Issue while setting up SAML authentication: ArrayIndexOutOfBoundsException in java method populatePOSTBodyParams / processSSOResponse
We are setting up SAML authentication in Pega 7.4.0 with an external Identity Provider on the Dev environment. Pega successfully routes the user to the identity provider and the user also gets successfully redirected back to the Service Provider (our Pega application).
Then the OOTB REST service AssertionConsumerService (for the POST method) gives a 500 status code (Internal Server Error). While analyzing, we found out that the OOTB service activity pzAssertionConsumerServiceV2Activity gives an ArrayIndexOutOfBoundsException in step 1. This activity only contains Java:
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ACSHandler.populatePOSTBodyParams(SAMLv2ACSHandler.java:459) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ACSHandler.executePostBindingFlow(SAMLv2ACSHandler.java:368) ~[printegrint.jar:?]
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ACSHandler.processSAMLResponse(SAMLv2ACSHandler.java:71) ~[printegrint.jar:?]
What we tried in order to find the issue:
- Enabled service monitoring on the WebSSO to catch the incoming request (SAML assertion data) to the REST service. Used Base64 Decode + Inflate to see (partly) what was in the message;
- Enabled DEBUG logging on the classes Rule_Obj_Activity.pzAssertionConsumerServiceV2Activity.Data_Admin_Security_SSO_SAML.Action and com.pega.pegarules.session.internal.mgmt.authentication. This gave no extra information;
- Ran the REST service and then traced it. We see a FAIL on step 1 with the message Error while executing SAML SSO flow : 1;
- Made some changes to the authentication service rule.
Any suggestions to debug this further?
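Added example for the "capture and decode" step described above; this is not Pega's code and not from the thread. It parses the form body an IdP posts to an Assertion Consumer Service, reports whether the SAMLResponse and RelayState parameters arrived at all, base64-decodes the response, inflates it only when it was DEFLATE-encoded (the HTTP-Redirect binding does that; the HTTP-POST binding carries plain base64 XML, so "Base64 Decode + Inflate" is not always needed), and lists the StatusCode and the Attribute names. The Response XML and the RelayState value are constructed samples.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_param(value: str) -> bytes:
    """Base64-decode a SAMLResponse; POST binding sends plain XML, Redirect binding DEFLATEs it first."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):   # already XML: HTTP-POST binding
        return raw
    return zlib.decompress(raw, -15)    # raw DEFLATE, no zlib header: HTTP-Redirect binding

def deflate_b64(xml: bytes) -> str:
    """Redirect-binding encoding (raw DEFLATE, then base64); used here to build a test vector."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml) + co.flush()).decode()

def inspect_acs_post_body(body: str) -> dict:
    """Parse a form body posted to an ACS: which parameters arrived, the StatusCode, the Attribute names."""
    params = parse_qs(body, keep_blank_values=True)
    result = {"has_SAMLResponse": "SAMLResponse" in params,
              "has_RelayState": "RelayState" in params,
              "status": None, "attributes": []}
    if not result["has_SAMLResponse"]:
        return result
    root = ET.fromstring(decode_saml_param(params["SAMLResponse"][0]))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    result["status"] = code.get("Value") if code is not None else None
    result["attributes"] = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    return result

# Constructed sample: a minimal, unsigned Response carrying one AttributeStatement.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="operatorId"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def sample_post_body(relay_state: bool = True) -> str:
    """Build the form body an IdP would POST for SAMPLE_XML (RelayState optional)."""
    fields = {"SAMLResponse": base64.b64encode(SAMPLE_XML).decode()}
    if relay_state:
        fields["RelayState"] = "/prweb/"   # constructed value
    return urlencode(fields)
```

Feed the raw request body captured by service monitoring to `inspect_acs_post_body` (or call it on `sample_post_body()` to see the expected shape); a body where `has_SAMLResponse` or `has_RelayState` is false is worth checking against the IdP configuration before looking any further.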
Thanks for your answer. I didn't find any SAML tracer Chrome plug-in, but I found SAML Chrome Panel, SAML Message Decoder and SAML DevTools extension. Do you want to see the encoded message from the log, or (part of) the decoded message? For now, I am sharing the decoded AttributeStatement where I changed the name.