SR-D64566 · Issue 547513
Option added for redirect to SAML IDP on logout
Resolved in Pega Version 8.3.3
An enhancement has been added which provides a check box to choose to redirect to SAML IDP on logout from Pega.
SR-D75498 · Issue 545068
Resolved null-pointer exception for Token based Authenticated Rest
Resolved in Pega Version 8.3.3
When logging in with auth0 OIDC auth service and then trying to use connect-Rest with an authentication profile using an auth0 provider, a null pointer error was generated indicating connect-Rest could not find the Access token. Even thought the Authentication service (OIDC) and authentication profile (authorization grant) both had the same scopes (“openid profile email”), OIDC flow and authentication profile save the Access Token with different scopes. Specifically, OIDC saves the token with an extra trailing space. Handling has been added to correct this.
SR-D92837 · Issue 551004
SameSite cookie setting updated for pre-authentication
Resolved in Pega Version 8.3.3
In work done in previous versions to modify the SameSite cookie handling to support Mashups in Google Chrome v80+, SameSite was set to None only in case of an authenticated Pega-RULES cookie and not for a Pre-authenticated cookie. That caused the Samesite value to not be set when using a pre-authenticated cookie, and the blank value was treated as 'Lax', causing a login challenge. To resolve this, Samesite will be set to 'None' when using pre-authenticated cookie, which will match the way it is being set in authenticated cookie.
SR-D90452 · Issue 551808
SSOPreAuthenticationActivity runs until success
Resolved in Pega Version 8.3.3
When a user visited a public-facing application via a Single Sign-On (SSO) URL that redirected to SAML IDP for authentication, the first time the URL was hit the system correctly executed pySSOPreAuthenticationActivity as part of pre-authentication to determine if authentication is possible/allowed. If the pySSOPreAuthenticationActivity set the pyAuthenticationPolicyResult to 'false', authentication was not allowed: the user was not redirected to the IDP and an error message was shown. However, if the same URL is hit again after that rejection without any changes, the user was redirected to the IDP for authentication because the preauthentication activity was not run again. This has been resolved by updating the system to continue to call the pre-authentication activity for the SSO URL until a success status is returned by the activity.