Problem in verifying and validating the token while authenticating with SAML. The user is getting an error on the screen: “Unable to process the SAML WebSSO request: You%27re not authorized to access application name the application”
We installed the HFIX-42795.jar hotfix some time back to support the WS-FED protocol.
HFIX-42795: Parsing the RSTR token and processing the SAML assertion is performed in step 5, using the new processSAMLv2Assertion Java method imported into Pega with the hotfix provided by Pega Engineering (HFix-42795).
It was working fine for some time, but since yesterday it has been giving an error in all environments. We didn't make any changes or move any code.
Steps to Reproduce:
Log in as a user with the SSO URL.
The error is shown to the user; a screenshot is attached along with the Java code which is failing.
Verified the certificate; it is valid and not expired.
The same certificate is working fine from .NET and other applications.
The issue is happening in the SSO activity "pyWSFedWebSSOAuthenticationActivity".
Research & Solution:
The time difference between the authentication server and the Pega server is 3 hours, which is causing the issue. When the token is returned, the authentication service sends a Valid From and a Valid To (60 min) along with the token. Because of the time difference, the current time does not fall within the validity period provided by the authentication service, so we were getting the error.
We had a call with Pega and got the classes (which are part of the hotfix source code) to be traced; after tracing we found that the current date/time does not fall between Valid From and Valid To.
After syncing the time between the servers, the issue is resolved.
Follow Up Question / Enhancement Request:
Except for Pega, other applications in the organization are working fine even though there is a time difference between the servers.
This is because they are configured in such a way that they accept a 3-hour difference, but in Pega we are not able to do this, as it comes from Apache code which defaults to 60 seconds.
When we checked the source code of the class SamlAssertionValidator.java, it adds a FutureTTL of 60 seconds to the actual timings, and this is a fixed value.
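An added illustration of the validity-window check described above (example code, not Pega's or WSS4J's own): it parses the Conditions element of a constructed SAML 2.0 assertion and applies a configurable clock-skew tolerance, showing that a 60-second tolerance rejects the token when the relying party's clock is 3 hours behind the issuer, while a 3-hour tolerance accepts it. The assertion, timestamps and function names are constructed for this example.

```python
"""Clock-skew-tolerant check of a SAML <Conditions> validity window.

Constructed example: the tolerance argument plays the role of the fixed
60-second FutureTTL described in the case above.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion fragment: valid for 60 minutes from issue.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_conditions(xml_text):
    """Return (NotBefore, NotOnOrAfter) as timezone-aware UTC datetimes."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)

    def parse(value):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    return parse(cond.get("NotBefore")), parse(cond.get("NotOnOrAfter"))


def conditions_valid(xml_text, now, clock_skew=timedelta(seconds=60)):
    """True if `now` lies in the window, widened by `clock_skew` on both sides.

    A NotBefore still in the future is accepted only when it is within
    clock_skew of `now`; the same tolerance is applied after NotOnOrAfter.
    """
    not_before, not_on_or_after = parse_conditions(xml_text)
    return (not_before - clock_skew) <= now < (not_on_or_after + clock_skew)


def demo():
    """Relying party's clock is 3 h behind the issuer, 30 s after issue."""
    rp_now = datetime(2024, 5, 1, 9, 0, 30, tzinfo=timezone.utc)
    return {
        "skew_60s": conditions_valid(ASSERTION, rp_now),                      # False
        "skew_3h": conditions_valid(ASSERTION, rp_now, timedelta(hours=3)),   # True
        "expired": conditions_valid(ASSERTION, rp_now + timedelta(hours=5)),  # False
    }


if __name__ == "__main__":
    print(demo())
```

Widening the tolerance also widens the window in which a captured assertion stays usable, so synchronising the server clocks, as was done to resolve this case, is the preferable fix.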
A feedback request has been created on your behalf in our internal portal. The feedback ID is tagged to the issue description above (under Related Support Case Number). Use this FDBK ID as a reference to connect with your Pega Account Executive to track the progress of this request.