Support Article
Logout error with SAML authentication
SA-35144
Summary
An error is encountered during logout with SAML authentication. The user does not appear to be fully logged out of the system.
Error Messages
Error on screen:
"Unable to process the SAML WebSSO request : Unable to build SAML2 Authentication request : java.security.KeyStore$TrustedCertificateEntry incompatible with java.security.KeyStore$PrivateKeyEntry"
Error in logs:
2017-03-09 09:29:37,029 [ WebContainer : 6] [ STANDARD] [ ] [ Your_App:01.01.01] (nActivity.Code_Security.Action) ERROR your_server|127.0.0.1 - Error while executing the Authentication Service activity : Unable to build SAML2 Authentication request : java.security.KeyStore$TrustedCertificateEntry incompatible with java.security.KeyStore$PrivateKeyEntry
Steps to Reproduce
- Login to Pega using SAML SSO
- Once successfully logged in, click the link to log off
Root Cause
An issue in the custom application code or rules: The logoff process had been customized because the SAML IDP does not perform logoff based on this Support Article: https://pdn.pega.com/support-articles/logout-when-idp-does-not-provide-slo-failing-0 Because of this customization, the standard "Logoff" activity was being used. However, the standard Logoff activity does a meta refresh right back to the Pega engine, and this was leading to a failed SAML authentication attempt after logoff.
Resolution
Perform the following local-change: Customize the Web-Session-Return HTML rule to perform a meta refresh to a custom URL, and not back to Pega. Be sure to save the rule to a ruleset that is accessible to unauthenticated users.
Published March 26, 2017 - Updated October 8, 2020
Have a question? Get answers now.
Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.