This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SAML response NameID not read from the external SAML response

SA-73862

Summary



On configuring SAML Authorization - MTSSAMLLogin, the single sign-on (SSO) configuration works correctly: the SSO redirects to the Identity Provider (IdP), and the IdP sends back to the application a valid response that contains the NameID. However, the application fails to read the NameID from the external SAML response.


Error Messages



com.pega.pegarules.pub.PRRuntimeException: Unable to derive attribute (NameID) from SAML assertion for operator establishment
    at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLHandler.resolveSourceValue(SAMLHandler.java:93) ~[printegrint.jar:?]
    at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLResponseHandler.handleSAMLResponse(SAMLResponseHandler.java:125) ~[printegrint.jar:?]
    at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLResponseHandler.handleSAMLResponse(SAMLResponseHandler.java:65) ~[printegrint.jar:?]
    at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLResponseHandler.authenticate(SAMLResponseHandler.java:53) ~[printegrint.jar:?]
    at com.pega.pegarules.session.internal.mgmt.authentication.SchemePRAuth.authenticateOperator(SchemePRAuth.java:723) ~[prprivate.jar:?]
    at com.pega.pegarules.session.internal.mgmt.authentication.Authentication.doAuthentication(Authentication.java:489) ~[prprivate.jar:?]
    at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.performAuthentication(HTTPAuthenticationHandler.java:251) ~[prprivate.jar:?]
    at com.pega.pegarules.session.internal.engineinterface.service.HTTPAuthenticationHandler.doHttpReqAuthentication(HTTPAuthenticationHandler.java:94) ~[prprivate.jar:?]
    at

com.pega.pegarules.pub.PRRuntimeException: Cannot retrieve operator from NameID element as NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent



Steps to Reproduce



Click the SSO URL. This redirects to the Pega login failure page.


Root Cause



The NameID format was set to Persistent at the IdP end, which Pega does not support. Hence the authentication did not occur.


Resolution



Perform the following local change:

At the IdP, change the NameID format to a different (non-persistent) format so that the 'Name identifier in the Subject' option can be used when mapping the operator.
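Before opening a ticket or changing IdP settings, it helps to confirm from the decoded SAML response itself which NameID Format the IdP is sending. The following Python script is an added example, not Pega code or part of this article: it parses a SAML 2.0 Response, extracts the Subject NameID and its Format attribute, and classifies whether the value is an opaque identifier (persistent or transient, which cannot be resolved to an operator as the error above describes) or a stable identifier that operator mapping can be keyed on. The two sample responses are constructed for the example, and the set of formats treated as resolvable is an assumption for illustration; the page only states that Persistent is unsupported.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumption for this example: formats whose value is a stable, meaningful
# identifier that an operator lookup can be keyed on.
RESOLVABLE = {EMAIL, UNSPECIFIED}


def extract_name_id(response_xml: str):
    """Return (value, format) of the Subject NameID in the first plain
    assertion, or (None, None) if no readable NameID is present."""
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None, None
    # SAML 2.0 Core: a NameID with no Format attribute means 'unspecified'.
    fmt = name_id.get("Format", UNSPECIFIED)
    return (name_id.text or "").strip(), fmt


def classify_name_id(response_xml: str) -> str:
    """Classify the NameID so an admin can tell at a glance why operator
    mapping will or will not work: 'encrypted', 'missing', 'opaque',
    'resolvable' or 'unknown'."""
    root = ET.fromstring(response_xml)
    # An encrypted assertion has to be decrypted before the NameID is visible.
    if root.find("./saml:EncryptedAssertion", NS) is not None:
        return "encrypted"
    value, fmt = extract_name_id(response_xml)
    if value is None or value == "":
        return "missing"
    if fmt in (PERSISTENT, TRANSIENT):
        # IdP-generated opaque identifier: carries no operator ID to look up.
        return "opaque"
    if fmt in RESOLVABLE:
        return "resolvable"
    return "unknown"


# Constructed sample: the failing case from this article (persistent NameID).
PERSISTENT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        _f3a9c0d2-opaque-id
      </saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same response after the IdP switches to emailAddress.
EMAIL_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, xml_doc in (("persistent", PERSISTENT_RESPONSE), ("email", EMAIL_RESPONSE)):
        value, fmt = extract_name_id(xml_doc)
        print(f"{label}: NameID={value!r} Format={fmt} -> {classify_name_id(xml_doc)}")
```

The script reads a decoded (base64-decoded, unencrypted) Response such as the one captured by a browser SAML tracer; it does not validate the signature, so use it only as a diagnostic for the Format question and keep the normal signature and audience checks in the application.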



Published February 22, 2019 - Updated December 2, 2021
