SA-26755

Summary

Using SAML 2.0 with Identity provider is Okta.

The SP initiated and IDP initiated Login is working fine without any issue.

The Pega Rules timeout is configured with time out setting of 30 minutes with Force authentication option.

After session time out, using a pxSessionTimer, the  user is directed to the to IDP login screen in a popup window as expected. However, when user tries to re authenticate and submit the request, Pega is redirecting the user again to Okta login screen and not resuming the original session. Thus after a timeout, user is not able to resume his session as the same OKta login screen is shown again and again.
Okta is submitting proper details with correct relay state as mentioned in attachment.
 

Error Messages

Not applicable

Steps to Reproduce

1. Use SAML 2.0 with pxSessionTimer that allows reauthentication.
2. Login to PRPC System.
3. Wait for Timeout.
    

Root Cause

The client had modified the pySAMLWebSSOAuthenticationActivity were the user Id from the SAMLResponse was the users email and a custom service call was required to get the actual user Id.
This was put into an Unauthenticated Ruleset and part of the Unauthenticated AccessGroup. This was being called and working  properly during initial authentication.

On timeout the client modified pySAMLWebSSOAuthenticationActivity was not being called. The end users runtime ruleset stack did NOT include the Unauthenticated Ruleset.  Authentication on timeout was not occurring because the user email was not a valid Data-Admin-Operator-ID record in the system. At this point it properly redirected back to the IDP as authentication on timeout was not successful.
 

Resolution

When using a pxSessionTimer that allows for re-authentication onTimeout you need to make sure that the RuleSets the timeout activities are defined in are in the users runtime ruleset list. 

In this example the client added the Unauthetnticated Ruleset to the application definition.