We are implementing SSO Authentication using OpenAM as SAML SP. In the SAML response they are sending the emailaddress attribute.
If the operator ID exists with the email address, we are able to log in; otherwise we get "unable to process the SAML WebSSO request: Unable to derive operator from SAML assertion". For example, if the operator ID is created as [email protected], it authenticates.
We unchecked "Enable operator provisioning using model operator", as we are not creating operators on the fly.
@AbhilashK2788 To map the email address attribute from the SAML response to the Pega Platform operator ID, follow these steps:
Open the authentication service in Dev Studio by clicking Records > SysAdmin > Authentication Service and choosing a service from the instance list. On the SAML 2.0 tab, navigate to the Operator identification section.
Make sure the attribute name in the SAML response matches the one specified in the authentication service configuration. If the operator ID does not exist and you have disabled operator provisioning, Pega Platform will not create operators on the fly, and you may encounter the error you mentioned. Ensure that the operator IDs in Pega Platform match the email addresses sent in the SAML response.
This answer came from a Pega gen-AI assistant using the references below.
As a Support Center moderator, I reviewed the answer and references for accuracy.
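To make the operator identification step above concrete, here is an added example (not Pega's or OpenAM's code) that pulls the configured attribute out of a SAML 2.0 attribute statement and looks it up against an operator table; the assertion XML, the operator table and the `derive_operator` helper are all constructed for this illustration, and the exact, case-sensitive match is an assumption, not a statement about how Pega normalises IDs.

```python
"""Constructed example: derive an operator ID from a SAML 2.0 assertion's
AttributeStatement, as an SP-side lookup must before a user can be logged in.
Signature validation of the response is assumed to have already happened."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the IdP sends the email under the attribute name
# "emailaddress", as in the question. The address is a made-up sample.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>user-123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed operator table keyed by operator ID (an email address here,
# matching how the operators in the question were created).
OPERATORS = {"jane.doe@example.com": {"access_group": "MyApp:Users"}}


def extract_attribute(assertion_xml, attribute_name):
    """Return the first value of the named SAML attribute, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def derive_operator(assertion_xml, attribute_name, operators, provisioning_enabled=False):
    """Map the configured attribute to an existing operator.

    Returns (operator_id, None) on success or (None, reason) on failure; the two
    failure reasons are the cases behind an 'Unable to derive operator' error:
    the attribute name in the service config does not match the assertion, or
    no operator with that ID exists and provisioning is switched off.
    Exact, case-sensitive matching is an assumption of this example."""
    value = extract_attribute(assertion_xml, attribute_name)
    if value is None:
        return None, f"attribute '{attribute_name}' not present in assertion"
    if value in operators:
        return value, None
    if provisioning_enabled:
        # Hypothetical stand-in for 'provision from model operator'.
        operators[value] = {"access_group": "copied-from-model-operator"}
        return value, None
    return None, f"no operator with ID '{value}' and provisioning is disabled"
```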
In the SingleSignon Authentication Service, please verify that all the mapping configurations are given correctly. Also make sure the ModelOperator is passed within double quotes in the Operator Identification section of SAML 2.0. See the attachment below.