "pseudo-link" I mean replace any specific system names or passwords by descriptive placeholders in the post. Thanks. /Eric
Updated: 2 Jun 2015 12:15 EDT
Cognizant Technology Solutions India Ltd.
ES
Servlet---Works
LDAP---Doesn't work
Pegasystems Inc.
US
The PRWebLDAP1 Servlet is mapped to a PRCustom style AuthService and that is the best approach for what you are doing.
Do you display the login screen in your authentication activity? This is probably the same Servlet users use to access the system for standard usage so I would think so. If you see a PRPC style login screen right after clicking the link then the answer is yes. When you test with just PRServlet is the prompt for authentication in the form of a Basic Authentication popup?
What you want to happen is the following:
1) Request reaches PRPC, no Pega-RULES cookie - authentication triggered. (pyActivity=Assing-Worklist..MyProcessAssignment...)
2) Authentication activity fired - Determines no username or password present in request and displays login page
3) User enters credentials - Submit
4) Request reaches PRPC, Pega-RULES cookie is preauthenication cookie - authentication triggered
5) Authentication activity fired - Determines that username and password are present and authentication continues into LDAP processing.
6) LDAP authentication completed successfully - operator page returned from authentication activity.
7) Original action should be fired. (pyActivity=Assing-Worklist..MyProcessAssignment...)
I bet what is happening is that when the login page is being displayed the orginal query string is not being added to the HTML form for the login page, so something like:
The PRWebLDAP1 Servlet is mapped to a PRCustom style AuthService and that is the best approach for what you are doing.
Do you display the login screen in your authentication activity? This is probably the same Servlet users use to access the system for standard usage so I would think so. If you see a PRPC style login screen right after clicking the link then the answer is yes. When you test with just PRServlet is the prompt for authentication in the form of a Basic Authentication popup?
What you want to happen is the following:
1) Request reaches PRPC, no Pega-RULES cookie - authentication triggered. (pyActivity=Assing-Worklist..MyProcessAssignment...)
2) Authentication activity fired - Determines no username or password present in request and displays login page
3) User enters credentials - Submit
4) Request reaches PRPC, Pega-RULES cookie is preauthenication cookie - authentication triggered
5) Authentication activity fired - Determines that username and password are present and authentication continues into LDAP processing.
6) LDAP authentication completed successfully - operator page returned from authentication activity.
7) Original action should be fired. (pyActivity=Assing-Worklist..MyProcessAssignment...)
I bet what is happening is that when the login page is being displayed the orginal query string is not being added to the HTML form for the login page, so something like:
<form name="main" method="post" action="/prweb/PRWebLDAP1/A5ikzsG0BTMHfVeE1djqyfuZL6DnSwYp*/!STANDARD" />
When the user hits submit authentication will be completed here and this URL in the form, because it contains no pyActivity or pyStream parameter, will default to showing the users home portal as defined in their AccessGroup.
You need it to be:
<form name="main" method="post" action="/prweb/PRWebLDAP1/A5ikzsG0BTMHfVeE1djqyfuZL6DnSwYp*/!STANDARD?pyActivity=Assign-WorkList.MyProcessAssignment&.." />
This is easy to correct. Before I go further though does this sound like I am on the right track here?
Cognizant Technology Solutions India Ltd.
ES
Hi Chris,
Thanks for the explanation. Yes when PRServlet is used regular HTTP pop up appears in the screen but no login screen. Once user put the user id and password it redirects him to WO bypassing . But in PRWebLDAP1 it doesn't show the popup instead it shows the login screen. If user logs in it shows the default dashboard.
Cognizant Technology Solutions India Ltd.
ES
Also to add some information i checked pxRequestor.pyHTTPRequestHeaders.pyReferer it is the same before and after the authentication. I woinder where and why this url is lost. Any ideas?
Thanks in advance.
Pegasystems Inc.
US
With PRCustom style authentication the login activity will be passed a pyQueryString parameter from the engine level. What we need to do here is make sure the pyQueryString is appended properly, when present, to the Login screen HTML form action attribute when displayed.
What version of PRPC are you using?
Accepted Solution
Pegasystems Inc.
US
Okay, time for the solution. (I tested this in 7.1.7 but it will work in 7.1.5)
Couple of things you need to know before you start this:
1) What Login Screen are you using
In your login activity you should see a step like this.
This will load the challenge stream defined in your AuthService in the custom tab in the "Credential Challenge Stream".
If blank, like above, it's using Web-Login. (You are probably using Web-Login or a customized version of it as it's always expected it will be modified for application/company branding)
2) The ruleset, available to unauthenticated users, you can make changes in.
You need to have a ruleset available to users before they are authenticated to save changes into.
Okay, time for the solution. (I tested this in 7.1.7 but it will work in 7.1.5)
Couple of things you need to know before you start this:
1) What Login Screen are you using
In your login activity you should see a step like this.
This will load the challenge stream defined in your AuthService in the custom tab in the "Credential Challenge Stream".
If blank, like above, it's using Web-Login. (You are probably using Web-Login or a customized version of it as it's always expected it will be modified for application/company branding)
2) The ruleset, available to unauthenticated users, you can make changes in.
