Support Article
Logout fails when the IdP does not provide SLO
Summary
SAML SSO has been configured with PING as the Identity Provider (IdP). PING does not maintain user sessions of its own, so it publishes no Single Logout (SLO) URL.
The optional logout URL in the Pega authentication service rule was therefore left blank. Users can log in through PING successfully, but an exception is raised when they try to log out.
Error Messages
Caused by: com.pega.pegarules.pub.PRRuntimeException: Unable to build Logout Request. No value specified for the Single Logout location
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.createLogoutRequest(PRSAMLv2Utils.java:632)
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_7f522b9d11795aee0c0027cdd7fefd15.step2_circum0(ra_action_samlsinglelogoff_7f522b9d11795aee0c0027cdd7fefd15.java:577)
at com.pegarules.generated.activity.ra_action_samlsinglelogoff_7f522b9d11795aee0c0027cdd7fefd15.perform(ra_action_samlsinglelogoff_7f522b9d11795aee0c0027cdd7fefd15.java:92)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10450)
at com.pegarules.generated.activity.ra_action_logoff_839a0c73dcf8877a207e2f6af1689868.step1_circum0(ra_action_logoff_839a0c73dcf8877a207e2f6af1689868.java:306)
at com.pegarules.generated.activity.ra_action_logoff_839a0c73dcf8877a207e2f6af1689868.perform(ra_action_logoff_839a0c73dcf8877a207e2f6af1689868.java:69)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10450)
at com.pegarules.generated.activity.ra_action_logoff_c3a380c4735f758f4daa6ad0d7866271.step1_circum0(ra_action_logoff_c3a380c4735f758f4daa6ad0d7866271.java:167)
at com.pegarules.generated.activity.ra_action_logoff_c3a380c4735f758f4daa6ad0d7866271.perform(ra_action_logoff_c3a380c4735f758f4daa6ad0d7866271.java:69)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:641)
... 57 more
Steps to Reproduce
1. Login to Pega using Single Sign-on (SSO) URL with PING as the identity provider.
2. After successful login, click Log Off link.
Root Cause
A defect in Pegasystems' code or rules. The SAML logoff code assumes that the IdP always supplies an SLO location and builds a LogoutRequest unconditionally, so it fails when the optional logout URL is blank instead of falling back to a local logoff.
Resolution
As a workaround, switch to the out-of-the-box (OOTB) logoff. Note, however, that with SSO the logoff action may take users straight back into PRPC. The Web-Session-Return HTML rule contains a Meta Redirect which, without SSO, simply returns the user to the PRPC login screen. With SSO, that redirect runs the Data-Admin-AuthService login activity again; if the user is still logged in to the third-party SSO application, authentication succeeds silently and the user lands back in PRPC, so the logoff is effectively undone even though the Pega session was cleared.
To resolve this, modify the Meta Redirect in the Web-Session-Return HTML rule. This requires a custom unauthenticated Access Group and RuleSet, defined and specified in the system's Data-Admin-Requestor Browser instance, because the user is already unauthenticated when Web-Session-Return runs.
1. Save the Code-Security Logoff activity to an application-specific ruleset and comment out the first step so that it no longer calls the Code-Security SAMLSingleLogOff activity.
2. Save the @baseclass Web-Session-Return HTML rule to an application-specific ruleset and remove the following line, or replace its URL with a custom logoff URL that is not the SSO entry point:
<META http-equiv="refresh" content="0;URL=<pega:reference name="$save(servURL)" />">
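The following is an added example, not Pega code, showing the logic the Root Cause and Resolution above describe in a vendor-neutral form: a service-provider logoff that reads the IdP metadata, only builds a SAML LogoutRequest when a SingleLogoutService is actually advertised, and otherwise clears the local session and sends the browser to a neutral page rather than back to the SSO entry URL. The IdP metadata documents, entity IDs, URLs, NameID and SessionIndex values are all constructed for the example; signing of the LogoutRequest (required in production) is deliberately omitted.

```python
"""Added example (not Pega code): SP-side logoff that tolerates an IdP with no SLO endpoint."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata. The first IdP advertises SLO; the second, like the
# PING configuration in the article, advertises SSO only.
IDP_WITH_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

IDP_WITHOUT_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def slo_location(metadata_xml, binding=REDIRECT_BINDING):
    """Return the IdP SingleLogoutService Location for the given binding, or None if absent."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", MD_NS):
        if svc.get("Binding") == binding and svc.get("Location"):
            return svc.get("Location")
    return None


def build_logout_request(sp_entity_id, name_id, session_index, destination):
    """Build an unsigned SAML 2.0 LogoutRequest. A production SP must sign it (SigAlg/Signature)."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{escape(destination)}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def redirect_binding_url(location, request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (zlib header and trailer stripped), base64, URL-encode."""
    deflated = zlib.compress(request_xml.encode("utf-8"))[2:-4]
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{location}?{urlencode(params)}"


def decode_redirect_request(url):
    """Inverse of redirect_binding_url; handy when checking what an SP actually sent."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def plan_logout(metadata_xml, sp_entity_id, sp_entry_url, post_logout_url, name_id, session_index):
    """Decide the logoff flow. The local SP session is always cleared by the caller;
    a LogoutRequest is only built when the IdP really advertises an SLO endpoint."""
    # The Meta Redirect problem from the article: landing on the SSO entry URL
    # re-runs the login flow, and a live IdP session logs the user straight back in.
    if post_logout_url.rstrip("/") == sp_entry_url.rstrip("/"):
        raise ValueError("post-logout URL must not be the SSO entry URL")
    location = slo_location(metadata_xml)
    if location is None:
        return {"action": "local_only", "redirect": post_logout_url}
    request_xml = build_logout_request(sp_entity_id, name_id, session_index, location)
    return {"action": "saml_slo",
            "redirect": redirect_binding_url(location, request_xml, relay_state=post_logout_url)}
```

With the SLO-less metadata, plan_logout returns a local-only logoff pointed at the neutral page; with SLO present it returns a redirect to the IdP endpoint carrying the LogoutRequest, which decode_redirect_request can unpack for inspection.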
Published August 23, 2016 - Updated October 8, 2020