Support Article

Logging out from SSO throws error

SA-37604

Summary

When logging out via the SSO URL, an error is thrown and the logout from PRPC does not happen.



Error Messages

at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.step8_circum0(ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.java:952)
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.perform(ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.java:210)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10711)
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.step1_circum0(ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.java:304)
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.perform(ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.java:70)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:646)
... 50 more
Caused by: java.security.SignatureException: Signature encoding error
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:204)
at java.security.Signature$Delegate.engineVerify(Signature.java:1217)
at java.security.Signature.verify(Signature.java:651)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLRedirectBindingHandler.verify(SAMLRedirectBindingHandler.java:146)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processLogoutResponse(PRSAMLv2Utils.java:1169)
... 58 more
Caused by: java.io.IOException: ObjectIdentifier mismatch: xxx
at sun.security.rsa.RSASignature.decodeSignature(RSASignature.java:235)
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:195)
... 62 more

Steps to Reproduce

1. Configure SAML with the IDP.
2. Log out from the SSO URL; the error is thrown.


Root Cause

A defect or configuration issue in the operating environment.

Tracing the SAML requests and responses showed that the request from the SP to the IDP was signed with RSASHA1, while the response from the IDP was signed with RSASHA256. A verifier initialised for SHA1withRSA finds the SHA-256 digest identifier inside the decoded signature and rejects it, which is the ObjectIdentifier mismatch reported in the stack trace above.

Resolution

Perform the following local change:

At the IDP end, the signature algorithm in the keystore was regenerated with RSASHA1 so that the request and response algorithms match.

The user is also advised to save-as the out-of-the-box (OOTB) HTML rule "web-session-return" and customize it so that the logout screen shows the appropriate information.
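As an added example (not Pega's code), the following Java program reproduces the JDK behaviour behind the stack trace above: a verifier initialised for SHA1withRSA rejects a signature made with SHA256withRSA with the same "Signature encoding error" / "ObjectIdentifier mismatch" pair. It also shows the SP-side check of choosing the verifier from the SigAlg parameter that the SAML HTTP-Redirect binding carries, restricted to an allow-list; the key pair, the query string and the class and method names are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

public class SigAlgMismatchDemo {
    // SAML 2.0 HTTP-Redirect binding SigAlg URIs mapped to the matching JCA algorithm names.
    static final Map<String, String> SIG_ALG = Map.of(
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA1withRSA",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "SHA256withRSA");
    static byte[] sign(PrivateKey key, String jcaAlg, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(jcaAlg);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }
    // Verify with whatever algorithm the caller names; jcaAlg must come from the SigAlg parameter.
    static boolean verify(PublicKey key, String jcaAlg, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance(jcaAlg);
        v.initVerify(key);
        v.update(data);
        return v.verify(sig);
    }
    // SP-side check: pick the verifier from SigAlg and reject anything not on the allow-list.
    static boolean verifyRedirectSignature(PublicKey key, String sigAlgUri, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        String jcaAlg = SIG_ALG.get(sigAlgUri);
        if (jcaAlg == null) throw new SignatureException("unsupported SigAlg: " + sigAlgUri);
        return verify(key, jcaAlg, data, sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair(); // stands in for the IDP's signing key
        // Constructed stand-in for the signed query string of the LogoutResponse redirect.
        String sigAlg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; // what the IDP used
        byte[] input = ("SAMLResponse=...&RelayState=...&SigAlg=" + sigAlg).getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(idpKey.getPrivate(), SIG_ALG.get(sigAlg), input);

        // 1. SP hard-wired to SHA1withRSA while the IDP signed with SHA-256: the failure in this article.
        try {
            System.out.println("fixed SHA1withRSA verifier: " + verify(idpKey.getPublic(), "SHA1withRSA", input, sig));
        } catch (SignatureException e) {
            // SunRsaSign reports "Signature encoding error" caused by "ObjectIdentifier mismatch".
            System.out.println("fixed SHA1withRSA verifier failed: " + e + " <- " + e.getCause());
        }
        // 2. Verifier selected from SigAlg: the same signature verifies.
        System.out.println("verifier from SigAlg: " + verifyRedirectSignature(idpKey.getPublic(), sigAlg, input, sig));
    }
}
```

Requires Java 9 or later for Map.of; keep the rsa-sha1 entry on the allow-list only while the IDP in this environment still signs with it.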

Published May 8, 2017 - Updated May 18, 2017
