Support Article
SAML response NameID not read from the external SAML response
SA-73862
Summary
On configuring SAML Authorization - MTSSAMLLogin, the single sign-on (SSO) configuration works correctly: the SSO redirects to the Identity Provider (IdP), and the IdP sends a response back to the application that contains the correct NameID. However, the application fails to read the NameID from the external SAML response.
Error Messages
com.pega.pegarules.pub.PRRuntimeException: Unable to derive attribute (NameID) from SAML assertion for operator establishment
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLHandler.resolveSourceValue(SAMLHandler.java:93) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLResponseHandler.handleSAMLResponse(SAMLResponseHandler.java:125) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLResponseHandler.handleSAMLResponse(SAMLResponseHandler.java:65) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLResponseHandler.authenticate(SAMLResponseHandler.java:53) ~[printegrint.jar:?]
at com.pega.pegarules.session.internal.mgmt.authentication.SchemePRAuth.authenticateOperator(SchemePRAuth.java:723) ~[prprivate.jar:?]
at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.doAuthentication(Authentication.java:489) ~[prprivate.jar:?]
at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.performAuthentication(HTTPAuthenticationHandler.java:251) ~[prprivate.jar:?]
at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.doHttpReqAuthentication(HTTPAuthenticationHandler.java:94) ~[prprivate.jar:?]
at
com.pega.pegarules.pub.PRRuntimeException: Cannot retrieve operator from NameID element as NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Steps to Reproduce
Click the SSO URL. This redirects to the Pega login failure page.
Root Cause
The NameID type was specified as Persistent at the IdP end, which is not supported in Pega for retrieving the operator from the NameID element. Hence authentication did not occur.
Resolution
Perform the following local change:
At the IdP, change the NameID type to a different (non-persistent) format so that the 'Name identifier in the Subject' option can be used when mapping the operator.
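As an added diagnostic (not part of this article or of Pega's own code), the check below reads the NameID value and its Format attribute from a decoded SAML response captured from the IdP and flags the persistent format named in the root cause, so the IdP change can be verified before users are sent to the login failure page. The sample responses are constructed; signatures and conditions are omitted from them.

```python
"""Inspect the NameID of a decoded SAML 2.0 Response before it reaches the SP."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# SAML 2.0 Core 2.2.3: when the Format attribute is absent, unspecified is in effect.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def inspect_name_id(response_xml: str) -> dict:
    """Return the NameID value and format plus whether operator lookup can use it.

    'mappable' is False for the persistent format, which the article above reports
    as unusable for retrieving the operator; any other format is passed back for
    the administrator to compare with the SP's operator mapping setting.
    """
    root = ET.fromstring(response_xml)
    if (root.find(".//saml:EncryptedAssertion", NS) is not None
            or root.find(".//saml:Subject/saml:EncryptedID", NS) is not None):
        return {"value": None, "format": None, "mappable": False,
                "reason": "assertion or NameID is encrypted; decrypt before checking"}
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return {"value": None, "format": None, "mappable": False,
                "reason": "no NameID in the assertion Subject"}
    fmt = name_id.get("Format", UNSPECIFIED)
    if fmt == PERSISTENT:
        return {"value": name_id.text.strip(), "format": fmt, "mappable": False,
                "reason": "persistent NameID cannot be used for operator lookup"}
    return {"value": name_id.text.strip(), "format": fmt, "mappable": True, "reason": "ok"}


def _response(fmt_attr: str, value: str) -> str:
    # Constructed sample response; a real one is base64-decoded from the SAMLResponse form field.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID{fmt_attr}>{value}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


PERSISTENT_RESPONSE = _response(f' Format="{PERSISTENT}"', "c4f1a2e9opaque")
EMAIL_RESPONSE = _response(' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"', "jdoe@example.com")
NO_FORMAT_RESPONSE = _response("", "jdoe")

if __name__ == "__main__":
    for label, xml in [("persistent", PERSISTENT_RESPONSE), ("email", EMAIL_RESPONSE)]:
        print(label, inspect_name_id(xml))
```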
Published February 22, 2019 - Updated December 2, 2021