This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Logging out from SSO throws error

SA-37604

Summary



When logging out from the SSO URL, an error message is thrown and the logout from PRPC does not happen.



Error Messages



at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.step8_circum0(ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.java:952)
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.perform(ra_action_samlsinglelogoff_b1b75b9698031825fd1ff81a0d19cc2e.java:210)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10711)
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.step1_circum0(ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.java:304)
at com.pegarules.generated.activity.ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.perform(ra_action_logoff_c4d53feaed27a894ed216db64794fc8c.java:70)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:646)
... 50 more
Caused by: java.security.SignatureException: Signature encoding error
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:204)
at java.security.Signature$Delegate.engineVerify(Signature.java:1217)
at java.security.Signature.verify(Signature.java:651)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLRedirectBindingHandler.verify(SAMLRedirectBindingHandler.java:146)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processLogoutResponse(PRSAMLv2Utils.java:1169)
... 58 more
Caused by: java.io.IOException: ObjectIdentifier mismatch: xxx
at sun.security.rsa.RSASignature.decodeSignature(RSASignature.java:235)
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:195)
... 62 more

Steps to Reproduce



1. Configure SAML with IDP.
2. Try to log out from the SSO URL; the error is thrown.


Root Cause



A defect or configuration issue in the operating environment.

Tracing the SAML requests and responses showed that the request from the SP to the IDP was signed using RSASHA1, while the response from the IDP was signed using RSASHA256.
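The trace comparison described above can be scripted. The following is an added example, not Pega code and not part of the original article: it reads the SigAlg parameter from two captured HTTP-Redirect binding URLs and reports whether the SP and IDP sides name the same algorithm. The URLs, host names and Signature values are constructed samples, and the function names are hypothetical.

```python
import base64
import re
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# XML-DSig algorithm URIs as they appear in the SigAlg query parameter.
SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSASHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSASHA256",
}

def inspect_redirect(url):
    """Return (SAML message type, signature algorithm) for one redirect URL."""
    params = parse_qs(urlsplit(url).query)
    payload = params.get("SAMLRequest") or params.get("SAMLResponse")
    if not payload:
        raise ValueError("no SAMLRequest or SAMLResponse parameter in URL")
    # Redirect binding payload: base64 over raw DEFLATE (no zlib header).
    xml = zlib.decompress(base64.b64decode(payload[0]), -15).decode("utf-8")
    root = re.search(r"<(?:[\w.-]+:)?([\w.-]+)", xml)  # first element, prefix dropped
    sig_alg = params.get("SigAlg", ["unsigned"])[0]
    return (root.group(1) if root else "unknown", SIG_ALGS.get(sig_alg, sig_alg))

def algorithms_differ(sp_url, idp_url):
    """True when the SP message and the IDP message name different SigAlg values."""
    return inspect_redirect(sp_url)[1] != inspect_redirect(idp_url)[1]

def _sample_url(base, param, xml, sig_alg):
    """Build a constructed redirect URL; the Signature value is a placeholder."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml.encode()) + deflater.flush()
    query = {param: base64.b64encode(raw).decode(), "SigAlg": sig_alg,
             "Signature": "PLACEHOLDER"}
    return base + "?" + urlencode(query)

# Constructed sample traffic (hypothetical hosts), mirroring the mismatch above.
SP_URL = _sample_url("https://idp.example/slo", "SAMLRequest",
                     '<samlp:LogoutRequest ID="_a1" Version="2.0"/>',
                     "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
IDP_URL = _sample_url("https://sp.example/slo", "SAMLResponse",
                      '<samlp:LogoutResponse ID="_b2" Version="2.0"/>',
                      "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

if __name__ == "__main__":
    for label, url in (("SP -> IDP", SP_URL), ("IDP -> SP", IDP_URL)):
        print(label, *inspect_redirect(url))
    print("mismatch:", algorithms_differ(SP_URL, IDP_URL))
```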

Resolution



Perform the following local change:

At the IDP end, the signature algorithm in the keystore was re-generated with RSASHA1 so that the request and response algorithms match.

The user is also advised to save-as the out-of-the-box (OOTB) HTML rule "web-session-return" and customize it to show the appropriate information on the logout screen.

Published May 18, 2017 - Updated October 8, 2020
