SAML Auth no match Error message
Hi All,
We are trying to implement SAML 2.0 authentication and have got it working just fine. The problem is that when we get no match for the model operator, because the user does not have the correct AD Group (ADFS Claim) attribute, we don't see a proper message, only "Error contact system administrator".
In the logs we see the following partial entry:
Invalid Division for Operator:
2022-04-04 15:12:33,864 [sse-nio-8443-exec-39] [ STANDARD] [ ] [ G2GDCM:01.01.02] (ngineinterface.service.HttpAPI) ERROR coeweb-kn-t1.systems.private| Proprietary information hidden HVB6O8AXOXTZ6884PGM7Z4OFJHRAD55A5A - Proprietary information hidden: com.pega.pegarules.pub.clipboard.InvalidParameterException
com.pega.pegarules.pub.clipboard.InvalidParameterException: cannot be null. page: OrgDivision. Details: Invalid value for aSource passed to com.pega.pegarules.data.internal.clipboard.ClipboardPageImpl.replace(ClipboardPage)
at com.pega.pegarules.data.internal.clipboard.ClipboardPageBase.replace(ClipboardPageBase.java:1446) ~[prprivate-data.jar:?]
at com.pega.pegarules.data.internal.clipboard.ClipboardPageImpl.replace(ClipboardPageImpl.java:115) ~[prprivate-data.jar:?]
at com.pega.pegarules.session.internal.authorization.AuthorizationUtils.setupDivision(AuthorizationUtils.java:777) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.authorization.AuthorizationUtils.establishOperatorContext(AuthorizationUtils.java:898) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.initializeUser(Authentication.java:2207) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.initializeUser(Authentication.java:2168) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.doAuthentication(Authentication.java:603) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.performAuthentication(HTTPAuthenticationHandler.java:257) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.doHttpReqAuthentication(HTTPAuthenticationHandler.java:100) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.handleAuthentication(HttpAPI.java:2927) ~[prprivate-session.jar:?]
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.activityExecutionProlog(EngineAPI.java:617) ~[prenginext.jar:?]
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:443) ~[prenginext.jar:?]
at sun.reflect.GeneratedMethodAccessor228.invoke(Unknown Source) ~[?:?]
I'm using "Set operator context" by name and have a simple data page, D_ModelUser.pyUserIdentifier, being populated via a data transform as per the Pega example https://docs-previous.pega.com/provisioning-operator-using-data-transform
This works when the attribute has a match but causes the above error when it doesn't. Should we be seeing something more descriptive, like "Unable to derive operator from SAML assertion" or "unauthorised"?
Another thing I've witnessed whilst trying this out: when using "By organization hierarchy" and specifying the correct Org, Div & Unit, we get another error message:
2022-04-04 16:25:14,481 [sse-nio-8443-exec-38] [ STANDARD] [ ] [ G2GDCM:01.01.02] (ternal.auth.AbstractSSOHandler) ERROR coeweb-kn-t1.systems.private| Proprietary information hidden|RelayStateID: 39ca0d37-d7ea-49bb-99f9-0fe14cc429ab :RelayStateID HAYD57QGOA393OZ1WRQFDIGTGB6SBFDTQA - Exception during operator provisioning
com.pega.pegarules.pub.PRRuntimeException: Unable to derive attribute (<ORG>) from SAML assertion for operator establishment
at com.pega.pegarules.integration.engine.internal.auth.ExpressionHelper.getAttributeValue(ExpressionHelper.java:335) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.auth.ExpressionHelper.getClaimOrAttributeValue(ExpressionHelper.java:440) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.auth.ExpressionHelper.resolveSingleValue(ExpressionHelper.java:403) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.auth.AbstractSSOHandler.resolveSourceValue(AbstractSSOHandler.java:159) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.auth.AbstractSSOHandler.operatorProvisioning(AbstractSSOHandler.java:85) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.auth.saml.SAMLResponseHandler.handleSAMLResponse(SAMLResponseHandler.java:199) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.auth.saml.SAMLResponseHandler.handleSAMLResponse(SAMLResponseHandler.java:79) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.auth.saml.SAMLResponseHandler.authenticate(SAMLResponseHandler.java:63) ~[printegrint.jar:?]
Even though the specified Org structure exists and the model operator is assigned correctly.
Anyone know what we need to do here?
Thanks, Craig