Support Article
SAML Authentication error while executing the Assertion Activity
SA-3514
Summary
Out-of-the-box SAML Web 2.0 authentication worked in Pega 7.1.6 but started failing after upgrading to Pega 7.1.7.
When an IdP (Identity Provider) initiated login is started using https://<IdP URL>/saml2sso?SPID= <SP_ID>&RelayState=/prweb/sso, an error message is received:
This worked on PRPC 7.1.6 prior to the upgrade.
Error Messages
On the browser
Unable to process the SAML WebSSO request:
In PegaRules Log:
2014-11-17 06:22:16,995 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) DEBUG Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Running step 1_circum0
2014-11-17 06:22:16,996 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) DEBUG Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Running step 8_circum0
2014-11-17 06:22:16,996 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) DEBUG Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Received request for Assertion Consumer Service with body content : RelayState=%2Fprweb%2Fsso&SAMLResponse=<ASSERTION IS EXTRACTED HERE... Intentionally removed by engineer for security>
2014-11-17 06:22:16,996 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) DEBUG Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Running step 9_circum0
2014-11-17 06:22:16,997 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) DEBUG Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Running step 12_circum0
2014-11-17 06:22:16,998 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) DEBUG Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Running step 13_circum0
2014-11-17 06:22:16,998 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) ERROR Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Error while executing the Assertion Consumer Service activity :
2014-11-17 06:22:16,998 [Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) DEBUG Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC - Running step 14_circum0
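As an added triage helper, not part of the original article or of Pega's own tooling: the script below parses PegaRules lines in the layout shown above, ties them together by the trailing request id in the pipe-separated context, and reports the last activity step that ran before an ERROR (step 13 in this excerpt). The layout regex is an assumption about this log format, and the sample lines are constructed from the excerpt with the assertion body omitted.

```python
import re
from collections import defaultdict

# Assumed layout of the PegaRules lines above: timestamp, four bracketed fields,
# logger in parentheses, level, pipe-joined request context, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:\[[^\]]*\] ){4}\((?P<logger>[^)]*)\) "
    r"(?P<level>[A-Z]+) (?P<ctx>\S+) - (?P<msg>.*)$"
)
STEP_RE = re.compile(r"Running step (?P<step>\S+)")

# Constructed sample mirroring the excerpt (same request id; assertion body omitted).
PREFIX = "[Test] [ STANDARD] [ ] [ PegaRULES:07.10] (Admin_Security_SSO_SAML.Action) "
CTX = "Test-1|<IP_ADDRESS>|Rest|WebSSO|SAML|AssertionConsumerService|A95155D03C14DD19C4D6A7BA23A4617DC"
SAMPLE_LOG = [
    f"2014-11-17 06:22:16,995 {PREFIX}DEBUG {CTX} - Running step 1_circum0",
    f"2014-11-17 06:22:16,996 {PREFIX}DEBUG {CTX} - Received request for Assertion Consumer Service with body content : RelayState=%2Fprweb%2Fsso&SAMLResponse=<omitted>",
    f"2014-11-17 06:22:16,998 {PREFIX}DEBUG {CTX} - Running step 13_circum0",
    f"2014-11-17 06:22:16,998 {PREFIX}ERROR {CTX} - Error while executing the Assertion Consumer Service activity :",
    "    (constructed stack-trace continuation line, not in the log layout)",
    f"2014-11-17 06:22:16,998 {PREFIX}DEBUG {CTX} - Running step 14_circum0",
]

def parse_line(line):
    """Split one log line into fields; return None for lines outside the layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["request_id"] = rec.pop("ctx").split("|")[-1]  # last context element = request id
    return rec

def triage(lines):
    """Group lines by request id; for each request that logged an ERROR, record the
    last 'Running step' seen before it, i.e. the activity step to inspect."""
    by_request = defaultdict(lambda: {"steps": [], "errors": [], "step_at_error": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # stack traces and continuation lines carry no fields
        entry = by_request[rec["request_id"]]
        step = STEP_RE.search(rec["msg"])
        if step:
            entry["steps"].append(step.group("step"))
        elif rec["level"] == "ERROR":
            entry["errors"].append(rec["msg"].rstrip(" :"))
            if entry["step_at_error"] is None and entry["steps"]:
                entry["step_at_error"] = entry["steps"][-1]
    return {rid: e for rid, e in by_request.items() if e["errors"]}
```

Feed it the PegaRules log of a failing request and the reported step is where to start in the SAML activity; any line that does not match the layout (stack traces, continuation lines) is skipped rather than mis-attributed.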
Steps to Reproduce
Initiate IdP login using https://<IdP URL>/saml2sso?SPID= <SP_ID>&RelayState=/prweb/sso
Root Cause
In Pega 7.1.6, the SSO flow was IdP initiated, and the Pega SAML implementation supported only the HTTP POST binding. The SPID (Service Provider ID, as referenced in the assertion) and RelayState parameters were therefore passed in the IdP-initiated URL:
https://<IdP URL>/saml2sso?SPID= <SP_ID>&RelayState=/prweb/sso
In Pega 7.1.7, two new bindings, HTTP Redirect and HTTP Artifact, were introduced alongside HTTP POST, and the SSO flow is Service Provider (SP) initiated, i.e. started by Pega. Do not use the pre-7.1.7 SSO URL format.
Resolution
Using the following SSO URL format resolved the issue:
https://<PEGA URL>/prweb/sso
Published January 31, 2016 - Updated October 8, 2020