Skip to main content

Question

 Rakesh Vadlamuri (rvadlamuri)
AtoS
Lead System Architect
AtoS
GB
rvadlamuri Member since 2013 4 posts
AtoS
Posted: Aug 8, 2024
Last activity: Nov 6, 2024
Posted: 8 Aug 2024 9:12 EDT
Last activity: 6 Nov 2024 13:05 EST
Solved

Open ID Connect - Unable to derive claim for operator establishment

I am working on an open id integration and currently failing with the following error.

"Unable to execute OIDC flow : Unable to derive claim %22email%22 from id token for operator establishment"

Verified the JWT token returned and it has all the claims that i was expecting but still it is failing with this error. Not sure how to fix this.

 

Please find the logs for reference.

Show More

I am working on an open id integration and currently failing with the following error.

"Unable to execute OIDC flow : Unable to derive claim %22email%22 from id token for operator establishment"

Verified the JWT token returned and it has all the claims that i was expecting but still it is failing with this error. Not sure how to fix this.

 

Please find the logs for reference.

2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Initiating OIDC flow  
2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Constructing authorization URL for OIDC provider  
2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  -  reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth/app/default 
2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[0] = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[1] = default 
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantHash =  
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Constructed authorization URL for OIDC provider : https://amf-adfs.ciz.nl/adfs/oauth2/authorize/?redirect_uri=https%3A%2F%2Fdev.medewerker.ciz.nl%2Fprweb%2FPRAuth&client_id=3ceadb5c-481e-4e73-9347-96bff086f389&scope=openid email profile&state=0523b14fad4ce5a05a8e90f657eeea7174a8a3e6466a6b8b306ee38dab44ec75_app/default&nonce=f3cf5d1bbe1fd19049a158f8c68dba94bb28ba489f7603edb40af0f5236ae2b2&response_type=code 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantid hash = shared 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - authServiceName =  ADFS 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - mapKey = <<PRAuth: ADFSshared:PRAuth>> 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Creating new SchemePRAuth instance for ADFS 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service alias set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service type set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantid hash = shared 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - authServiceName =  ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - mapKey = <<PRAuth: ADFSshared:PRAuth>> 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Creating new SchemePRAuth instance for ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service alias set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service type set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,098 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  -  Printing auth service page <?xml version="1.0"?> 
 
