This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

LogOff after Authentication Timeout

SA-72887

Summary



In a system that uses Single Sign-On (SSO) authentication, users are configured to be logged off after a period of inactivity, so the user must be directed to the sign-out URL returned by the Web-Session-Return.
The timeout, in seconds, is set in the access group, and the authentication service is configured to invoke a Logoff activity as its Timeout activity. However, when the activity is invoked, errors are written to the log and an error is displayed on the screen.


Error Messages



There has been an issue: please consult your system administrator.

[jsse-nio-8986-exec-8] [STANDARD] [shared] [ ] (ngineinterface.service.HttpAPI) ERROR com.pega.pegarules.pub.PRRuntimeException
com.pega.pegarules.pub.PRRuntimeException: No failure response set by custom authentication activity 
at com.pega.pegarules.session.internal.mgmt.authentication.SchemePRCustom.onAuthenticationFailure(SchemePRCustom.java:975) ~[prprivate.jar:?] 
at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.doAuthentication(Authentication.java:770) ~[prprivate.jar:?] 
at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.performAuthentication(HTTPAuthenticationHandler.java:250) ~[prprivate.jar:?] 
at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.doHttpReqAuthentication(HTTPAuthenticationHandler.java:94) ~[prprivate.jar:?] 
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.handleAuthentication(HttpAPI.java:2327) ~[prprivate.jar:?] 
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.activityExecutionProlog(EngineAPI.java:576) ~[prenginext.jar:?] 
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:415) ~[prenginext.jar:?] 
at sun.reflect.GeneratedMethodAccessor83.invoke(Unknown Source) ~[?:?] 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_172]
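
The log signature above can be searched for when checking whether a system is hitting this misconfiguration. The following is an added example, not part of the original article and not Pega code: it groups log lines into events using the header layout of the line shown above and reports ERROR events whose message and top stack frame match this article's trace. The second event in the sample is constructed, and the function names are hypothetical.

```python
import re

# Header layout taken from the log line in this article:
# [thread] [..] [..] [..] (logger) LEVEL text. Any prefix before it is ignored.
HEADER = re.compile(
    r"\[(?P<thread>[^\]]+)\]\s+\[[^\]]*\]\s+\[[^\]]*\]\s+\[[^\]]*\]\s+"
    r"\((?P<logger>[^)]+)\)\s+(?P<level>[A-Z]+)\s+(?P<text>.*)"
)
FRAME = re.compile(r"^\s*at\s+(?P<method>[\w.$]+)\(")
SIGNATURE = "No failure response set by custom authentication activity"
RAISING_METHOD = "SchemePRCustom.onAuthenticationFailure"


def split_events(log_text):
    """Group each header line with the message and stack lines that follow it."""
    events, current = [], None
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            current = {**m.groupdict(), "body": []}
            events.append(current)
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    return events


def find_timeout_failures(log_text):
    """Return ERROR events with the signature whose top frame is SchemePRCustom."""
    hits = []
    for ev in split_events(log_text):
        if ev["level"] != "ERROR":
            continue
        if not any(SIGNATURE in part for part in [ev["text"], *ev["body"]]):
            continue
        frames = [f.group("method") for f in map(FRAME.match, ev["body"]) if f]
        if frames and frames[0].endswith(RAISING_METHOD):
            hits.append({"thread": ev["thread"], "top_frame": frames[0]})
    return hits

# Sample input: the first event reuses lines from this article, the second is constructed.
SAMPLE = """\
[jsse-nio-8986-exec-8] [STANDARD] [shared] [ ] (ngineinterface.service.HttpAPI) ERROR com.pega.pegarules.pub.PRRuntimeException
com.pega.pegarules.pub.PRRuntimeException: No failure response set by custom authentication activity
at com.pega.pegarules.session.internal.mgmt.authentication.SchemePRCustom.onAuthenticationFailure(SchemePRCustom.java:975) ~[prprivate.jar:?]
at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.doAuthentication(Authentication.java:770) ~[prprivate.jar:?]
[jsse-nio-8986-exec-2] [STANDARD] [shared] [ ] (example.Logger) INFO constructed unrelated line
"""

print(find_timeout_failures(SAMPLE))
```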



Steps to Reproduce

  1. Add an authentication timeout in the Advanced tab of the access group (for example, 180 seconds).
  2. Add LogOff as the Timeout activity in the Authentication service for SSO.
  3. Log in to the system.
  4. Wait for 180 seconds.
  5. Perform any activity.


Root Cause



The issue occurs when PRCustom authentication invokes Code-Security.Logoff directly from the Timeout activity, or when Code-Security.Logoff is itself specified as the Timeout activity. The Timeout activity works similarly to the Login activity with respect to the required response parameters.


Resolution



For custom authentication, use a SessionTimer to handle auto logoff when users are idle.

A good use of the Timeout activity for managing logoff is the case where the user closes the browser tab without logging off while other tabs may still be open.

For this use case, the Timeout activity must perform the following:
  1. Property-Set 

    param.pyChallenge = @java("PRAuthentication.GENERATED_CHALLENGE_STREAM")
    param.pyFailMessage = ""

     
  2. Show-HTML

    RedirectToLogoff

    HTML For RedirectToLogoff:

    <!DOCTYPE html>
    <html>
      <head>
        <pega:include name='pzPortalIcon' type='Rule-HTML-Fragment'/>
        <meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
        <title>
          <pega:lookup property="pxRequestor.pyCaption" value="You have just left PegaRULES" />
        </title>

        <pega:choose>
          <pega:when test="pxProcess.pxCsrfMitigation == false">
            <pega:save name="servURL" ref="pxThread.pxReqURI"/>
          </pega:when>
          <pega:otherwise>
            <pega:save name="servURL" append="/"/>
            <pega:save name="servURL" appendRef="pxRequestor.pxReqContextName"/>
            <pega:save name="servURL" append="/"/>
            <pega:save name="servURL" appendRef="pxRequestor.pxReqServletNameReal"/>
          </pega:otherwise>
        </pega:choose>

        <META http-equiv="refresh" content="0;URL=<pega:reference name="$save(servURL)" />?pyActivity=Code-Security.Logoff">
      </head>
      <body>
      </body>
    </html>

     
  3. Set the AccessGroup Timeout such that it is larger than the SessionTimer timeout. 

    When the user returns to the session in a new browser tab and a timeout has occurred, the user is redirected to the logoff activity and the session is removed.

Published August 19, 2019 - Updated December 2, 2021
