Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Requestors not being unauthenticated through logoff



The current authentication method of SAML 2.0 takes a slightly different path when a user clicks LogOff from either a User Portal, Designer Studio Portal or from a Launched User Portal from Designer Studio.

Marking the requestor as unauthenticated when the logoff screen is presented is not working.

Internally, Pega marks a requestor as active during logon or connection and should be marking the same requestor as deactivated and unauthenticated if logoff is clicked.

However, if a launched portal is opened, the logoff link should be closing that window or tab and leaving the Designer Studio still active and only unauthenticating the Designer Studio session when the logoff link is clicked.

Error Messages

Not Applicable

Steps to Reproduce

  1. Log into Pega 7.3.1 environment with a Developer Access user account which is configured to use both Internal PRPC Authentication & SAML Authentication.
    Test 1: Click on Logoff – one cannot see the logoff HTML page
    Test 2: Open another session and then launch a user portal. Click logoff from the launched portal – window is closed, and the developer session is still active.
    Test 3: Click on Logoff from the developer portal, and one cannot see the logoff HTML page, but will see an exception instead
  2. When log out is performed as a developer, there is no logoff screen. Instead an exception occurs.

Root Cause

This issue was determined to be a product enhancement request. Pega 7.3.1 is currently working as designed.


Perform either one of the following local-change steps:

Use a wrapper activity like the following:

1. Include Java step to call the unauthenticate() API.
2. Call EndSession activity and give this wrapper activity as logout activity in AuthenticationService rule form.


Configure the AuthService logout URL to be the EndSession activity and override EndSession activity to have a Java step to unauthenticate the requestor

Published April 6, 2018 - Updated October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us