Support Article
SSO SAML2.0 not working
SA-37089
Summary
SAML SSO 2.0 is not working with Pega 7.2.2.
Error Messages
Unable to process the SAML WebSSO request : 1 on User interface
In the logs:
Running step 14_circum0
2017-04-12 10:20:09,000 [ httpexec-69] [ STANDARD] [ ] [ SAG:01.01.01] (Admin_Security_SSO_SAML.Action) DEBUG |Rest|WebSSO|SAML|AssertionConsumerService|A75A2B6D6C87C9664F56C20F5C9C5DA4F - Running step 15_circum0
2017-04-12 10:20:09,000 [ httpexec-69] [ STANDARD] [ ] [ SAG:01.01.01] (Admin_Security_SSO_SAML.Action) ERROR |Rest|WebSSO|SAML|AssertionConsumerService|A75A2B6D6C87C9664F56C20F5C9C5DA4F - Error while executing the Assertion Consumer Service activity : 1
Second error after fixing the first one:
Caught Exception while processing SAML2 Authentication response
com.pega.pegarules.pub.PRRuntimeException: No attribute statements found in the SAML Response,Unable to deduce an operator record for further processing
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processAuthenticationResponse(PRSAMLv2Utils.java:552)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.step19_circum0(ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.java:1732)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.perform(ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.java:425)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)
Steps to Reproduce
1. Configure SAMLAUTH.
2. Try to login with <your server address>/prweb/sso.
3. Provide proper credentials.
Root Cause
The user was using http instead of https in the ACS URL that they were invoking via POST.
Once that was corrected, the first error was resolved, but on submitting credentials from the SSO URL the Assertion Consumer Service was called repeatedly in an infinite loop.
The pySAMLWebSSOAuthenticationActivity was modified and the pxReqContextURI property of the pxRequestor page was hardcoded to the https URL in use.
After this, the looping issue was resolved, but the second error mentioned above was encountered.
On checking the logs, it was identified that no attribute mapping had been done, which caused the error.
Resolution
After obtaining the attribute from the IdP server and mapping it in the SAML authentication service, the issue was resolved and SSO works correctly.
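The two failure points described under Root Cause (an ACS Destination that is not the configured https URL, and an assertion with no AttributeStatement to map to an operator) can be checked on a captured SAML Response before it is handed to the service. The following is an added example, not Pega code; the ACS URL, the `email` attribute name and the sample responses are constructed for illustration.

```python
"""Pre-flight checks on a SAML 2.0 Response for the two faults in this article."""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def check_saml_response(xml_text, expected_acs_url, operator_attr):
    """Return a list of problems found (an empty list means the response passes).

    1. Destination must be https and must equal the ACS URL the service is configured with.
    2. The Assertion must carry an AttributeStatement that includes the attribute
       used to look up the operator record.
    """
    problems = []
    root = ET.fromstring(xml_text)
    dest = root.get("Destination", "")
    if not dest.startswith("https://"):
        problems.append("Destination is not https: %r" % dest)
    if dest != expected_acs_url:
        problems.append("Destination %r != configured ACS URL %r" % (dest, expected_acs_url))
    stmts = root.findall(".//saml:Assertion/saml:AttributeStatement", NS)
    if not stmts:
        # Same condition that PRSAMLv2Utils reports in the article's stack trace.
        problems.append("No attribute statements found in the SAML Response")
        return problems
    names = {a.get("Name") for s in stmts for a in s.findall("saml:Attribute", NS)}
    if operator_attr not in names:
        problems.append("attribute %r missing; present: %s" % (operator_attr, sorted(names)))
    return problems

# Constructed samples (hypothetical host; ACS path assumed from the log's REST path).
ACS = "https://pega.example.com/prweb/PRRestService/WebSSO/SAML/AssertionConsumerService"
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{dest}">
 <saml:Assertion>{stmt}</saml:Assertion></samlp:Response>"""
ATTR_STMT = ('<saml:AttributeStatement><saml:Attribute Name="email">'
             '<saml:AttributeValue>user@example.com</saml:AttributeValue>'
             '</saml:Attribute></saml:AttributeStatement>')
GOOD = TEMPLATE.format(dest=ACS, stmt=ATTR_STMT)
BAD_HTTP = TEMPLATE.format(dest=ACS.replace("https://", "http://"), stmt=ATTR_STMT)
BAD_NO_ATTRS = TEMPLATE.format(dest=ACS, stmt="")

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("http", BAD_HTTP), ("no-attrs", BAD_NO_ATTRS)):
        print(label, check_saml_response(resp, ACS, "email") or "OK")
```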
Published May 15, 2017 - Updated October 8, 2020