We have a requirement where we have to prompt user for user ID and password during submission of a case. In the current landscape, the Identity provider is only allowing SAML endpoints to validate the user ID credentials.
the challenge is that, the user is already authenticated via sso using SAML. Bt to re-validate the user credentials, SAML cannot be invoked out of the box.
We would like to know if there are any capabilities within PEGA that would help in calling this SAML URL again to validate the user ID and password without interfering with the current user session.
We were exploring if the connect-rest/HTTP can be used but not able to send success request. If anyone has implemented this or has any idea on how the SAML request can be sent on demand without impacting the user session would be great.
***Edited by Moderator Marissa to update Support Case Details***
This won’t be possible with our OTB SAML as that is ment to grant access to the application and only triggered when a user is not authenticated.
You also won’t be able to back channel this with a REST call as the IDP needs to identify the user and a SAML Request doesn’t contain information about the user, it’s the IDP’s job to identify the user not he SP to provide information about the user.
You might get further with a IDP initiated request that the IDP knows to trigger authentication with again. However, with both SP or IDP initiated requests you still have to handle the SAMLResponse, should still be using an AssertionConsumerService, have to prevent replay attacks etc. This is not a good fit for this.
The IDP is connected to a user store. If might be simpler if you used something like secure LDAPS against that same user store for validating the user credentials in this part of the flow. The underlying usage of SAML it’s really setup for this.
Posted: 2 years ago
Posted: 1 Mar 2021 6:08 EST
Angel Hermira (Angel Hermira)
Principal Product Manager, Robotics
@JoydeepD4559 , I think what you need is an OAuth service exposed by the IdP. You can call that service to get a token based on valid user and password. If the response is good you proceed with the transaction and reject it otherwise.