<pagedata> 
<pyBindDN/> 
<pxUpdateSystemID>pega-dev</pxUpdateSystemID> 
<pyClassName/> 
<pxUpdateDateTime>20240807T160941.413 GMT</pxUpdateDateTime> 
<pyUseBasicAuthTimeout>false</pyUseBasicAuthTimeout> 
<pxMoveImportOperName/> 
<pyLoginURL>https://dev.medewerker.ciz.nl/prweb/PRAuth/ADFS</pyLoginURL> 
<pyUseSSL>false</pyUseSSL> 
<pyRedirectURL/> 
<pySSLProtocol>SSL</pySSLProtocol> 
<pyUsage>Used in  Care Provider portal Login</pyUsage> 
<pxInstanceCreatedVersion>7.4</pxInstanceCreatedVersion> 
<pyModelOperator>"ModalOperatorCIZ"</pyModelOperator> 
<pyUsePegaCredentials>false</pyUsePegaCredentials> 
<pyTimeoutStream/> 
<pyPreAuthenticationActivity/> 
<pxCreateDateTime>20240807T103340.189 GMT</pxCreateDateTime> 
<pyEnableAuthService>true</pyEnableAuthService> 
<pyUseTimeoutWarningDialog/> 
<pyRuleSet/> 
<pyChallengeStream/> 
<pyBindPW/> 
<pyTrustStore/> 
<pyPreLoginScreenImage/> 
<pxInsName>ADFS</pxInsName> 
<pxSaveDateTime>20240807T160941.417 GMT</pxSaveDateTime> 
<pyFormPost/> 
<pyIsTagged>true</pyIsTagged> 
<pyPostAuthenticationActivity/> 
<pyTimeoutWarning/> 
<pzInsKey>DATA-ADMIN-AUTHSERVICE ADFS</pzInsKey> 
<pyInitialContextFactory/> 
<pyTemplate/> 
<pyOperatorDataTransform/> 
<pyFailStream/> 
<pyUseBasicAuthChallenge>false</pyUseBasicAuthChallenge> 
<pyProviderURL/> 
<pyAuthServiceAlias>ADFS</pyAuthServiceAlias> 
<pyUserNameAttribute/> 
<pyReloadForm>true</pyReloadForm> 
<pySPRuleSetName/> 
<pyAuthenticationServiceType>OIDC</pyAuthenticationServiceType> 
<pxInsId/> 
<pyInitialChallengeStream/> 
<pyTimeoutActivity/> 
<pyOpIsInNonPegaDB>false</pyOpIsInNonPegaDB> 
<pyRuleSetVersion/> 
<pyExternalTimeout/> 
<pyKeystore/> 
<pySearchFilter/> 
<pxUpdateOpName>Rakesh Vadlamuri</pxUpdateOpName> 
<pyWindowTitle/> 
<pxUpdateOperator>[email protected]</pxUpdateOperator> 
<pySSLProtocolVersion>TLSv1.2</pySSLProtocolVersion> 
<pxMoveFromSystem/> 
<pyName>ADFS</pyName> 
<pyAuthenticationActivity/> 
<pySupportsPegaTimeout>false</pySupportsPegaTimeout> 
<pyOrgDivision/> 
<pyDescription>ADFS Open ID Connect Authentication Service</pyDescription> 
<pyOrganization/> 
<pxMoveImportOperId/> 
<pyEnableOperatorProvisioning>true</pyEnableOperatorProvisioning> 
<pyOperatorProvisioningType>ModelOperator</pyOperatorProvisioningType> 
<pxMoveImportDateTime/> 
<pxObjClass>Data-Admin-AuthService</pxObjClass> 
<pyTemplateInputBox/> 
<pxCreateOperator>[email protected]</pxCreateOperator> 
<pyDirectoryContext/> 
<pyOrgUnit/> 
<pxCreateSystemID>pega-dev</pxCreateSystemID> 
<pxLimitedAccess>Dev</pxLimitedAccess> 
<pyVerifyOpInNonPegaDB/> 
<pzOriginalInstanceKey>DATA-ADMIN-AUTHSERVICE ADFS</pzOriginalInstanceKey> 
<pyLabel>ADFS /prweb/PRAuth</pyLabel> 
<pxCreateOpName>Rakesh Vadlamuri</pxCreateOpName> 
<pyStreamName/> 
<pyRuleSetName>WLZWZDDev</pyRuleSetName> 
<pxWarnings REPEATINGTYPE="PageList"/> 
<pyOpenIDConnect> 
<pyStatusMessage>OK</pyStatusMessage> 
<pySAMLAttrList/> 
<pyIsImportMetadataSuccess>true</pyIsImportMetadataSuccess> 
<pyUserInfoEndpoint>https://amf-adfs.ciz.nl/adfs/userinfo</pyUserInfoEndpoint> 
<pyOIDCProviderMetadataJSONString>{"issuer":"https:\/\/amf-adfs.ciz.nl\/adfs","authorization_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/authorize\/","token_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/token\/","jwks_uri":"https:\/\/amf-adfs.ciz.nl\/adfs\/discovery\/keys","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","windows_client_authentication"],"response_types_supported":["code","id_token","code id_token","id_token token","code token","code id_token token"],"response_modes_supported":["query","fragment","form_post"],"grant_types_supported":["authorization_code","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","implicit","password","srv_challenge","urn:ietf:params:oauth:grant-type:device_code","device_code"],"subject_types_supported":["pairwise"],"scopes_supported":["logon_cert","openid","allatclaims","winhello_cert","user_impersonation","email","profile","aza","vpn_cert"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"access_token_issuer":"http:\/\/amf-adfs.ciz.nl\/adfs\/services\/trust","claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash","c_hash","sub","upn","unique_name","pwd_url","pwd_exp","mfa_auth_time","sid","nbf"],"microsoft_multi_refresh_token":true,"userinfo_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/userinfo","capabilities":["kdf_ver2"],"end_session_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/logout","as_access_token_token_binding_supported":true,"as_refresh_token_token_binding_supported":true,"resource_access_token_token_binding_supported":true,"op_id_token_token_binding_supported":true,"rp_id_token_token_binding_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"device_authorization_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/devicecode"}</pyOIDCProviderMetadataJSONString> 
<pyLogoutEndpoint/> 
<pyIssuer>https://amf-adfs.ciz.nl/adfs</pyIssuer> 
<pxObjClass>Data-Admin-Security-SSO-OIDC</pxObjClass> 
<pyTemplateInputBox/> 
<pyMetadataSourceType>URL</pyMetadataSourceType> 
<pyMetadataSourceLocation>https://amf-adfs.ciz.nl/adfs/.well-known/openid-configuration</pyMetadataSourceLocation> 
<pyValue/> 
<pyMapOperatorFromClaim>{email}</pyMapOperatorFromClaim> 
<pyHTTPResponseCode>200</pyHTTPResponseCode> 
