Support Article

SSO SAML2.0 not working

SA-37089

Summary



SAML SSO 2.0 is not working with Pega 7.2.2.


Error Messages



On the user interface: "Unable to process the SAML WebSSO request : 1"

In the logs:


Running step 14_circum0
2017-04-12 10:20:09,000 [ httpexec-69] [ STANDARD] [ ] [ SAG:01.01.01] (Admin_Security_SSO_SAML.Action) DEBUG |Rest|WebSSO|SAML|AssertionConsumerService|A75A2B6D6C87C9664F56C20F5C9C5DA4F - Running step 15_circum0
2017-04-12 10:20:09,000 [ httpexec-69] [ STANDARD] [ ] [ SAG:01.01.01] (Admin_Security_SSO_SAML.Action) ERROR |Rest|WebSSO|SAML|AssertionConsumerService|A75A2B6D6C87C9664F56C20F5C9C5DA4F - Error while executing the Assertion Consumer Service activity : 1



Second error after fixing the first one:

Caught Exception while processing SAML2 Authentication response
com.pega.pegarules.pub.PRRuntimeException: No attribute statements found in the SAML Response,Unable to deduce an operator record for further processing
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processAuthenticationResponse(PRSAMLv2Utils.java:552)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.step19_circum0(ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.java:1732)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.perform(ra_action_pysamlwebssoauthenticationactivity_c47b18e15be5f092cee6529c38ebf1e0.java:425)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3553)


Steps to Reproduce



1. Configure SAMLAUTH.
2. Try to log in at <your server address>/prweb/sso.
3. Provide proper credentials.


Root Cause



The ACS URL the user was invoking via POST used http instead of https.

Once that was corrected, the first error was resolved. However, on submitting credentials from the SSO URL, the Assertion Consumer Service was called repeatedly in an infinite loop.

The pySAMLWebSSOAuthenticationActivity was modified so that pxReqContextURI on the pxRequestor page was hardcoded to the https URL in use.

After this, the looping issue was resolved, but the second error shown above was encountered.

On checking the logs, it was identified that no attribute mapping had been configured, which is why the error occurred.

Resolution




After obtaining the attribute from the IdP and mapping it in the SAML authentication service, the issue is resolved and SSO works correctly.
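The two failure modes in the Root Cause and Resolution sections (an ACS URL whose scheme does not match the https endpoint, and a Response whose Assertion carries no AttributeStatement to map to an operator) can be caught by a small pre-flight check on the Response before any operator lookup is attempted. The following is an added illustration, not Pega code: the ACS URL, the `email` attribute name used as the operator mapping, and the sample Responses are all constructed, and it deliberately skips signature verification, which a real Assertion Consumer Service must perform first.

```python
"""Pre-flight checks for a SAML 2.0 Response before operator lookup.

Added illustration for the support article; not Pega code. It reproduces
the article's two failure modes in a standalone checker:
  1. the Response's Destination is not the expected https ACS URL, and
  2. the Assertion carries no AttributeStatement, so nothing can be
     mapped to an operator record.
Signature validation is intentionally out of scope here and must happen
before these checks in a real deployment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed ACS URL; a real service pins its own https endpoint here.
EXPECTED_ACS = "https://pega.example.com/prweb/sso"


class SamlResponseError(Exception):
    """Raised when the Response fails one of the pre-flight checks."""


def check_destination(root):
    """Reject a Response whose Destination is not the expected https ACS URL.

    Pinning scheme, host and path rules out the http-vs-https mismatch
    described in the article before the assertion is consumed.
    """
    dest = root.get("Destination")
    if dest is None:
        raise SamlResponseError("Response has no Destination attribute")
    got, want = urlparse(dest), urlparse(EXPECTED_ACS)
    if got.scheme != "https":
        raise SamlResponseError(f"Destination must use https, got {got.scheme!r}")
    if (got.netloc, got.path) != (want.netloc, want.path):
        raise SamlResponseError(f"Destination {dest!r} does not match ACS {EXPECTED_ACS!r}")
    return dest


def extract_attributes(root):
    """Collect every Attribute in every AttributeStatement, keyed by Name."""
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlResponseError("Response contains no Assertion")
    attrs = {}
    for stmt in assertion.findall("saml:AttributeStatement", NS):
        for attr in stmt.findall("saml:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            attrs[attr.get("Name")] = values
    if not attrs:
        # The condition behind the article's second error.
        raise SamlResponseError("No attribute statements found in the SAML Response")
    return attrs


def resolve_operator(xml_text, operator_attr="email"):
    """Run both checks and return the attribute value mapped to the operator ID.

    `operator_attr` stands in for the attribute mapping configured in the
    authentication service; the name is a constructed example.
    """
    root = ET.fromstring(xml_text)
    check_destination(root)
    attrs = extract_attributes(root)
    if not attrs.get(operator_attr):
        raise SamlResponseError(f"Mapped attribute {operator_attr!r} is absent; cannot deduce operator")
    return attrs[operator_attr][0]


def diagnose(xml_text, operator_attr="email"):
    """Return (operator_id, None) on success or (None, reason) on failure."""
    try:
        return resolve_operator(xml_text, operator_attr), None
    except SamlResponseError as exc:
        return None, str(exc)


def sample_response(destination, with_attributes=True):
    """Build a minimal, unsigned, constructed Response for demonstration."""
    attr_block = (
        '<saml:AttributeStatement><saml:Attribute Name="email">'
        '<saml:AttributeValue>jdoe@example.com</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement>'
    ) if with_attributes else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" Destination="{destination}">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
        f'{attr_block}</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    cases = {
        "correct https ACS with attribute": sample_response(EXPECTED_ACS),
        "http ACS (first error)": sample_response("http://pega.example.com/prweb/sso"),
        "no AttributeStatement (second error)": sample_response(EXPECTED_ACS, False),
    }
    for label, xml_text in cases.items():
        print(f"{label}: {diagnose(xml_text)}")
```

Running the script prints one line per constructed case: the first resolves to `jdoe@example.com`, the second fails on the http Destination, the third fails with the "No attribute statements found" reason. `xml.etree` is used only because it is in the standard library; a Response from an untrusted IdP should be parsed with a hardened XML parser and its signature verified before any of these checks run.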

Published April 26, 2017 - Updated May 15, 2017
