SAML Authentication not working post upgrade from v7.3.1 to v8.3.1

Our application has been upgraded from 7.3.1 to 8.3.1. Post upgrade the SAML authentication is not working.

In 8.3.1 the SAML Auth Service rule form has been changed.

Currently we are facing issues to map the pyUserIdentifier and also there is no provision to place the TimeOut and Authentication activities. Has any one faced similar issues? If so what is the resolution for that?




Keep up to date on this post and subscribe to comments

November 28, 2019 - 4:28am

Mapping of .pyUserIdentifier property is not required in Platform 8.x

November 28, 2019 - 8:19am

TimeOut - Use Checkbox "Use Access group timeout"

Authentication - This will be called automatically.

December 6, 2019 - 4:34am
Response to agarp3

What if I want to customize the time out and authentication?

December 2, 2019 - 9:21am


If you are using a customized version of SSO activity from 7.3.1 in your 8.3.1 you will need to re-customize as per the 8.3.1 version SSO OOTB activity.

Also, check pySAMLWebSSOAuthenticationActivity for any changes.

December 6, 2019 - 4:55am

I followed many posts and came up with a half cooked solution. Steps I followed are :

1. In operator Provisioning, I used a Data Transform to obtain the model operator. (This is a business requirement as we have different model operators based on variable AD Groups). This DT is called only for non existing operators (i.e operators that do not have id in pega)

2. Used the Mapping Tab to set the OperatorID properties from a DPage ( Requestor Level of class Data-Admin-Operator-ID). The Dpage uses a DT as source and I checked that this DPage is called every time an operator logs in, irrespective of whether it is an existing operator or not. This DPage is mainly used for dynamic loading of the access groups based on AD Mapping received from the SAML Assertion Page. But a major drawback is that this mapping tab does not allow me to map the page / pagelist type properties like pyWorkGroupList. The map from column has an expression builder form, i tried executing a DT / activity from it, but it does not allow me to set the Work Group List.

3. Used a Post Authentication activity to set the WorkGroup List. However some issues faced while using this post authentication activity is that 

- In order to avoid the Java step used in the OOTB activity pySSOPostAuthenticationActivity i tried calling the OOTB activity from my custom activity, but it failed due to some reasons. So went with introducing a Severe Warning by copying the JAVA step in my custom activity.

Other assumptions and confusions that I still have are:

- Authentication, token validation etc are now handled internally.

- Regarding Challenge Stream, where do I configure those?

- How will I configure custom time out activity?