<pyStatusValue>Good</pyStatusValue> 
<pySignatureTruststore>KS_ADFS_1598_OIDCCertStore</pySignatureTruststore> 
<pyUserInfoParams REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyUserInfoParams> 
<pyExpressionGadget> 
<pxObjClass>PegaGadget-ExpressionBuilder</pxObjClass> 
<pyTemplateInputBox/> 
<pyShowCustomPages>true</pyShowCustomPages> 
<pyShowLocalVariables>false</pyShowLocalVariables> 
<pyShowParameters>true</pyShowParameters> 
<pyEditable>false</pyEditable> 
<pyIsLaunchAsOverlay>false</pyIsLaunchAsOverlay> 
<pyExpressionMapNew REPEATINGTYPE="PropertyGroup"> 
</pyExpressionMapNew> 
</pyExpressionGadget> 
<pyScopeList REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>openid</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="2"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>email</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="3"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>profile</pyValue> 
</rowdata> 
</pyScopeList> 
<pyProviderInfo> 
<pxObjClass>Data-Admin-Security-OAuth2-Provider</pxObjClass> 
<pyUsePropertyRef/> 
<pySendClientCredentialsAs>PostBody</pySendClientCredentialsAs> 
<pyClientJwtGenerationProfile/> 
<pyClientAuthenticationScheme>pyClientSecret</pyClientAuthenticationScheme> 
<pyPrivateKeyJwtPropType>useJwtGenProf</pyPrivateKeyJwtPropType> 
<pySendAccessTokenAs>AuthorizationHeader</pySendAccessTokenAs> 
</pyProviderInfo> 
<pyLogoutEndpointParams REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyLogoutEndpointParams> 
<pyClientInfo> 
<pxObjClass>Data-Admin-Security-OAuth2-Client</pxObjClass> 
<pyAuthCodeURL>https://amf-adfs.ciz.nl/adfs/oauth2/authorize/</pyAuthCodeURL> 
<pyClientID>3ceadb5c-481e-4e73-9347-96bff086f389</pyClientID> 
<pyClientSecret>	{in}1cmAGcdMEdCs5bC8APnNSb5sjljTw1twykFO3j1zwhbcMmYRpSwIX5PASKIiK/eZ</pyClientSecret> 
<pyTokenRevocationURL/> 
<pyAccessTokenURL>https://amf-adfs.ciz.nl/adfs/oauth2/token/</pyAccessTokenURL> 
<pyGrantType>Authorization code</pyGrantType> 
<pyRedirectURL>https://dev.medewerker.ciz.nl/prweb/PRAuth</pyRedirectURL> 
<pyAccessTokenParameters REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyAccessTokenParameters> 
<pyAuthorizationCodeParameters REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyAuthorizationCodeParameters> 
</pyClientInfo> 
<pyViewScopeList REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>logon_cert</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="2"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>openid</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="3"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>allatclaims</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="4"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>winhello_cert</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="5"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>user_impersonation</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="6"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>email</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="7"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>profile</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="8"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>aza</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="9"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>vpn_cert</pyValue> 
</rowdata> 
</pyViewScopeList> 
<pxWarningsToDisplay REPEATINGTYPE="PageList"/> 
</pyOpenIDConnect> 
<pySecurityPolicies REPEATINGTYPE="PageList"/> 
<pyPropertyMappings REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-ExtAttributeMapping</pxObjClass> 
<pyExternalAttributeName/> 
<pyPropertyName/> 
</rowdata> 
</pyPropertyMappings> 
<pyExpressionGadget> 
<pxObjClass>PegaGadget-ExpressionBuilder</pxObjClass> 
<pyTemplateInputBox/> 
<pyShowCustomPages>true</pyShowCustomPages> 
<pyShowLocalVariables>false</pyShowLocalVariables> 
<pyShowParameters>true</pyShowParameters> 
<pyEditable>false</pyEditable> 
<pyIsLaunchAsOverlay>false</pyIsLaunchAsOverlay> 
<pyExpressionMapNew REPEATINGTYPE="PropertyGroup"> 
</pyExpressionMapNew> 
</pyExpressionGadget> 
<pyPagesAndClasses REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Code-Pega-Requestor</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>pxRequestor</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="2"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-ID</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>OperatorID</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="3"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-Attributes</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>D_pyOperatorAttributes</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="4"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-Device</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>D_pyOperatorDeviceInformation</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="5"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-Attributes</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>D_pyUserInfoClaims</pyPagesAndClassesPage> 
</rowdata> 
</pyPagesAndClasses> 
<pySAMLWebSSO> 
<pxObjClass>Data-Admin-Security-SSO-SAML</pxObjClass> 
<pyUseIndexToggle>Location</pyUseIndexToggle> 
</pySAMLWebSSO> 
</pagedata> 
 
