Open ID Connect - Unable to derive claim for operator establishment

I am working on an open id integration and currently failing with the following error.

“Unable to execute OIDC flow : Unable to derive claim "email" from id token for operator establishment”

Verified the JWT token returned and it has all the claims that I was expecting, but it is still failing with this error. Not sure how to fix this.

Please find the logs for reference.

2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Initiating OIDC flow  
2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Constructing authorization URL for OIDC provider  
2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  -  reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth/app/default 
2024-08-08 13:00:11,697 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[0] = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[1] = default 
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantHash =  
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:11,698 [p-nio2-8080-exec-100] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Constructed authorization URL for OIDC provider : https://amf-adfs.ciz.nl/adfs/oauth2/authorize/?redirect_uri=https%3A%2F%2Fdev.medewerker.ciz.nl%2Fprweb%2FPRAuth&client_id=3ceadb5c-481e-4e73-9347-96bff086f389&scope=openid email profile&state=0523b14fad4ce5a05a8e90f657eeea7174a8a3e6466a6b8b306ee38dab44ec75_app/default&nonce=f3cf5d1bbe1fd19049a158f8c68dba94bb28ba489f7603edb40af0f5236ae2b2&response_type=code 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantid hash = shared 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - authServiceName =  ADFS 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - mapKey = <<PRAuth: ADFSshared:PRAuth>> 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Creating new SchemePRAuth instance for ADFS 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service alias set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,096 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service type set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantid hash = shared 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - authServiceName =  ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - mapKey = <<PRAuth: ADFSshared:PRAuth>> 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Creating new SchemePRAuth instance for ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service alias set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,097 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Auth service type set from SchemePRAuth constructor : ADFS 
2024-08-08 13:00:12,098 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (mt.authentication.SchemePRAuth) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  -  Printing auth service page <?xml version="1.0"?> 
 
<pagedata> 
<pyBindDN/> 
<pxUpdateSystemID>pega-dev</pxUpdateSystemID> 
<pyClassName/> 
<pxUpdateDateTime>20240807T160941.413 GMT</pxUpdateDateTime> 
<pyUseBasicAuthTimeout>false</pyUseBasicAuthTimeout> 
<pxMoveImportOperName/> 
<pyLoginURL>https://dev.medewerker.ciz.nl/prweb/PRAuth/ADFS</pyLoginURL> 
<pyUseSSL>false</pyUseSSL> 
<pyRedirectURL/> 
<pySSLProtocol>SSL</pySSLProtocol> 
<pyUsage>Used in  Care Provider portal Login</pyUsage> 
<pxInstanceCreatedVersion>7.4</pxInstanceCreatedVersion> 
<pyModelOperator>"ModalOperatorCIZ"</pyModelOperator> 
<pyUsePegaCredentials>false</pyUsePegaCredentials> 
<pyTimeoutStream/> 
<pyPreAuthenticationActivity/> 
<pxCreateDateTime>20240807T103340.189 GMT</pxCreateDateTime> 
<pyEnableAuthService>true</pyEnableAuthService> 
<pyUseTimeoutWarningDialog/> 
<pyRuleSet/> 
<pyChallengeStream/> 
<pyBindPW/> 
<pyTrustStore/> 
<pyPreLoginScreenImage/> 
<pxInsName>ADFS</pxInsName> 
<pxSaveDateTime>20240807T160941.417 GMT</pxSaveDateTime> 
<pyFormPost/> 
<pyIsTagged>true</pyIsTagged> 
<pyPostAuthenticationActivity/> 
<pyTimeoutWarning/> 
<pzInsKey>DATA-ADMIN-AUTHSERVICE ADFS</pzInsKey> 
<pyInitialContextFactory/> 
<pyTemplate/> 
<pyOperatorDataTransform/> 
<pyFailStream/> 
<pyUseBasicAuthChallenge>false</pyUseBasicAuthChallenge> 
<pyProviderURL/> 
<pyAuthServiceAlias>ADFS</pyAuthServiceAlias> 
<pyUserNameAttribute/> 
<pyReloadForm>true</pyReloadForm> 
<pySPRuleSetName/> 
<pyAuthenticationServiceType>OIDC</pyAuthenticationServiceType> 
<pxInsId/> 
<pyInitialChallengeStream/> 
<pyTimeoutActivity/> 
<pyOpIsInNonPegaDB>false</pyOpIsInNonPegaDB> 
<pyRuleSetVersion/> 
<pyExternalTimeout/> 
<pyKeystore/> 
<pySearchFilter/> 
<pxUpdateOpName>Rakesh Vadlamuri</pxUpdateOpName> 
<pyWindowTitle/> 
<pxUpdateOperator>[email protected]</pxUpdateOperator> 
<pySSLProtocolVersion>TLSv1.2</pySSLProtocolVersion> 
<pxMoveFromSystem/> 
<pyName>ADFS</pyName> 
<pyAuthenticationActivity/> 
<pySupportsPegaTimeout>false</pySupportsPegaTimeout> 
<pyOrgDivision/> 
<pyDescription>ADFS Open ID Connect Authentication Service</pyDescription> 
<pyOrganization/> 
<pxMoveImportOperId/> 
<pyEnableOperatorProvisioning>true</pyEnableOperatorProvisioning> 
<pyOperatorProvisioningType>ModelOperator</pyOperatorProvisioningType> 
<pxMoveImportDateTime/> 
<pxObjClass>Data-Admin-AuthService</pxObjClass> 
<pyTemplateInputBox/> 
<pxCreateOperator>[email protected]</pxCreateOperator> 
<pyDirectoryContext/> 
<pyOrgUnit/> 
<pxCreateSystemID>pega-dev</pxCreateSystemID> 
<pxLimitedAccess>Dev</pxLimitedAccess> 
<pyVerifyOpInNonPegaDB/> 
<pzOriginalInstanceKey>DATA-ADMIN-AUTHSERVICE ADFS</pzOriginalInstanceKey> 
<pyLabel>ADFS /prweb/PRAuth</pyLabel> 
<pxCreateOpName>Rakesh Vadlamuri</pxCreateOpName> 
<pyStreamName/> 
<pyRuleSetName>WLZWZDDev</pyRuleSetName> 
<pxWarnings REPEATINGTYPE="PageList"/> 
<pyOpenIDConnect> 
<pyStatusMessage>OK</pyStatusMessage> 
<pySAMLAttrList/> 
<pyIsImportMetadataSuccess>true</pyIsImportMetadataSuccess> 
<pyUserInfoEndpoint>https://amf-adfs.ciz.nl/adfs/userinfo</pyUserInfoEndpoint> 
<pyOIDCProviderMetadataJSONString>{"issuer":"https:\/\/amf-adfs.ciz.nl\/adfs","authorization_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/authorize\/","token_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/token\/","jwks_uri":"https:\/\/amf-adfs.ciz.nl\/adfs\/discovery\/keys","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","windows_client_authentication"],"response_types_supported":["code","id_token","code id_token","id_token token","code token","code id_token token"],"response_modes_supported":["query","fragment","form_post"],"grant_types_supported":["authorization_code","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","implicit","password","srv_challenge","urn:ietf:params:oauth:grant-type:device_code","device_code"],"subject_types_supported":["pairwise"],"scopes_supported":["logon_cert","openid","allatclaims","winhello_cert","user_impersonation","email","profile","aza","vpn_cert"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"access_token_issuer":"http:\/\/amf-adfs.ciz.nl\/adfs\/services\/trust","claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash","c_hash","sub","upn","unique_name","pwd_url","pwd_exp","mfa_auth_time","sid","nbf"],"microsoft_multi_refresh_token":true,"userinfo_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/userinfo","capabilities":["kdf_ver2"],"end_session_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/logout","as_access_token_token_binding_supported":true,"as_refresh_token_token_binding_supported":true,"resource_access_token_token_binding_supported":true,"op_id_token_token_binding_supported":true,"rp_id_token_token_binding_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"device_authorization_endpoint":"https:\/\/amf-adfs.ciz.nl\/adfs\/oauth2\/devicecode"}</pyOIDCProviderMetadataJSONString> 
<pyLogoutEndpoint/> 
<pyIssuer>https://amf-adfs.ciz.nl/adfs</pyIssuer> 
<pxObjClass>Data-Admin-Security-SSO-OIDC</pxObjClass> 
<pyTemplateInputBox/> 
<pyMetadataSourceType>URL</pyMetadataSourceType> 
<pyMetadataSourceLocation>https://amf-adfs.ciz.nl/adfs/.well-known/openid-configuration</pyMetadataSourceLocation> 
<pyValue/> 
<pyMapOperatorFromClaim>{email}</pyMapOperatorFromClaim> 
<pyHTTPResponseCode>200</pyHTTPResponseCode> 
<pyStatusValue>Good</pyStatusValue> 
<pySignatureTruststore>KS_ADFS_1598_OIDCCertStore</pySignatureTruststore> 
<pyUserInfoParams REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyUserInfoParams> 
<pyExpressionGadget> 
<pxObjClass>PegaGadget-ExpressionBuilder</pxObjClass> 
<pyTemplateInputBox/> 
<pyShowCustomPages>true</pyShowCustomPages> 
<pyShowLocalVariables>false</pyShowLocalVariables> 
<pyShowParameters>true</pyShowParameters> 
<pyEditable>false</pyEditable> 
<pyIsLaunchAsOverlay>false</pyIsLaunchAsOverlay> 
<pyExpressionMapNew REPEATINGTYPE="PropertyGroup"> 
</pyExpressionMapNew> 
</pyExpressionGadget> 
<pyScopeList REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>openid</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="2"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>email</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="3"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>profile</pyValue> 
</rowdata> 
</pyScopeList> 
<pyProviderInfo> 
<pxObjClass>Data-Admin-Security-OAuth2-Provider</pxObjClass> 
<pyUsePropertyRef/> 
<pySendClientCredentialsAs>PostBody</pySendClientCredentialsAs> 
<pyClientJwtGenerationProfile/> 
<pyClientAuthenticationScheme>pyClientSecret</pyClientAuthenticationScheme> 
<pyPrivateKeyJwtPropType>useJwtGenProf</pyPrivateKeyJwtPropType> 
<pySendAccessTokenAs>AuthorizationHeader</pySendAccessTokenAs> 
</pyProviderInfo> 
<pyLogoutEndpointParams REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyLogoutEndpointParams> 
<pyClientInfo> 
<pxObjClass>Data-Admin-Security-OAuth2-Client</pxObjClass> 
<pyAuthCodeURL>https://amf-adfs.ciz.nl/adfs/oauth2/authorize/</pyAuthCodeURL> 
<pyClientID>3ceadb5c-481e-4e73-9347-96bff086f389</pyClientID> 
<pyClientSecret>	{in}1cmAGcdMEdCs5bC8APnNSb5sjljTw1twykFO3j1zwhbcMmYRpSwIX5PASKIiK/eZ</pyClientSecret> 
<pyTokenRevocationURL/> 
<pyAccessTokenURL>https://amf-adfs.ciz.nl/adfs/oauth2/token/</pyAccessTokenURL> 
<pyGrantType>Authorization code</pyGrantType> 
<pyRedirectURL>https://dev.medewerker.ciz.nl/prweb/PRAuth</pyRedirectURL> 
<pyAccessTokenParameters REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyAccessTokenParameters> 
<pyAuthorizationCodeParameters REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-InterfaceParameter</pxObjClass> 
</rowdata> 
</pyAuthorizationCodeParameters> 
</pyClientInfo> 
<pyViewScopeList REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>logon_cert</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="2"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>openid</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="3"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>allatclaims</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="4"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>winhello_cert</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="5"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>user_impersonation</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="6"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>email</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="7"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>profile</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="8"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>aza</pyValue> 
</rowdata> 
<rowdata REPEATINGINDEX="9"> 
<pxObjClass>SingleValue-Text</pxObjClass> 
<pyValue>vpn_cert</pyValue> 
</rowdata> 
</pyViewScopeList> 
<pxWarningsToDisplay REPEATINGTYPE="PageList"/> 
</pyOpenIDConnect> 
<pySecurityPolicies REPEATINGTYPE="PageList"/> 
<pyPropertyMappings REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-ExtAttributeMapping</pxObjClass> 
<pyExternalAttributeName/> 
<pyPropertyName/> 
</rowdata> 
</pyPropertyMappings> 
<pyExpressionGadget> 
<pxObjClass>PegaGadget-ExpressionBuilder</pxObjClass> 
<pyTemplateInputBox/> 
<pyShowCustomPages>true</pyShowCustomPages> 
<pyShowLocalVariables>false</pyShowLocalVariables> 
<pyShowParameters>true</pyShowParameters> 
<pyEditable>false</pyEditable> 
<pyIsLaunchAsOverlay>false</pyIsLaunchAsOverlay> 
<pyExpressionMapNew REPEATINGTYPE="PropertyGroup"> 
</pyExpressionMapNew> 
</pyExpressionGadget> 
<pyPagesAndClasses REPEATINGTYPE="PageList"> 
<rowdata REPEATINGINDEX="1"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Code-Pega-Requestor</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>pxRequestor</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="2"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-ID</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>OperatorID</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="3"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-Attributes</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>D_pyOperatorAttributes</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="4"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-Device</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>D_pyOperatorDeviceInformation</pyPagesAndClassesPage> 
</rowdata> 
<rowdata REPEATINGINDEX="5"> 
<pxObjClass>Embed-PagesAndClasses</pxObjClass> 
<pyPagesAndClassesClass>Data-Admin-Operator-Attributes</pyPagesAndClassesClass> 
<pyPagesAndClassesPage>D_pyUserInfoClaims</pyPagesAndClassesPage> 
</rowdata> 
</pyPagesAndClasses> 
<pySAMLWebSSO> 
<pxObjClass>Data-Admin-Security-SSO-SAML</pxObjClass> 
<pyUseIndexToggle>Location</pyUseIndexToggle> 
</pySAMLWebSSO> 
</pagedata> 
 
2024-08-08 13:00:12,098 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Processing authorization code recieved from OIDC provider  
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  -  reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth/app/default 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[0] = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextUriTokens[1] = default 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - tenantHash =  
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - reqContextURI = https://dev.medewerker.ciz.nl/prweb/PRAuth 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - StateParam Validation is successful 
2024-08-08 13:00:12,100 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Fetching access token using authCode received  
2024-08-08 13:00:12,194 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Successfully fetched accesss token and ID token using authCode  
2024-08-08 13:00:12,195 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Validating ID token received from access token end point eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkRyV3d5dDJxTm5GRGNWXzNlbWd3SWNFalNWSSIsImtpZCI6IkRyV3d5dDJxTm5GRGNWXzNlbWd3SWNFalNWSSJ9.[payload and signature elided]
2024-08-08 13:00:12,195 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (h.oidc.NimbusOIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - JWT is Signed 
2024-08-08 13:00:12,195 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (h.oidc.NimbusOIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Truststore picked is KS_ADFS_1598_OIDCCertStore 
2024-08-08 13:00:12,243 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Succesfully validated ID token with standard claims  
2024-08-08 13:00:12,244 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Retrieving userInfo claims from user info Endpoint  
2024-08-08 13:00:12,315 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) DEBUG dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Fetch operator from claim {email} from received ID token claims 
2024-08-08 13:00:12,315 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (   auth.oidc.OIDCClientHandler) ERROR dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - Exception is thrown for OIDC flow com.pega.pegarules.pub.PRRuntimeException: Unable to derive claim "email" from id token for operator establishment 
2024-08-08 13:00:12,315 [p-nio2-8080-exec-103] [  STANDARD] [                    ] [6T130751255:01.01.01] (ernal.mgmt.SecurityEventLogger) INFO  dev.medewerker.ciz.nl|10.243.0.26:51364 H4XAQK0UD0DOC9RIBQTUSNOBEUCWIVB5EA  - {"appName":"CIZAuth_20230106T130751255","eventCategory":"Authentication event","eventType":"Login","id":"a44fad58-6056-4f24-8889-435ba7ff1022","ipAddress":"10.243.0.26:51364","message":"Open ID ConnectConnect Flow failed, AuthService : ADFS, ErrorMessage : Unable to derive claim \"email\" from id token for operator establishment","nodeID":"pega-dev-web-5567cd48-xfdzf","outcome":"Failure","tenantID":"shared","timeStamp":"Thu 2024 Aug 08, 13:00:12:315"} 

@rvadlamuri please log a support incident via the msp and let us know the INC id here so we can help track it.

@MarijeSchillern We are facing the same blocking issue. Do you have any tips to solve this?

I searched and found that the original poster logged INC-B33050 with our support team. That ticket was closed with the following investigation summary:

Description:

I am getting a value list in claims and I used to find the corresponding access group to the value list roles and update the operator record. I need a post-authentication activity where I should access these claims. I believe I need the D_pyUserInfoClaims data page to get these claims for my logic. Is there another way to solve this?

Solution type description:

Configuration of the Userinfo endpoint was causing the issue: not all the claims that are part of the token were available.

From the historical cases, when the Userinfo endpoint is configured it seems that not all the claims that are part of the token are available to be used according to the requirements.

Once this config is removed, all the claims are available.

A follow-on ticket INC-B34571 was logged to resolve the below:

Description:

I am getting a value list in claims and I used to find the corresponding access group to the value list roles and update the operator record. I need a post-authentication activity where I should access these claims. I believe I need the D_pyUserInfoClaims data page to get these claims for my logic. Please correct me if I am wrong and if there is another way to solve this problem.

Solution description:

Suggested that the client use D_pzSSOAttributes as an alternative to D_pyUserInfoClaims, since the D_pzSSOAttributes data page should contain the claims information that could be used in the post-authentication activity.
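The log in the original post shows the operator being derived from the template {email} against the ID-token claims, while the printed discovery metadata advertises no "email" in claims_supported (only sub, upn and unique_name identify the user), and the ticket summary above points at the userinfo configuration as the reason claims went missing. The following is an added offline diagnostic, not Pega's code or anything posted in this thread: it expands a {claim} template the way such a mapping does and reports which claim source could satisfy it. The issuer URL, client id, claim values and the userinfo response are constructed sample data.

```python
import base64
import json
import re

# {claim} placeholders, as in the post's "Map operator ID from claim" value "{email}"
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.:-]+)\}")
# Claims that exist to validate the token rather than to identify the user
VALIDATION_CLAIMS = {"iss", "aud", "exp", "iat", "nbf", "nonce", "at_hash", "c_hash", "auth_time", "azp"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS as a dict.
    No signature check here: the RP validated the token already (the post's log
    shows that step succeeding); this only inspects which claims it carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_template(template: str, claims: dict):
    """Expand {claim} placeholders from `claims`.
    Returns (value, missing); value is None if any placeholder is absent or empty."""
    missing = [n for n in PLACEHOLDER.findall(template) if not claims.get(n)]
    if missing:
        return None, missing
    return PLACEHOLDER.sub(lambda m: str(claims[m.group(1)]), template), []


def diagnose(template: str, metadata: dict, id_token: str, userinfo: dict = None) -> dict:
    """Explain why an operator-mapping template can or cannot be derived.
    The operator is taken from ID-token claims, so a claim that only the
    userinfo endpoint returns (or that the provider never issues) will not do."""
    id_claims = decode_jwt_claims(id_token)
    operator_id, missing = resolve_template(template, id_claims)
    advertised = set(metadata.get("claims_supported", []))
    return {
        "operator_id": operator_id,
        "missing_in_id_token": missing,
        "present_only_in_userinfo": [n for n in missing if (userinfo or {}).get(n)],
        "not_advertised_by_provider": [n for n in missing if n not in advertised],
        "identity_claims_in_id_token": sorted(k for k in id_claims if k not in VALIDATION_CLAIMS),
    }


# --- constructed sample data (not taken from the original post) -------------
# Metadata subset shaped like the printed discovery document: "email" is a
# supported scope, yet it is absent from claims_supported.
SAMPLE_METADATA = {
    "issuer": "https://idp.example.test/adfs",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["aud", "iss", "iat", "exp", "auth_time", "nonce",
                         "at_hash", "c_hash", "sub", "upn", "unique_name", "nbf"],
}


def make_sample_token(claims: dict) -> str:
    """Compact JWS with a placeholder signature, for offline use only."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.sig"


SAMPLE_ID_TOKEN = make_sample_token({
    "iss": "https://idp.example.test/adfs", "aud": "sample-client-id",
    "sub": "pairwise-123", "upn": "j.doe@example.test", "unique_name": "EXAMPLE\\jdoe",
    "exp": 1723122000, "iat": 1723118400, "nonce": "sample-nonce",
})
SAMPLE_USERINFO = {"sub": "pairwise-123"}  # constructed: userinfo returns only sub

if __name__ == "__main__":
    for tpl in ("{email}", "{upn}"):
        print(tpl, json.dumps(diagnose(tpl, SAMPLE_METADATA, SAMPLE_ID_TOKEN, SAMPLE_USERINFO), indent=2))
```

With the sample data, {email} yields no operator id and is flagged as not advertised by the provider, while {upn} resolves; run the same check against a real token and metadata to see which of the two situations you are in before changing the userinfo or mapping configuration.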

@BernardM7769 As this is an old post and not related to the original poster’s question, please log a support incident via the msp and let us know the INC id here so we can help track it.