Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Bill Chan (BillC931)
Atesis Pty Ltd

Atesis Pty Ltd
AU
BillC931 Member since 2017 3 posts
Atesis Pty Ltd
Posted: Mar 9, 2018
Last activity: Apr 27, 2018
Posted: 9 Mar 2018 23:46 EST
Last activity: 27 Apr 2018 16:20 EDT
Closed
Solved

SAML WebSSO SHA1 issue with ADFS

Hi,

I am trying to configure Desktop SSO between Pega(SP) and ADFS(IDP) but getting the following error:
Unable to process the SAML WebSSO request : The Response did not contain any Authentication Statement that matched the Subject Confirmation criteria

I can see in the logs that the SAML Web SSO Authentication Activity (Step: AuthService.pySAMLWebSSO) is generating a SAML request with a SHA1 signature:
Generated authentication request : <saml2p:AuthnRequest....<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

But ADFS is generating a SHA256 signature method response.

Is there any way to configure Pega such that it uses a "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" signature method algorithm?

The method samlutils.createAuthenticationRequest passes in a Data-Admin-Security-SSO-SAML class type, but there is no property to set the signature method algorithm.

Thanks,

Bill

***Updated by moderator: Lochan to tag SR to post***

To see attachments, please log in.
Security
Support Case Created

Accepted Solution

Posted: 6 years ago
Posted: 27 Apr 2018 16:20 EDT
Marissa Rogers (MarissaRogers)
MOD
Principal Knowledge Management Specialist
Pegasystems Inc.
US

Upon reviewing the associated SR, SA-55228 was generated as the resolution.

If you have the same question, please check out "ADFS does not recognize Pega SAML request signature" to resolve this for you.

To see attachments, please log in.
Posted: 6 years ago
Posted: 12 Mar 2018 16:46 EDT
Bill Chan (BillC931)
Atesis Pty Ltd

Atesis Pty Ltd
AU

As a test, we updated the signature algorithm in ADFS to SHA1 and were able to authenticate. However, we need to support SHA256 in production.

To see attachments, please log in.
Posted: 6 years ago
Posted: 13 Mar 2018 6:02 EDT
Santhosh Bagannagari (bagas)
Pegasystems Inc.
Tech Lead, Security Engineering
Pegasystems Inc.
IN

Hi,

I don't think there is a way to change the signature algorithm. Can you please share your pega platform version details ?

Regards,

Santhosh

To see attachments, please log in.
Posted: 6 years ago
Posted: 21 Mar 2018 2:40 EDT
Bill Chan (BillC329)
Department of Environment

Department of Environment
AU

We are on Pega Cloud 7.3.1. There is a bug in the product. We got this response from Pega:

Here is an existing hotfix-42004 as DL-83609.
Made required code changes in sign() method of SAMLPostBindingHandler.java.
previously signature algorithm was hard coded. Now we we get signature algorithm from SP certificate.
(Please use RSA-SHA256 algorithm for SP certificate)
Please install the DL file by hotfix manager and restart is required.

However, this has only partially resolved the issue. We also need a fix for the logout request. Currently with Pega support. Will post the update when I hear back from them.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice