Posted: 27 Mar 2021 8:36 EDT Last activity: 7 Apr 2021 3:19 EDT
cLSA Security Excellence webinar - SAML 2.0
Step 5 needs to return to the node from where Step 1 was initiated. The question is we do not have a user session yet, so why do we need session affinity at this point. We are using Pega 8.3 and if the SAML response is not redirected to the node from where the request was initiated, it fails.
Session Affinity is established at step 8 when the Pega-RULES cookie is issued. The Load Balancer should then ensure affinity based on the Pega-RULES cookie. The AssertionConsumer response at step 5 can be processed by any webuser node. I don't think your SAML response can be failing because of the webuser node it is being processed on. There are multiple reasons why a SAML response will not result in successful authentication. I have not observed the pattern you are mentioning.
@sleij - Thanks for the response James. That is what we thought, but it only works when it goes to the same node from where the request was initiated. Any known bugs w.r.t. this in the version 8.3.0 we are on? Could you suggest some things we should check in our configuration?
@sleij I did a fact finding mission with Pega Engineer Julius Li, and indeed Pega SAML implementation creates a session when SAML Authentication is initiated and requires Step 5 to return to this session for it to work. So session affinity is required even before user is authenticated and user session is created in Step 8. Other SAML implementations I have seen do not work like this, and are stateless till the user session is created. You may want to talk to the product team about this and fix the implementation.
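As an added illustration (not Pega's code and not from anyone in this thread), here is a minimal model of the two designs being contrasted: an SP node that keeps the pending AuthnRequest ID only in its own memory, so the ACS response must land on that same node, beside a stateless HMAC-signed ticket that any node holding a shared key can verify. Node names, the ticket format and the shared key are assumptions for the example.

```python
import hmac, hashlib, secrets, time

# Constructed example only; not Pega's implementation.
SHARED_KEY = b"sp-cluster-shared-secret"  # assumed: same key on every web node

class StatefulNode:
    """SP node that tracks the pending AuthnRequest ID in node-local memory."""
    def __init__(self, name):
        self.name = name
        self.pending = {}  # request_id -> expiry; invisible to other nodes

    def start_login(self):
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = time.time() + 300
        return req_id  # sent in the AuthnRequest; IdP echoes it as InResponseTo

    def consume_response(self, in_response_to):
        # Fails on any node other than the one that issued the request,
        # which is exactly why such a design needs load-balancer affinity.
        exp = self.pending.pop(in_response_to, None)
        return exp is not None and exp > time.time()

def make_ticket(req_id, ttl=300):
    """Stateless alternative: signed ticket handed to the browser as a cookie."""
    exp = str(int(time.time()) + ttl)
    msg = f"{req_id}|{exp}".encode()
    return msg + b"|" + hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest().encode()

def verify_ticket(ticket, in_response_to):
    """Any node with SHARED_KEY can check InResponseTo without local state.
    Note: this gives binding and expiry, not single-use; one-time replay
    protection still needs a cluster-wide record of consumed IDs."""
    try:
        req_id, exp, mac = ticket.decode().split("|")
    except ValueError:
        return False
    expected = hmac.new(SHARED_KEY, f"{req_id}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(mac, expected)
            and req_id == in_response_to
            and int(exp) > time.time())
```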
I don't believe the Pega SAML implementation works any different to other technologies. If you haven't done already, could you please create an SR and provide the logs. There is no logical reason for a difference in processing the SAML response based on node. They should be able to process this further and work with the product teams to get any potential issue resolved.