When trying to access Pega with OIDC, getting an error - AADSTS900971: No reply address provided.

I have configured an OpenID Connect (OIDC) authentication service and successfully imported the metadata. The service provider utilized is Microsoft Entra ID. The redirect URI has been correctly updated in the Entra ID configuration. However, upon attempting to log in, I encounter the following error: AADSTS900971: No reply address provided.

We are at Pega Infinity 8.8.3.

Error in logs:

2025-03-10 23:40:42,313 [sse-nio-8081-exec-73] ( web.impl.WebStandardImpl) ERROR - 10.37.50.131: Encountered error while processing request: com.pega.pegarules.priv.web.HTTPOperationException: 403
com.pega.pegarules.priv.web.HTTPOperationException: 403
at com.pega.pegarules.web.impl.HttpUtilities.validateForHostHeader(HttpUtilities.java:306) ~[prwebj2ee.jar:?]
at com.pega.pegarules.web.impl.HttpUtilities.extractRequest(HttpUtilities.java:163) ~[prwebj2ee.jar:?]
at com.pega.pegarules.web.impl.WebStandardImpl.makeEtierRequest(WebStandardImpl.java:725) ~[prwebj2ee.jar:?]
at com.pega.pegarules.web.impl.WebStandardImpl.doPostInner(WebStandardImpl.java:435) ~[prwebj2ee.jar:?]
at sun.reflect.GeneratedMethodAccessor522.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_442]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_442]
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(PRBootstrap.java:388) ~[prbootstrap-8.7.4-648.jar:8.7.4-648]
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(PRBootstrap.java:430) ~[prbootstrap-8.7.4-648.jar:8.7.4-648]
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(AppServerBridgeToPega.java:225) ~[prbootstrap-api-8.7.4-648.jar:8.7.4-648]
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(AppServerBridgeToPega.java:274) ~[prbootstrap-api-8.7.4-648.jar:8.7.4-648]
at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doPost(WebStandardBoot.java:164) ~[prbootstrap-api-8.7.4-648.jar:8.7.4-648]
at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doGet(WebStandardBoot.java:121) ~[prbootstrap-api-8.7.4-648.jar:8.7.4-648]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:529) ~[servlet-api.jar:4.0.FR]
at com.pega.pegarules.internal.web.servlet.WebStandardBoot.service(WebStandardBoot.java:191) ~[prbootstrap-api-8.7.4-648.jar:8.7.4-648]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:623) ~[servlet-api.jar:4.0.FR]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199) ~[catalina.jar:9.0.98]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.98]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-websocket.jar:9.0.98]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168) ~[catalina.jar:9.0.98]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.98]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[catalina.jar:9.0.98]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:9.0.98]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[catalina.jar:9.0.98]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[catalina.jar:9.0.98]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:9.0.98]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660) ~[catalina.jar:9.0.98]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.98]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[catalina.jar:9.0.98]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:396) ~[tomcat-coyote.jar:9.0.98]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:9.0.98]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:937) ~[tomcat-coyote.jar:9.0.98]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) ~[tomcat-coyote.jar:9.0.98]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:9.0.98]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat-util.jar:9.0.98]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:9.0.98]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-util.jar:9.0.98]
at java.lang.Thread.run(Thread.java:750) ~[?:1.8.0_442]

@Anandi Warning: This is a GenAI-powered tool answer. All generated answers require validation against the provided references.

The error “AADSTS900971: No reply address provided” typically indicates a configuration mismatch between your Pega Infinity application and Microsoft Entra ID application registration related to the redirect URI.

Based on the error details and logs you’ve shared, here are the most likely causes and solutions:

Root Cause

The “AADSTS900971: No reply address provided” error occurs when Microsoft Entra ID cannot find an appropriate registered redirect URI (reply address) to send the authentication response to. Even though you mentioned that you’ve updated the redirect URI in Entra ID configuration, there might be a mismatch or issue with how it’s registered.

Recommended Solutions

  1. Verify Exact Redirect URI Format:
    • In your Pega OIDC configuration, identify the exact callback/redirect URI being used
    • The standard format should be something like: https://[your-pega-domain]/prweb/PRRestService/oauth2/callback
    • Make sure this exact URL is registered in Microsoft Entra ID application registration
  2. Check Microsoft Entra ID App Registration:
    • Log in to the Microsoft Entra ID portal
    • Go to App Registrations and select your application
    • Navigate to the Authentication tab
    • Verify that all necessary redirect URIs are added properly
    • Ensure there are no typos, especially with protocol (http vs https), trailing slashes, or port numbers
  3. Review Authentication Flow Configuration:
    • In Pega, verify that the authentication flow is set to “Authorization Code Flow”
    • Confirm that the Client ID and Client Secret in Pega match exactly with Microsoft Entra ID
    • Check that the scope includes “openid” and any other required scopes
  4. Check Pega OIDC Authentication Service Configuration:
    • In Dev Studio, navigate to Records > SysAdmin > Authentication Service
    • Open your OIDC authentication service
    • On the OpenID Connect tab, verify:
      • The correct Application/Client ID is specified
      • The redirect URI matches what’s registered in Microsoft Entra ID
      • The metadata URL is correct and accessible
  5. Examine Reply URL Configuration in Microsoft Entra ID:
    • Make sure you’ve added ALL possible reply URLs that Pega might use
    • For testing, you could temporarily add a wildcard redirect URI (not recommended for production)
    • Double-check that the authentication type matches the redirect URI configuration

Additional Troubleshooting Steps

If the above solutions don’t resolve the issue, try these additional steps:

  1. Enable Detailed Logging:
    • In Dev Studio, go to Configure > System > Operations > Logs
    • Set “PRAuth” and “OAuth2” components to DEBUG level
    • Attempt authentication again and examine the logs for more detailed information
  2. Verify Metadata Import:
    • Re-import the OpenID Connect metadata from Microsoft Entra ID
    • Ensure that the metadata correctly includes all necessary endpoints
  3. Check for Proxy or Network Issues:
    • If your Pega environment is behind a proxy, ensure proper configuration
    • Verify that all necessary endpoints are accessible from your Pega environment

Next Steps

If you continue to experience issues after trying these solutions, please log a ticket via the MSP and in your ticket provide:

  1. Screenshots of your OIDC configuration in Pega (with sensitive information redacted)
  2. Screenshots of your Microsoft Entra ID app registration’s authentication settings
  3. More detailed logs with the OAuth2 and PRAuth components set to DEBUG level

References:
[1] Microsoft Entra Authentication Error Codes
[2] Redirect URI Best Practices in Microsoft Entra ID
[3] Troubleshooting OpenID Connect Integrations in Pega
[4] OpenID Connect on the Microsoft Identity Platform

@MarijeSchillern What is the configuration I need to do by step 1? I am not clear there. All other steps I have performed similarly.

@Anandi Here is our GenAI reply - please check the References carefully:

In step 1, I mentioned “Verify Exact Redirect URI Format,” which is crucial for resolving the “AADSTS900971: No reply address provided” error. Here’s exactly what you need to do:

Finding Your Pega Redirect URI

  1. Log in to Dev Studio in your Pega instance.
  2. Navigate to the Authentication Service:
    • Go to the navigation menu
    • Select “Users” > “Single sign-on (SSO)”
    • Find your OIDC authentication service in the list and click to open it
  3. Locate the Redirect URI:
    • Once in the authentication service details, look for the “Redirect URI” field
    • The standard format should be: https://[your-pega-domain]/prweb/PRRestService/oauth2/callback
    • Copy this exact URI - it must be used precisely as shown

Configuring This URI in Microsoft Entra ID

  1. Log in to the Microsoft Entra ID portal (formerly Azure AD)
  2. Navigate to App Registrations:
    • Find and select your application registration for Pega
  3. Update the Redirect URI:
    • Go to the “Authentication” tab
    • Under “Redirect URIs,” click “Add URI” if it’s not already added, or verify the existing one
    • Paste the exact Redirect URI you copied from Pega (including the correct protocol, domain, path, and no trailing slashes)
    • Save your changes

The error “AADSTS900971: No reply address provided” specifically indicates that Microsoft Entra ID cannot find a matching redirect URI for the authentication request. This could be because:

  • The URI is not registered in Entra ID
  • There’s a mismatch between what’s configured in Pega and what’s in Entra ID (even small differences like trailing slashes or http vs https can cause this)
  • The URI format is incorrect

Ensuring an exact match between the Pega redirect URI and what’s registered in Microsoft Entra ID should resolve this error.

References:
[1] OpenID Connect Core 1.0 Specification
[2] Microsoft Entra ID Authentication Error Codes
[3] Redirect URI Best Practices in Microsoft Entra ID
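Both replies above (step 1 "Verify Exact Redirect URI Format" in the first, and the "exact match" explanation in the second) rest on the same rule: the identity provider compares the redirect_uri in the request with the registered reply URLs as literal strings. The following is an added illustration of that rule, not code from Pega or Microsoft; the domain, port and URIs are constructed sample values, and it reports which component (scheme, host, port, path) makes a registered URI fail to match.

```python
from urllib.parse import urlsplit

# Constructed sample values for illustration only (not from the original thread).
PEGA_REDIRECT_URI = "https://pega.example.com/prweb/PRRestService/oauth2/callback"
ENTRA_REGISTERED_URIS = [
    "http://pega.example.com/prweb/PRRestService/oauth2/callback",        # wrong scheme
    "https://pega.example.com/prweb/PRRestService/oauth2/callback/",      # trailing slash
    "https://pega.example.com:8443/prweb/PRRestService/oauth2/callback",  # explicit port
]


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact string comparison, as OAuth 2.0 (RFC 6749 section 3.1.2) and
    OIDC Core (section 3.1.2.1) require for redirect_uri. No normalisation is
    applied on purpose: the authorization server compares literal strings."""
    return registered == requested


def explain_mismatch(registered: str, requested: str) -> list:
    """Name the URI components that differ, so an administrator can see why the
    identity provider could not find a matching reply address."""
    a, b = urlsplit(registered), urlsplit(requested)
    reasons = []
    if a.scheme != b.scheme:
        reasons.append(f"scheme: {a.scheme!r} vs {b.scheme!r}")
    if a.hostname != b.hostname:
        reasons.append(f"host: {a.hostname!r} vs {b.hostname!r}")
    if a.port != b.port:
        reasons.append(f"port: {a.port!r} vs {b.port!r}")
    if a.path != b.path:
        reasons.append(f"path: {a.path!r} vs {b.path!r}")
    if a.query != b.query:
        reasons.append(f"query: {a.query!r} vs {b.query!r}")
    if not reasons and registered != requested:
        # urlsplit lower-cases scheme and host, so anything left is a case or fragment difference
        reasons.append("case or fragment difference")
    return reasons


def find_matching_uri(registered_uris, requested):
    """Return the registered URI that matches exactly, or None when no reply
    address matches (the situation behind an error like AADSTS900971)."""
    for uri in registered_uris:
        if redirect_uri_matches(uri, requested):
            return uri
    return None


def diagnose(registered_uris, requested):
    """Map each registered URI to its list of differences (empty list means it matches)."""
    return {uri: explain_mismatch(uri, requested) for uri in registered_uris}
```

Running `diagnose(ENTRA_REGISTERED_URIS, PEGA_REDIRECT_URI)` on the constructed values shows one reason per registered URI (scheme, path, port), which is the same checklist the replies give; a wildcard registration would hide these differences, which is why it should stay out of production.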