You need to have a ruleset available to users before they are authenticated to save changes into.
You probably have this setup already. Check your Data-Admin-Requestor <SystemName>.Browser instance,, SysAdmin->Requestor Type, and make sure it contains an AccessGroup that provides access to a ruleset used for SSO customizations. This is the AccessGroup used prior to authentication, not the AccessGroup the user will use once authenticated.
My Example:
So this AccessGroup is references a product called SSOAuth that has one ruleset SSOAuth. (I don't give unauthenticated users access to a full application)
My Solution:
1) Copy Web-Login or your current Login HTML if you have already have something custom. (If you have upgraded from a older PRPC version you may want to start with Web-Login)
I called mine WebLoginSSOSnapStart
2) Find the HTML form, will look like this:
<pega:choose>
<pega:when test="DisableAutoComplete" >
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="off" >
</pega:when>
<pega:otherwise>
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="pxThread.pxReqURI" mode="normal" />" novalidate="novalidate" target="_top" >
</pega:otherwise>
</pega:choose>
3) Change to:
<%
String actionURL = tools.findPage("pxThread").getString("pxReqURI");
String SSOSnapStartQuery = tools.findPage("pxThread").getString("SSOSnapStartQuery");
if (SSOSnapStartQuery != null && SSOSnapStartQuery.length() > 0) {
actionURL += "?" + SSOSnapStartQuery;
}
tools.putParamValue("actionURL", com.pega.pegarules.pub.util.StringUtils.urlCrossScriptingFilter(actionURL));
%>
<pega:choose>
<pega:when test="DisableAutoComplete" >
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="param.actionURL" mode="normal" />" target="_top" novalidate="novalidate" autocomplete="off" >
</pega:when>
<pega:otherwise>
<form name="main" method="post" onSubmit="return sendLoginRequestForm(event);" action="<pega:reference name="param.actionURL" mode="normal" />" novalidate="novalidate" target="_top" >
</pega:otherwise>
</pega:choose>
4) Update your Login activity:
In the pages and class add page pxThread with class reference of Code-Pega-Thread.
Now you need to get the pyQueryString to the clipboard so it can be displayed in the login HTML:
Note: When you add the Property-Set step for "SSOSnapStartQuery" on page pxThread add the property at the same time in the same ruleset the activity is in.
Add the pre step condition as so:
We only want to set SSOSnapStartQuery property if pyQueryString has a value and if SSOSnapStartQuery has not already been set.
5) Update you Data-Admin-AuthService to reference to new HTML screen.
Next Steps:
I realize this is not exactly that easy . I usually I do this type of work on a screen share and explain as I go. If you have problems we can do a screen share.
Cognizant Technology Solutions India Ltd.
ES
Hi Chris,
The answer looks promising. Thank you. It will be better to share the screen and do it together if possible. Please let me know a time i will schedule a webex session for the same.
Pegasystems Inc.
US
Hello Tarini/Chris,
If a screen share is required we will need to create a SR to track this effort.
Tarini,
Please let me know if this action will be required.
Chris,
Please let me know if the SR can be assigned directly to you.
Cognizant Technology Solutions India Ltd.
ES
Hi Kip,
We have already one SR open for this as below. Please let me if any.
SR-128555 "Direct Link to Case opens dashboard, not work object"
BNY Mellon
US
At minimum, maybe just extract Chris's answer into a document?
And maybe title the document (if not the question thread here) to be more precise: Supporting Deep Links with Custom Authentication Schemes.
Cognizant Technology Solutions India Ltd.
ES
Hi Marc,
Sorry but recording the session for Pega user community is not allowed according to customer .
Pegasystems Inc.
US
Hi Tarini,
I forgot this conversation originated from a SR. Let me think about how to proceed since it really is outside the scope of a SR.
Cognizant Technology Solutions India Ltd.
ES
Hi Jon,
Thanks for your quick response. We have implemented in the same way but the problem is it works PRServlet but not PRWebLDAP servlet . After the user is authenticated through LDAP service the system is not redirecting to the assignment ,instead it shows the default dashboard.
Pegasystems
US
I suggest you wait until after the experience of applying Chris's instructions to actual customer system, after which you publish the refined document according to what adjustments were needed to make it work on the customer's system. /Eric
Tech Mahindra
CA
Was there any progress made on this issue, currently we are running into same situation using SAML.
Our requirement is based on a specific attribute in the assertion token, we need to redirect to open a work object directly instead of default screen.
Tried,
param.pyChallenge @java("PRAuthentication.DEFAULT_REDIRECT_URL")
Show-HTML (RedirectURL , pySSORedirectRequest)
Any thoughts ??
Thanks
Naveen
This comment has been branched out as a new node and the new thread can be followed here
Pegasystems Inc.
IN
Hi Naveen,
Owning to the age of this current thread, we believe having a new post open would gain your query more visibility. Keeping this in mind, we have created a new post for you: How to route a user directly to a specific work object instead on default screen - we are using SAML
Please update this new post to continue troubleshooting!
Regards,