2024-08-08 13:00:12,098 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Processing authorization code recieved from OIDC provider  
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  -  reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth/app/default 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[0] = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[1] = default 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantHash =  
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - StateParam Validation is successful 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Fetching access token using authCode received  
2024-08-08 13:00:12,194 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Successfully fetched accesss token and ID token using authCode  
2024-08-08 13:00:12,195 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Validating ID token received from access token end point eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkRyV3d5dDJxTm5GRGNWXzNlbWd3SWNFalNWSSIsImtpZCI6IkRyV3d5dDJxTm5GRGNWXzNlbWd3SWNFalNWSSJ9.eyJhdWQiOiIzY2VhZGI1Yy00ODFlLTRlNzMtOTM0Ny05NmJmZjA4NmYzODkiLCJpc3MiOiJodHRwczovL2FtZi1hZGZzLmNpei5ubC9hZGZzIiwiaWF0IjoxNzIzMTIyMDExLCJuYmYiOjE3MjMxMjIwMTEsImV4cCI6MTcyMzEyNTYxMSwiYXV0aF90aW1lIjoxNzIzMTIxOTk0LCJub25jZSI6ImYzY2Y1ZDFiYmUxZmQxOTA0OWExNThmOGM2OGRiYTk0YmIyOGJhNDg5Zjc2MDNlZGI0MGFmMGY1MjM2YWUyYjIiLCJzdWIiOiIrVEZLMnJTcmVIQ2RmSzdTZERFTlQ2SmhzVnpDQlg1cFRsSVhRaVV4ZXk4PSIsInVuaXF1ZV9uYW1lIjoiQ0laUy1BTUZcXGpyb2Vsb2ZzNSIsInB3ZF9leHAiOiI3MDg0MTY5Iiwic2lkIjoiUy0xLTUtMjEtMjQwMjQ1MzQzMy0xMTE0NzkzNDcxLTE1MjA1MzE3MzgtMTIwMDY0IiwidXBuIjoianJvZWxvZnM1QGFhbm1lbGRmdW5jdGlvbmFsaXRlaXQuc25lZWsuY2l6Lm5sIiwiZW1haWwiOiJqdXVsLnJvZWxvZnNAY2l6Lm5sIiwicm9sZSI6WyJEb21laW5nZWJydWlrZXJzIiwiMTAwMTI5M185OTk5OTkxWm9yZ2Fhbm1lbGRlclZvbGxlZGlnQXBveW9UZXN0IiwiVm9sbGVkaWctQXBveW8tVGVzdCIsIkFQT1lPX1RFU1RfVm9sbGVkaWciXSwiYXBwdHlwZSI6IkNvbmZpZGVudGlhbCIsImFwcGlkIjoiM2NlYWRiNWMtNDgxZS00ZTczLTkzNDctOTZiZmYwODZmMzg5IiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwidmVyIjoiMS4wIiwic2NwIjoicHJvZmlsZSBlbWFpbCBvcGVuaWQifQ.knHcS0WApXxtSCRDps6Pgw5efFbJfAL4m2pNX8NT0BxAt-JEtveZrq3XIbtfySaL7Wx1h1v6lcJHhXF2kXomsXaJZP2VCIRGvrnnYhnBVRJObmPVocsS39-E_BtdMCxt4FUVM_gYV9GTktu_ye71TbAftIpbS0HIs0gnXlCrNTdpHoVn3pRyVHiABUj9Rsm6fE1DtRt_OgX0FP8KfZqzQwpagDsu7D7fbfAkWGM-crf1x3NGkW-E4_L3LUdtvGbnvxsW3qJJ__M-8plktukGhS-86zWXTEN4Z17cLhTyrMCKo62_m1PDnU_-Y2Fv3FxpnmBxdBuew0DWh-CEjyLYnw 
2024-08-08 13:00:12,195 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (h.oidc.NimbusOIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - JWT is Signed 
2024-08-08 13:00:12,195 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (h.oidc.NimbusOIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Truststore picked is KS_ADFS_1598_OIDCCertStore 
2024-08-08 13:00:12,243 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Succesfully validated ID token with standard claims  
2024-08-08 13:00:12,244 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Retrieving userInfo claims from user info Endpoint  
2024-08-08 13:00:12,315 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Fetch operator from claim {email} from received ID token claims 
2024-08-08 13:00:12,315 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) ERROR dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Exception is thrown for OIDC flow com.pega.pegarules.pub.PRRuntimeException: Unable to derive claim "email" from id token for operator establishment 
2024-08-08 13:00:12,315 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (ernal.mgmt.SecurityEventLogger) INFO  dev.medewerker.ciz.nl| Proprietary information hidden:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - {"appName":"CIZAuth_20230106T130751255","eventCategory":"Authentication event","eventType":"Login","id":"a44fad58-6056-4f24-8889-435ba7ff1022","ipAddress":" Proprietary information hidden:51364","message":"Open ID ConnectConnect Flow failed, AuthService : ADFS, ErrorMessage : Unable to derive claim \"email\" from id token for operator establishment","nodeID":"pega-dev-web-5567cd48-xfdzf","outcome":"Failure","tenantID":"shared","timeStamp":"Thu 2024 Aug 08, 13:00:12:315"} 

