Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Unable to process the SAML WebSSO request

SA-60278

Summary



Error occurs when logging in to the Pega  application using SAML single sign-on (SSO).


Error Messages



[ttp-nio-8443-exec-13] [STANDARD] [ ] [ PegaGP:07.31] ( internal.util.PRSAMLv2Utils) ERROR <IP>|<IP> - Caught Exception while processing SAML2 Authentication response 
com.pega.pegarules.pub.PRRuntimeException: Caught Exception while validating SAML2 Authentication response for SSO profile : Assertion does not contain unique subject provider identifier https://<Server IP>:<Port>/prweb/sp/<Unique Id> in the audience restriction conditions 
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseSSOProfileValidator.validate(SAMLv2ResponseSSOProfileValidator.java:113) ~[printegrint.jar:?] 
 at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.validateResponse(PRSAMLv2Utils.java:719) ~[printegrint.jar:?]


Steps to Reproduce

  1. Log in to the application through SSO using OKTA.
  2. Enter the username and password. Error displays on the screen.


Root Cause



A third-party product issue. 

The identity provider (IdP) did not display  the correct Entity Identification in the SAML response.


Resolution



Here's the explanation for the reported behavior:

The Service Provider 'Entity Identification' in the SAML authentication profile was configured in the below format:

https://<Server name or IP>:<PORT>/prweb/sp/<unique id>

However, the SAML response from the IdP displayed a different Audience element in the below format:

https://<Server name or IP>:<PORT>/prweb

As a local-change, update the IdP configuration and return the same Entity Identification as configured in the SAML authentication profile.

The SAML response XML must have the Audience element as below:

<saml2:AudienceRestriction>
    <saml2:Audience>https://<Server name or IP>:<PORT>/prweb/sp/<unique id>:Audience>
</saml2:AudienceRestriction>

 

Tags:

Pega Platform 7.3.1 Pega Platform Platform Case Management

Published December 30, 2018 - Updated October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Collaboration Center

Did you find this content helpful?

Yes
No

Want to help us improve?
Suggest an edit
Report a Pega Community bug

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice