
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Logout error with SAML authentication

SA-35144

Summary



An error is encountered during logout with SAML authentication. The user does not appear to be fully logged out of the system.


Error Messages



Error on screen:
"Unable to process the SAML WebSSO request : Unable to build SAML2 Authentication request : java.security.KeyStore$TrustedCertificateEntry incompatible with java.security.KeyStore$PrivateKeyEntry"

Error in logs:
2017-03-09 09:29:37,029 [ WebContainer : 6] [ STANDARD] [ ] [ Your_App:01.01.01] (nActivity.Code_Security.Action) ERROR your_server|127.0.0.1 - Error while executing the Authentication Service activity : Unable to build SAML2 Authentication request : java.security.KeyStore$TrustedCertificateEntry incompatible with java.security.KeyStore$PrivateKeyEntry


Steps to Reproduce

  1. Log in to Pega using SAML SSO
  2. Once successfully logged in, click the link to log off


Root Cause



The issue lies in the custom application code or rules. The logoff process had been customized because the SAML IdP does not perform logoff; the customization was based on this Support Article: https://pdn.pega.com/support-articles/logout-when-idp-does-not-provide-slo-failing-0

Because of this customization, the standard "Logoff" activity was being used. However, the standard Logoff activity does a meta refresh right back to the Pega engine, and this led to a failed SAML authentication attempt after logoff.

Resolution



Perform the following local change: customize the Web-Session-Return HTML rule to perform a meta refresh to a custom URL rather than back to Pega. Be sure to save the rule to a ruleset that is accessible to unauthenticated users.

Published March 26, 2017 - Updated October 8, 2020
