Question

Invalid Division for Operator on accessing the SSO url

Hi Team, I am trying to implement SSO using SAML in Pega 8.2.1. I have configured the url in our identity. For the Operator identification, I tried both Name identifier in the subject and Attribute. But I am always getting the below error in the logs

2019-09-12 15:16:56,089 [      default task-3] [  STANDARD] [                    ] [         PE:01.01.01] (   internal.util.PRSAMLv2Utils) DEBUG dumlgapst01|10.13.146.169|RelayStateID: d5fb7bb1-6aca-4034-b3b3-e728c3b7cb50 :RelayStateID  - Converting SAML string received to SAML object 
2019-09-12 15:16:56,111 [      default task-3] [  STANDARD] [                    ] [         PE:01.01.01] (.authentication.Authentication) ERROR dumlgapst01|10.13.146.169  - Invalid Division for Operator:  
(.authentication.Authentication) ERROR dumlgapst01|10.13.146.169  - Invalid Division for Operator:  IT

***Moderator Edit-Vidyaranjan: Updated Platform Capability***

Correct Answer
September 17, 2019 - 9:15am

This issue has been resolved by using the NameID and model operator as reference "By Organization hierarchy". You don't need to provide any pre and post activities in latest versions. But in order to build the access groups from the roles returned from IdP, we need a post activity.

This loop can be closed.

Comments

September 12, 2019 - 4:43pm

This exception occurs after a lookup and the Division returned is null.

Does the "IT" division exist in Pega?

Is there any chance the operator has an existing record that can be deleted to change the behavior - as a debugging step at least?

September 13, 2019 - 11:41am
Response to PaulGentile_GCS

Hi Paul, It's not even reading the attribute parameter for the operator from SAML. I have chosen name and attribute, but it was unable to read the operator from saml. That's why in the log, it's giving the below message when I don't select "Enable operator provisioning using model operator".

Unable to process the SAML WebSSO request : Unable to derive operator from SAML assertion

If I select "Enable operator provisioning using model operator", then it's throwing the message

Invalid Division for Operator: IT 

Pega
September 13, 2019 - 1:13pm

Hi,

For this issue you need to get the SAMLResponse being sent to PRPC. You have debug on so you probably have the Base64 encoded value for the SAMLResponse in our logs, don't post it here please. You just need to decode that and then look at where the operator id reference really is, NameID or an attribute. You wouldn't use an attribute unless you know the attribute being used. 

--Chris
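The decoding step Chris describes, as an added Python example (not Pega code and not from this thread): base64-decode the captured SAMLResponse and list the NameID and every attribute, so you can see which field actually carries the operator id and what division value (the "IT" in the error above) the IdP is sending. The embedded response is a constructed sample, and the attribute names "division" and "roles" are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response / Assertion
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real IdP message): NameID plus two attributes.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">veera@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="division"><saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="roles">
        <saml:AttributeValue>PegaRULES:User4</saml:AttributeValue>
        <saml:AttributeValue>MyApp:Approver</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def decode_saml_response(b64: str) -> bytes:
    """Base64-decode a SAMLResponse. The POST binding carries plain base64;
    the Redirect binding DEFLATE-compresses the XML first, so inflate that."""
    raw = base64.b64decode(b64)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header


def extract_identity(b64: str) -> dict:
    """Return the NameID (value and Format) and every attribute in the assertion."""
    root = ET.fromstring(decode_saml_response(b64))  # use defusedxml for untrusted input
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }
```

Paste the Base64 value from the debug log in place of SAMPLE_B64 and compare the attribute names and the division value against the Operator identification settings in the SAML authentication service.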

September 13, 2019 - 3:14pm
Response to ChrisKoyl

Hi Chris, I traced the SAML response and all the attributes and NameID exist in the saml response. It's getting the operator from saml and a validation in Pega out-of-the-box code is throwing an error which says invalid division. I am just checking if anyone faced this issue and got a resolution.

I checked my org, div and unit rules and everything looks ok.

Thanks, 

Veera


Mod
September 17, 2019 - 9:43am
Response to VeeraKishoreS

Thank you! We have marked this post as Answered.

Lochana | Community Moderator | Pegasystems Inc.