Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Tamas Zakar (TamasZ28)
NN Biztosító Zrt

NN Biztosító Zrt
HU
TamasZ28 Member since 2015 2 posts
NN Biztosító Zrt
Posted: Mar 16, 2016
Last activity: Mar 17, 2016
Posted: 16 Mar 2016 6:56 EDT
Last activity: 17 Mar 2016 8:37 EDT
Closed
Solved

setting SSO usign ADFS

Hi,

Please help me in setting SSO in Pega 7.1.7 using SAML2 with MS ADFS as IdP.

 

I created an Authentication Service in Pega called SAMLAuth1 and our AD admin could add the PEGA server as a trust relay party at ADFS server using the SP metadata from Pega.

I could imported the IdP metadata from ADFS to our Pega server too.

Show More

Hi,

Please help me in setting SSO in Pega 7.1.7 using SAML2 with MS ADFS as IdP.

 

I created an Authentication Service in Pega called SAMLAuth1 and our AD admin could add the PEGA server as a trust relay party at ADFS server using the SP metadata from Pega.

I could imported the IdP metadata from ADFS to our Pega server too.

But after I tried to log in our Pega /prweb/sso1 url I redirected to our ADFS server and got error message. On Pega log I did not see any error message.

I tried with SAML tracer Firefox plugin, and there was only SAML AuthnRequest message and no response.

Could you help me with some screenshots how the ADFS side should be configured? Should it be work with 7.1.7 version of Pega?

At ADFS side there was this error message in the log:

Exception details: 

System.Xml.XmlException: MSIS0018: The SAML protocol message cannot be read because it contains data that is not valid. ---> System.ArgumentException: ID4128: The value is not a valid SAML ID.

Parameter name: value ---> System.Xml.XmlException: The '/' character, hexadecimal value 0x2F, cannot be included in a name.
   at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
   at Microsoft.IdentityServer.Protocols.Saml.HttpPostSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


System.ArgumentException: ID4128: The value is not a valid SAML ID.

Parameter name: value ---> System.Xml.XmlException: The '/' character, hexadecimal value 0x2F, cannot be included in a name.
   at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadCommonAttributes(XmlReader reader, SamlMessage message)


System.Xml.XmlException: The '/' character, hexadecimal value 0x2F, cannot be included in a name.

   at System.Xml.XmlConvert.VerifyNCName(String name, ExceptionType exceptionType)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2Id..ctor(String value)

Show Less
To see attachments, please log in.
Security

Posted: 8 years ago
Posted: 16 Mar 2016 8:15 EDT
Kevin Zheng (KevinZheng_GCS)
PEGA
Director, Technical Support
Pegasystems Inc.
US

Please attach your hotfix inventory (using hotfix manager). We will review if you system is up to date. If necessary, we will advise for a SR.

To see attachments, please log in.
Posted: 8 years ago
Posted: 16 Mar 2016 9:04 EDT
Tamas Zakar (TamasZ28)
NN Biztosító Zrt

NN Biztosító Zrt
HU

Hi Kevin, we have installed 2 hotfixes. I attached screenshot. I have downloaded the inventory also, but I don't know how could I attach zip file here.

hotfixes.jpg

To see attachments, please log in.
Posted: 8 years ago
Posted: 16 Mar 2016 11:00 EDT
Vidyaranjan AV (Vidyaranjan) Senior Online Community Moderator
Pegasystems Inc.
IN

Hi Tamas Zakar,

Once you go ahead creating an SR for this question, please feel free to share the SR number here so that we can track it for you within the thread.

Thanks!

Vidyaranjan A V  |  Community Moderator  |  Pegasystems Inc.

To see attachments, please log in.
Posted: 8 years ago
Posted: 17 Mar 2016 5:55 EDT
Tamas Zakar (TamasZ28)
NN Biztosító Zrt

NN Biztosító Zrt
HU

Hi,

After I received the hotfix from Pega support and installed to our server I have different problem:

I got "Unable to process the SAML WebSSO request : Unable to process SAML2 Authentication response : Caught Exception while validating SAML2 Authentication response protocol : Failed to decrypt EncryptedData" error at Pega side.

In the SAML tracer I see both of the request and response now.

The Pega server log contains these errors:

org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData

at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535)

at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)

at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)

at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)

at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)

at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validate(SAMLv2ResponseProtocolValidator.java:139)

... 61 more

Regards,

Tamas

To see attachments, please log in.
Posted: 8 years ago
Posted: 17 Mar 2016 8:37 EDT
Tamas Zakar (TamasZ28)
NN Biztosító Zrt

NN Biztosító Zrt
HU

Hi Kevin,

Thanks, after I installed Java Cryptography Extension to our server this error message disappeared.

Now I have to map the user attributes received through SAML...

Regards,

Tamas

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice