
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Interaction with SSO differs depending on action in CPM

SA-490

Summary



When eworkflow (which is SSO enabled) and another SSO application share the same browser session, we are seeing errors in eworkflow when the other application either times out from the SSO perspective or the user logs out of that SSO application. Within Ameriprise the SSO applications in the same browser share the SMSession. So, when you log out of one and try to access functionality in another (eworkflow in this case) you should be challenged for your SSO ID and password. That does happen when some options are clicked on in eworkflow, but when the "phone" option is selected, errors result.

Error Messages



No real error message seen by users, just busy indicator or "AJAX Request  failed" Javascript alert.

I have included the Pega logs (rules, alert, cti), webserver logs, including a trace file, from the webservers and HttpWatch traces from a working situation (clipboard) and the non-working (phone). What I need to understand is why I get different results when I click on clipboard than when I click on phone.

There are two files for both "clipboard", which is the working scenario, and "Phone", which is the error situation. The ones with "relogin" in the names contain all of the information of the other, plus tracing for when I logged in after closing the session.



Steps to Reproduce



1. Log into eworkflow as a phones user.
2. In the same browser (new tab), log into another SSO protected application.
3. Log out of that second SSO application.
4. Click on "phone" within eworkflow. You will get a message box. When you click OK, you will get a failure message. When you log out and back in you will get the red X.

If you do the same steps above, but select "clipboard" (or anything other than phone), you will get the SSO challenge correctly.


Root Cause



The root cause of this problem is in a third-party product integrated with PRPC. 


A user is logging out of Siteminder on one application and that is clearing their authentication to all applications. So, if the next request from the other PRPC session open in another browser tab is an AJAX request, the response will be the Siteminder login screen, after some redirection etc. We can't process those types of responses in our AJAX layer at this time.

We usually use the pxSessionTimer for handling idle timeouts with SSO-based third-party security software. The pxSessionTimer puts the SSO authentication screen into a popup window so that the full PRPC portal keeps the current user location in the UI the same. This also prevents PRPC AJAX requests from getting an idle timeout response, containing the login screen for example, from a third-party SSO application like Siteminder.
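The failure described above, an AJAX caller receiving an SSO login page where it expected data, can be detected on the client before the response is parsed. The following is an added example, not PRPC or Siteminder code: the function names, response field names, URLs and the password-form heuristic are all assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not part of PRPC or Siteminder.
// Classifies an AJAX response so the caller can prompt for re-login instead
// of handing an SSO login page to code that expects data.
function classifyAjaxResponse(res, expected) {
  const type = (res.contentType || '').split(';')[0].trim().toLowerCase();
  const wantOrigin = new URL(expected.requestUrl).origin;
  const gotOrigin = new URL(res.finalUrl || expected.requestUrl).origin;
  // Heuristic (assumption): a login screen contains a password field.
  const looksLikeLogin = /<input[^>]+type\s*=\s*["']?password/i.test(res.body || '');

  if (res.status === 401 || res.status === 403) return 'reauth';       // rejected outright
  if (res.redirected && gotOrigin !== wantOrigin) return 'reauth';     // followed to SSO host
  if (type !== expected.contentType && looksLikeLogin) return 'reauth'; // login page, same origin
  if (res.status >= 200 && res.status < 300 && type === expected.contentType) return 'ok';
  return 'error';
}

// Routes a response: data goes to onData; a lost session triggers a single
// re-login prompt (onReauth) no matter how many requests fail at once.
function createAjaxGuard(onReauth) {
  let prompting = false;
  return {
    handle(res, expected, onData) {
      const verdict = classifyAjaxResponse(res, expected);
      if (verdict === 'ok') onData(res.body);
      if (verdict === 'reauth' && !prompting) { prompting = true; onReauth(); }
      return verdict;
    },
    reauthDone() { prompting = false; }, // call once the user has logged in again
  };
}

// Constructed sample responses; fields mirror what fetch() exposes
// (status, redirected, final URL, Content-Type header, body text).
const EXPECTED = { requestUrl: 'https://app.example.test/phone', contentType: 'application/json' };
const SAMPLE_OK = { status: 200, redirected: false, finalUrl: EXPECTED.requestUrl,
  contentType: 'application/json; charset=utf-8', body: '{"calls":[]}' };
const SAMPLE_SSO_LOGIN = { status: 200, redirected: true,
  finalUrl: 'https://sso.example.test/login', contentType: 'text/html',
  body: '<form><input name="USER"><input type="password" name="PASSWORD"></form>' };
const SAMPLE_SAME_ORIGIN_LOGIN = { ...SAMPLE_SSO_LOGIN, redirected: false,
  finalUrl: EXPECTED.requestUrl };
```

The returned login HTML is never parsed or rendered by the data handler; only the verdict is acted on.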





 

Published June 12, 2015 - Updated October 8, 2020
