Question
Pegasystems Inc.
JP
Last activity: 19 Jun 2020 10:16 EDT
How to get value in HTTP Header for Single Sign On
Hi,
I am trying to implement integration with WebSeal SSO in Pega 7.2. Although we may face many WebSeal-specific issues later, at this point I am trying to figure out something SSO-generic. I would like to simply get a value which is being sent over from SSO in the HTTP Header. The actual message is:
15:08:48.231416425 Proprietary information hidden Proprietary information hidden 35014555253835653320 39389 8192 PUSH | ACK GET /prweb/WebSealServlet/jgCtzSLC0ErkB66VLLKO0h6C6-9u0Xb4*/!STANDARD
HTTP/1.1..accept: text/html, application/xhtml+xml,*/*..accept-language: ja-JP..host: cbkvn153:8192..iv-user:X0000009..user-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;Trident/5.0)..via: HTTP/1.1parpdw12.aaaregression.myco.jp:443..iv_server_name:7-webseald-parpdw12..Cookie:Pega-RULES={atn}e3ByfXR4L3RpTno0OGhpdVNzbVhLMkdUY0xlbjd2eUVjL2lIR0FyZ05va2RsbTVoYjVwYVJCb0JJSFE3dmxCN0s1N0dGM3FJSERvci9tVkQKT1M1cmh2dFg2dz09;JSESSIONID=AllWSYzqETvK58eRvANVcajRN71tXuvvKbLfCpkUSodcN6keCC88!1080822193....
"iv-user" is the key name and "X0000009" is the actual value for ID. I found a PDN article and I guess I should be doing something like this in my custom activity https://pdn.pega.com/how-configure-sign-using-ibm-webseal-and-tivoli-access-manager
Hi,
I am trying to implement integration with WebSeal SSO in Pega 7.2. Although we may face many WebSeal-specific issues later, at this point I am trying to figure out something SSO-generic. I would like to simply get a value which is being sent over from SSO in the HTTP Header. The actual message is:
15:08:48.231416425 Proprietary information hidden Proprietary information hidden 35014555253835653320 39389 8192 PUSH | ACK GET /prweb/WebSealServlet/jgCtzSLC0ErkB66VLLKO0h6C6-9u0Xb4*/!STANDARD
HTTP/1.1..accept: text/html, application/xhtml+xml,*/*..accept-language: ja-JP..host: cbkvn153:8192..iv-user:X0000009..user-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;Trident/5.0)..via: HTTP/1.1parpdw12.aaaregression.myco.jp:443..iv_server_name:7-webseald-parpdw12..Cookie:Pega-RULES={atn}e3ByfXR4L3RpTno0OGhpdVNzbVhLMkdUY0xlbjd2eUVjL2lIR0FyZ05va2RsbTVoYjVwYVJCb0JJSFE3dmxCN0s1N0dGM3FJSERvci9tVkQKT1M1cmh2dFg2dz09;JSESSIONID=AllWSYzqETvK58eRvANVcajRN71tXuvvKbLfCpkUSodcN6keCC88!1080822193....
"iv-user" is the key name and "X0000009" is the actual value for ID. I found a PDN article and I guess I should be doing something like this in my custom activity https://pdn.pega.com/how-configure-sign-using-ibm-webseal-and-tivoli-access-manager
javax.servlet.http.HttpServletRequest req = (javax.servlet.http.HttpServletRequest)tools.getRequestor().getRequestorPage().getProperty("pxHTTPServletRequest").getObjectValue();
UserIdentifier = req.getHeader("iv-user");
But I am not quite sure if this is right way (this article is old and this activity is PRExternal base which is already deprecated) or do I need to do differently. I wanted to check with someone who has done it with 7.x. Please see the excel file (WebSealSSOWithPega7.2.xlsx) attached for the details.
Thanks,
Kensho
Accepted Solution
Pegasystems Inc.
