Question

SAML authentication fails - how to trace?

Hi,

We're trying to set up SAML authentication for Pega 8.2 and so far we've managed to get the following working:

1. Using the Login URL displayed in the SAML 2.0 tab, we get redirected to the IDP
2. Login works fine in the IDP
3. When IDP redirects me to Pega again, I end up on the ordinary login page, where I am prompted with username and password. I haven't managed to see anything in the logs.

Can you help me on how to view the logs for this? Do I somehow need to activate ACS service in Pega or can I check that it's alive somehow? We have checked that the ACS address is the same in the IDP, but I don't get any error messages or anything so I don't know what's happening.

This is what is auto generated in the Service Provider settings:
Entity Identification:
http://<MyHostAddress>/prweb/sp/1561056963
Assertion Consumer Service (ACS)
http://<MyHostAddress>/prweb/PRRestService/WebSSO/SAML/v2/AssertionConsumerService

Regards
Niclas

Comments


Pega
June 25, 2019 - 11:48am

Hi,

Please enable the below loggers in DEBUG mode and reproduce the issue; it will generate the logs.

com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils

com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseSSOProfileValidator

com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator

Rule_Obj_Activity.pySAMLWebSSOAuthenticationActivity

Thanks,

Kranthi

June 26, 2019 - 3:20am
Response to gundk

Hi,

The only logger that exists is com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils, the other three aren't there.

/Niclas


Pega
June 25, 2019 - 8:07pm

Hi Niclas,

To enable the loggers mentioned in the above comment you can follow the below path:

Dev Studio-> Configure -> System --> Operations --> Logs --> Logging Level Setting --> Provide Logger name one by one --> Set Current Level to Debug.

Once you get the logs, you can reset all loggers to default, as this may increase the log size.

In addition to the above loggers, you can also use the SAML browser tracer, which is available for free. It will help you to see the flow and where it went wrong.

PS: Share SAML tracer and pegarules logs here if you want us to look into the issue.

Regards,

-Prakhar
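Once a SAML browser tracer has captured the POST to the ACS, the quickest way to see whether the IdP and the Service Provider settings agree is to base64-decode the SAMLResponse parameter and compare its Destination, Recipient and Audience against the Entity ID and ACS URL shown in the question. The script below is an added example, not code from this thread or from Pega: the host placeholder `<MyHostAddress>` is replaced with the constructed hostname `pega.example.test` (a literal `<` is not valid inside XML attribute values), and the SAMLResponse is a constructed sample that deliberately carries an Audience value not matching the SP Entity ID, so the check reports it.

```python
import base64
import xml.etree.ElementTree as ET

# Service Provider values from the question. The page shows the host as
# <MyHostAddress>; "pega.example.test" is a constructed stand-in.
SP_ENTITY_ID = "http://pega.example.test/prweb/sp/1561056963"
SP_ACS_URL = "http://pega.example.test/prweb/PRRestService/WebSSO/SAML/v2/AssertionConsumerService"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the XML an IdP would POST to the ACS, as seen after
# base64-decoding the SAMLResponse parameter in a browser SAML tracer.
# Its Audience is deliberately a stale value that does not match SP_ENTITY_ID.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2019-06-25T09:00:00Z"
    Destination="{SP_ACS_URL}">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-06-25T09:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>niclas@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2019-06-25T09:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-06-25T08:59:00Z" NotOnOrAfter="2019-06-25T09:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://pega.example.test/prweb/sp/STALE-ENTITY-ID</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text: str) -> str:
    """Encode XML the way it travels in the SAMLResponse POST parameter (base64)."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_saml_response(b64_text: str) -> ET.Element:
    """Decode the SAMLResponse POST parameter back into an element tree."""
    return ET.fromstring(base64.b64decode(b64_text))


def check_saml_response(b64_text: str, entity_id: str, acs_url: str) -> list:
    """Return a list of mismatches between the response and the SP settings.

    An empty list means the values the SP compares (Destination, StatusCode,
    Recipient, Audience) all agree with the configuration; a non-empty list
    names the first things to look at before suspecting the ACS endpoint.
    """
    root = decode_saml_response(b64_text)
    problems = []

    # Destination is optional on unsigned responses, so only compare when present.
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        problems.append(f"Destination {dest!r} != configured ACS {acs_url!r}")

    code_el = root.find("samlp:Status/samlp:StatusCode", NS)
    code = code_el.get("Value") if code_el is not None else None
    if code != SUCCESS:
        problems.append(f"StatusCode {code!r} is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            problems.append("Assertion is encrypted; decrypt with the SP key before comparing")
        else:
            problems.append("no Assertion in the response")
        return problems

    # Bearer confirmation: Recipient must be the ACS URL the SP expects.
    for scd in assertion.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient")
        if recipient is not None and recipient != acs_url:
            problems.append(f"Recipient {recipient!r} != configured ACS {acs_url!r}")

    # AudienceRestriction must name the SP Entity ID, or the SP rejects the assertion.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain SP entity ID {entity_id!r}")

    return problems


if __name__ == "__main__":
    sample_b64 = encode_saml_response(SAMPLE_RESPONSE_XML)
    for problem in check_saml_response(sample_b64, SP_ENTITY_ID, SP_ACS_URL):
        print("MISMATCH:", problem)
```

To use it on a real trace, paste the SAMLResponse value from the tracer's POST parameters into `check_saml_response` together with the Entity ID and ACS URL from the SAML 2.0 tab; an empty result means the values match and the cause is more likely in the signing certificate or the operator mapping, which is where the DEBUG loggers above become useful. The script checks only the values compared against the SP configuration; it does not verify the XML signature, so a clean result is not proof that the response is valid.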

June 26, 2019 - 4:19am

So, these libraries can't be found from the logger view, do they need to be installed separately somehow?

com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseSSOProfileValidator

com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator

Rule_Obj_Activity.pySAMLWebSSOAuthenticationActivity

/Niclas