Displaying Login Screen for SAML SSO Login

General
,
1

Hi ,

I am working on a SAML SSO configuration . Below is the configuration at our side

Service Provider is Pega → Reverse Proxy → IDP(AAD )

I am facing an issue : when IDP trigger a request to access the application it is pointed to Pega Login page not to the User Portal .

Relay State URL which we receive from IDP as Saml Response is the DNS set by ReverseProxy and which in turn is redirected to the actual Authentication service url (https://(host)/prweb/xx. But the UI displayed to Thirdparty is Pega Login Screen not the Portal .

What Pega send back as message is

"Since your browser does not support JavaScript,
you must press the Continue button once to proceed. "

This is set from the Pega OOTB HTML code invoked from assertion service activity .

Even after trying from Chrome too it is same.

We tried login manually but still it is redirected to Login Page .

Pega version what we are using is 7.3

Do we need to change anything in Web proxy side ? web.xml other than x forwarded host setting ?

If any one faced the similar issue request you to help .

Please reply to this .

Thanks

2

If any one came across the same. Please help.

3

@MAMATHAP did you already try the suggestions from other posts?

The error you describe appears to e an error response from your iDP provider

In past support incidents we have seen occasions where clients needed to add RequestedAuthnContext element by setting the values of the pyAuthenticationContext property

ie
IDP is requiring extra parametesr when using HTTP-POST method for the AuthnRequest.

For example:

Extra parameters can be added to the following HTML Rule:

Data-Admin-Security-SSO-SAML.pyPostAuthenticationRequest

Note: Since your browser does not support JavaScript, you must press the Continue button once to proceed.

" method="post"> 
<div>

             <input type="hidden" readonly name="<PARAM_NAME>" value="<PARAM_VALUE>"/>

                  <input type="hidden" readonly name="RelayState" value="<%=StringUtils.urlCrossScriptingFilter(tools.getParamValue("RelayState"))%>"/>                

                           <input type="hidden" readonly name="SAMLRequest" value="<%=StringUtils.urlCrossScriptingFilter(tools.getParamValue("Base64EncodedSAMLAuthnRequest"))%>"/>

            </div>

            <noscript>

            <div>

            <input type="submit" value="Continue"/>

               </div>

            </noscript> 

      </form>           

    </body>

</html>

Could you go through the below document?

https://community.pega.com/sites/default/files/help_v82/procomhelpmain.htm#data-/data-admin-/data-admin-authservice/saml-configuring-a-saml-sso-authentication-service-tsk.htm

I would also suggest you check the available articles here:

https://community.pega.com/search/archive?q=idp%20SSO

4

@MarijeSchillern Hi Thanks for replying to my post.

My Pega version is 7.3

The error which I am getting is the one we are sending as response .This is set from the SAML Assertion OOTB Activity . This I could find from the logs .But to IDP Pega login screen is displayed not portal .

I have gone through those documents before.

ie IDP is requiring extra parametesr when using HTTP-POST method for the AuthnRequest.

This parameter should be set from IDP? . IDP is AAD in our case can they set it from their side ?

What does that parameter do from pega ? Please elaborate .

Thanks

Mamatha

5

@MAMATHAP this type of issue will need a more in-depth investigation.

Please can you log a support INC so that our support team can help you troubleshoot the problem? When you log the ticket please be sure to provide:

  • the full configuration screenshots of the users, configuration files and activity parameters involved.

  • details when the authentication service last worked correctly and any changes

  • the full pega and network logs when tracing the issue.

Please provide me with the incident number once you have logged it so that we can help track it.

6

@MarijeSchillern Hi ,

When I checked the logs -I found the Authentication activity is causing PEGA0001 alert .

HTTP interaction has exceeded the elapsed time alert threshold of 1000 ms: 2165 ms .

Any idea how to fix this ?

7

@MAMATHAP This type of troubleshooting for a specific application configuration problem goes beyond discussions on this forum.

Please can you log a support ticket for this and give us the INC id?

8

@MAMATHAP our support team will take it from here, thanks.

9

@MAMATHAP ticket INC-210135 had to be closed as the support engineer had no more response from you.

If you do need further help, please log a new support incident, and make sure that you add the SAML tracer to chrome which was available in the chrome web store.

After adding it start the saml tracer and try to reproduce the issue and share us the saml tracer file.

10

@MarijeSchillern Hi I have created an SR ticket from friends id as I don’t have access .

Please find the ticket ID INC-210135 .

Thanks

Mamatha