US
Hi Kensho,
There are a couple of ways you can do what you want:
Use Fail Stream:
- When you want to display your "Not Authorized Screen" set param.pyChallenge to @java("PRAUthentication.DEFAULT_FAIL_STREAM")
- In you AuthService record on the Custom tab there is a Authentication Fail stream field, here add your reference to AppAuthenticationFailure stream
Use Show-HTML in your login Activity
- To use a Show-HTML step in your login activity you need to set param.pyChallenge to @java("PRAuthentication.GENERATED_CHALLENGE_STREAM") before the Show-HTML step. This avoids the "no failure response set by custom authentication activity" error.
Look at Chapter 7 in this document: https://pdn.pega.com/documents/authentication-pegarules-process-commander-v53
This might seem like old documentation but it has simply not changed since then. (Just ignore Chapter 6 as an SSODriverServlet is not needed at anytime)
Pegasystems Inc.
US
The essence is still accurate for the article you mentioned. Out of curiosity, have you considered OOTB SAML/webSSO? This article has good account how the authentication works in pega (it is old, but most content still applies).
Updated: 27 Apr 2016 11:04 EDT
Pegasystems Inc.
US
Hi Kensho,
You are on the correct track. I test a lot with WebSEAL. (Although recently forgot my sec_master password ...ouch)
What I use is a Java step in the activity to handle errors better. You can use a simple property-set step to set a local variable.
Below is what I use but modified a bit for this post:
-----------
/* get servlet request façade - This is only available during authentication */
javax.servlet.http.HttpServletRequest request =
(javax.servlet.http.HttpServletRequest)tools.getRequestor().getRequestorPage().getObject("pxHTTPServletRequest");
//debug - output to logfile all incoming headers as WebSEAL will add headers when it proxies so you wont see these with client side utilities like Fiddler etc
/*
java.util.Enumeration e = request.getHeaderNames();
String header = null;
while (e.hasMoreElements()) {
header = (String) e.nextElement();
oLog.infoForced(header + ": " + request.getHeader(header));
}
*/
if (request != null)
{
userIdentifierWebSEAL = request.getHeader("iv-user");
//oLog.infoForced("iv-user: " + userIdentifierPega);
if (userIdentifierPega == null){
Hi Kensho,
You are on the correct track. I test a lot with WebSEAL. (Although recently forgot my sec_master password ...ouch)
What I use is a Java step in the activity to handle errors better. You can use a simple property-set step to set a local variable.
Below is what I use but modified a bit for this post:
-----------
/* get servlet request façade - This is only available during authentication */
javax.servlet.http.HttpServletRequest request =
(javax.servlet.http.HttpServletRequest)tools.getRequestor().getRequestorPage().getObject("pxHTTPServletRequest");
//debug - output to logfile all incoming headers as WebSEAL will add headers when it proxies so you wont see these with client side utilities like Fiddler etc
/*
java.util.Enumeration e = request.getHeaderNames();
String header = null;
while (e.hasMoreElements()) {
header = (String) e.nextElement();
oLog.infoForced(header + ": " + request.getHeader(header));
}
*/
if (request != null)
{
userIdentifierWebSEAL = request.getHeader("iv-user");
//oLog.infoForced("iv-user: " + userIdentifierPega);
if (userIdentifierPega == null){
oLog.error("Authentication can not complete: missing iv-user header");
errorMessage = "Authentication failed";
nextBlock = "ERR";
}
}
else {
//Should never happen but I work in support..
oLog.error("Authentication can not complete: no request facade object");
errorMessage = "Authentication failed";
nextBlock = "ERR";
}
---------
UserIdentifierWebSEAL and errorMessage are Local String variables defined on the parameters tab.
Updated: 28 Apr 2016 6:38 EDT
Pegasystems Inc.
JP
Hi Chris, Kevin,
Thanks for sharing the info. I was able to get "iv-user" in the HTTP header.
In my later step, Obj-Open by local.User retrieves Operator ID instance and it let the user log in. Everything worked fine. One more thing I need to build is to show static "not authorized screen" for users who are not in PRPC database table. Requirement is, if ID, sent over from SSO, does not exist in PRPC Operator table, then it should NOT let user log in. No need to dynamically create ID on the fly.
In my activity, which is overriden from Code-Security.AuthenticationLDAP, there is a step "SH", where it Property-Set param.pyChallenge = @java("PRAuthentication.DEFAULT_CHALLENGE"). This will bring up log in screen. However this is not what we want. There are no ways to synchorinze the password in PRPC and SSO in our system, so we just simply want to show some static screen that says "you are not authorized for PRPC". In order to make it, I removed this Property-Set in "SH" step and inserted Show-HTML (HTMLStream: AppAuthenticationFailure). So, my intent was, if Obj-Open by passed ID gets no instances, it jumps to "SH" step, and it shows this HTML. However, I am getting ERROR - com.pega.pegarules.pub.PRRuntimeException: No failure response set by custom authentication activity
Hi Chris, Kevin,
Thanks for sharing the info. I was able to get "iv-user" in the HTTP header.
In my later step, Obj-Open by local.User retrieves Operator ID instance and it let the user log in. Everything worked fine. One more thing I need to build is to show static "not authorized screen" for users who are not in PRPC database table. Requirement is, if ID, sent over from SSO, does not exist in PRPC Operator table, then it should NOT let user log in. No need to dynamically create ID on the fly.
In my activity, which is overriden from Code-Security.AuthenticationLDAP, there is a step "SH", where it Property-Set param.pyChallenge = @java("PRAuthentication.DEFAULT_CHALLENGE"). This will bring up log in screen. However this is not what we want. There are no ways to synchorinze the password in PRPC and SSO in our system, so we just simply want to show some static screen that says "you are not authorized for PRPC". In order to make it, I removed this Property-Set in "SH" step and inserted Show-HTML (HTMLStream: AppAuthenticationFailure). So, my intent was, if Obj-Open by passed ID gets no instances, it jumps to "SH" step, and it shows this HTML. However, I am getting ERROR - com.pega.pegarules.pub.PRRuntimeException: No failure response set by custom authentication activity
According to my research, it seems to be happening because I am not setting anything in local.errorMessage or param.pyFailMessage. So I tried to set some random String in both local.errorMessage and param.pyFailMessage before Show-HTML but the result was the same.
Re: while log-in using LDAP authentication service log-in url we are getting error
What exactly should I do to avoid this "No failure response set by custom authentication activity"?
Thanks,
Kensho
Accepted Solution
Pegasystems Inc.
US
Hi Kensho,
There are a couple of ways you can do what you want:
Use Fail Stream:
- When you want to display your "Not Authorized Screen" set param.pyChallenge to @java("PRAUthentication.DEFAULT_FAIL_STREAM")
- In you AuthService record on the Custom tab there is a Authentication Fail stream field, here add your reference to AppAuthenticationFailure stream
Use Show-HTML in your login Activity
- To use a Show-HTML step in your login activity you need to set param.pyChallenge to @java("PRAuthentication.GENERATED_CHALLENGE_STREAM") before the Show-HTML step. This avoids the "no failure response set by custom authentication activity" error.
Look at Chapter 7 in this document: https://pdn.pega.com/documents/authentication-pegarules-process-commander-v53
This might seem like old documentation but it has simply not changed since then. (Just ignore Chapter 6 as an SSODriverServlet is not needed at anytime)
Pegasystems Inc.
JP
Hi Chris,
Thanks for the info. I was able to show my custom "Not authorized screen" HTML rule using Fai Stream.
I have documented and attached what I did for SSO integration and packaged R-A-P to share the info. Hope this helps some other people who may experience the similar issue.
Thanks,
Kensho