Support Article
Logging out from SSO throws error
SA-37604
Summary
When logging out from the SSO URL, an error message is thrown and logout from PRPC does not happen.

Error Messages
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.step8_circum0(ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.java:952)
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.perform(ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.java:210)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10711)
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.step1_circum0(ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.java:304)
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.perform(ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.java:70)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:646)
... 50 more
Caused by: java.security.SignatureException: Signature encoding error
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:204)
at java.security.Signature$Delegate.engineVerify(Signature.java:1217)
at java.security.Signature.verify(Signature.java:651)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLRedirectBindingHandler.verify(SAMLRedirectBindingHandler.java:146)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processLogoutResponse(PRSAMLv2Utils.java:1169)
... 58 more
Caused by: java.io.IOException: ObjectIdentifier mismatch: xxx
at sun.security.rsa.RSASignature.decodeSignature(RSASignature.java:235)
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:195)
... 62 more
Steps to Reproduce
1. Configure SAML with IDP.
2. Try to log out from the SSO URL; the error is thrown.
Root Cause
A defect or configuration issue in the operating environment.
Tracing the SAML requests and responses showed that the request from the SP to the IDP used RSASHA1, while the response from the IDP was sent using RSASHA256.
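The comparison made during that trace can be scripted. The following is an added example, not part of the original article or of Pega's code: it reads the SigAlg query parameter from a traced HTTP-Redirect logout request and logout response and reports whether the two algorithms agree. The host names, URL paths and placeholder payload values are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# XML Signature algorithm URIs carried in the SigAlg query parameter of the
# SAML HTTP-Redirect binding, mapped to the short names the article uses.
SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSASHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSASHA256",
}


def sig_alg(url):
    """Return (message type, signature algorithm) for one traced redirect URL."""
    query = parse_qs(urlsplit(url).query)
    kind = next((k for k in ("SAMLRequest", "SAMLResponse") if k in query), None)
    if kind is None:
        raise ValueError("no SAMLRequest/SAMLResponse parameter in URL")
    if "SigAlg" not in query:
        return kind, None  # message was sent unsigned
    uri = query["SigAlg"][0]
    return kind, SIG_ALGS.get(uri, uri)  # unknown URIs are reported verbatim


def check_pair(request_url, response_url):
    """Compare the algorithm the SP signed with to the one the IDP signed with."""
    _, sent = sig_alg(request_url)
    _, received = sig_alg(response_url)
    return {"sp_request": sent, "idp_response": received,
            "match": sent is not None and sent == received}


def build_url(base, param, alg_uri):
    """Constructed sample data: placeholder payload and signature values."""
    return base + "?" + urlencode({param: "PLACEHOLDER_DEFLATED_BASE64",
                                   "SigAlg": alg_uri,
                                   "Signature": "PLACEHOLDER_SIGNATURE"})


# Constructed trace reproducing the mismatch described in the root cause.
SP_LOGOUT_REQUEST = build_url("https://idp.example/slo", "SAMLRequest",
                              "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
IDP_LOGOUT_RESPONSE = build_url("https://sp.example/slo", "SAMLResponse",
                                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

if __name__ == "__main__":
    print(check_pair(SP_LOGOUT_REQUEST, IDP_LOGOUT_RESPONSE))
```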
Resolution
Perform the following local-change:
At the IDP end, the signature algorithm in the keystore was re-generated with RSASHA1 so that the request and response algorithms match.
The user is also advised to perform a save-as of the out-of-the-box (OOTB) HTML rule "web-session-return" and to customize it so that the logout screen shows the appropriate information.
Published May 18, 2017 - Updated October 8, 2020