 

Show Less
***Edited by Moderator Marissa to add Capability tags***
***Edited by Moderator Marije to add closed INC-B33050 ***
·
To see attachments, please log in.
Pega Platform 8.8.5
Data Integration
Lead System Architect
Support Case Created

  • Reply

Accepted Solution

Posted: 3 months ago
Updated: 3 months ago
Posted: 6 Nov 2024 12:52 EST
Updated: 6 Nov 2024 13:05 EST
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

I searched and found that the original poster logged INC-B33050 with our support team.  That ticket was closed with the following investigation summary:

Description:

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Is there is another way to solve 

Solution type description:

Configuration of Userinfo endpoint was causing the issue that not all the claims part of token were available. 

From the historcial cases when the Userinfo endpoint is configured it seems that not all the claims part of token are available and can be used according to the requirements.

Once this config is removed then all the claims are available.

A follow-on ticket  INC-B34571 was logged to resolve the below;

Description

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Please correct me if i am wrong and there is another way to solve this problem

Solution description:

Show More

I searched and found that the original poster logged INC-B33050 with our support team.  That ticket was closed with the following investigation summary:

Description:

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Is there is another way to solve 

Solution type description:

Configuration of Userinfo endpoint was causing the issue that not all the claims part of token were available. 

From the historcial cases when the Userinfo endpoint is configured it seems that not all the claims part of token are available and can be used according to the requirements.

Once this config is removed then all the claims are available.

A follow-on ticket  INC-B34571 was logged to resolve the below;

Description

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Please correct me if i am wrong and there is another way to solve this problem

Solution description:

Suggested client to use D_pzSSOAttributes, as an alternative to D_pyUserInfoClaims since D_pzSSOAttributes data page should contain the claims information that could be used in the post authentication activity.

@BernardM7769   As this is an old post and not related to the original poster's question, please log a support incident via the msp and let us know the INC id here so we can help track it.

Show Less
To see attachments, please log in.

Accepted Solution

Posted: 3 months ago
Updated: 3 months ago
Posted: 6 Nov 2024 12:52 EST
Updated: 6 Nov 2024 13:05 EST
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

I searched and found that the original poster logged INC-B33050 with our support team.  That ticket was closed with the following investigation summary:

Description:

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Is there is another way to solve 

Solution type description:

Configuration of Userinfo endpoint was causing the issue that not all the claims part of token were available. 

From the historcial cases when the Userinfo endpoint is configured it seems that not all the claims part of token are available and can be used according to the requirements.

Once this config is removed then all the claims are available.

A follow-on ticket  INC-B34571 was logged to resolve the below;

Description

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Please correct me if i am wrong and there is another way to solve this problem

Solution description:

Show More

I searched and found that the original poster logged INC-B33050 with our support team.  That ticket was closed with the following investigation summary:

Description:

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Is there is another way to solve 

Solution type description:

Configuration of Userinfo endpoint was causing the issue that not all the claims part of token were available. 

From the historcial cases when the Userinfo endpoint is configured it seems that not all the claims part of token are available and can be used according to the requirements.

Once this config is removed then all the claims are available.

A follow-on ticket  INC-B34571 was logged to resolve the below;

Description

I am getting a value list in claims and i used to find the corresponding access group to the value list roles and update the operator record. I need a post authentication activity where i should access this claims. I believe i need D_pyUserInfoClaims data page to get these claims for my logic. Please correct me if i am wrong and there is another way to solve this problem

Solution description:

Suggested client to use D_pzSSOAttributes, as an alternative to D_pyUserInfoClaims since D_pzSSOAttributes data page should contain the claims information that could be used in the post authentication activity.

@BernardM7769   As this is an old post and not related to the original poster's question, please log a support incident via the msp and let us know the INC id here so we can help track it.

Show Less
To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice