GRS (=D_Env.URL) don’t seem to work in Pega 8.5.1 when applied at SAML Auth Services. Data page and data transform are part of the unauthenticated ruleset. Data page can be executed and delivers correct values - tested through a pre-auth activity and logging.
It looks like the SAML response validation does not resolve/expand the GRS references. Error message:
“Unable to process the SAML WebSSO request : Caught Exception while validating SAML2 Authentication response for SSO profile : Recipient https://example.com/prweb/PRRestService/WebSSO/SAML/v2/AssertionConsumerService does not match assertion consumer URL”
GRS works for the “Entity Identification” field using an existing value like “=pxRequestor.pxReqServer”, but not with a data page reference.
Can somebody confirm the observation? If so, when will it be fixed?
@desad1 Yes, as stated above, the rules are in an unauthenticated ruleset. And through a pre-auth activity I am able to log data page content during SAML login attempts.
To me it looks like the “=D_Env.URL” Syntax is not being evaluated during all steps of SAML; namely the SAML response verification seems to see a different value. Unfortunately the error log message tells us what it expected to see but not what it actually found
Ok, found the problem. We are using a custom unauthenticated access group where the unauthenticated ruleset is anchored. SAML uses a couple of web services and a service package WEBSSO for authorization and scaling underneath. There, PRPC:Unauthenticated is set. Changing it to our custom access group solved the problem.
