Support Article

Logging out from SSO throws error



When logging out from SSO URL an error message is thrown and logout from PRPC does not happen.

Error Messages

at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.step8_circum0(
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.perform(
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.step1_circum0(
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.perform(
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(
... 50 more
Caused by: Signature encoding error
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLRedirectBindingHandler.verify(
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processLogoutResponse(
... 58 more
Caused by: ObjectIdentifier mismatch: xxx
... 62 more

Steps to Reproduce

1. Configure SAML with IDP.
2. Try to logout from the SSO URL, throws the error.

Root Cause

A defect or configuration issue in the operating environment.

On tracing the SAML requests and responses, found that the request from SP to IDP was using the RSASHA1 and from IDP response was being sent using RSASHA256.


Perform the following local-change:

At the IDP end the signature algorithm in keystore was re-generated with RSASHA1 so that the requests and response algorithms matches.

Also user is suggested to perform the save-as of the Out-of-the-box (OOTB) HTML rule "web-session-return" and to customize it to have the appropriate information on the logout screen.

Published May 8, 2017 - Updated May 18, 2017

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.