Skip to main content

Resolved Issues

View the resolved issues for a specific Platform release.

Go to download resolved issues by patch release.

Browse release notes for a selected Pega Version.

NOTE: Enter just the Case ID number (SR or INC) in order to find the associated Support Request.

SR-D23239 · Issue 499595

Support added for multi-operator SAML logins

Resolved in Pega Version 8.3.1

When a SAML user is logged in by Single Sign-On (SAML), the system processes the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to the same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.

SR-D47611 · Issue 513113

HTTPS login path issue resolved

Resolved in Pega Version 8.3.1

When using iOS, entering wrong credentials for a login with an https endpoint converted the URL to http. This was traced to a case where the resourcePath was coming as http in SSL enabled system, but the reqURI was still https. To correct this, the system has been updated so that if the reqContextURI starts with https and the requestURL starts with http, then the requestURL will be converted to https.

SR-B66996 · Issue 312205

Access control policy logic added for non-work/data/assign classes

Resolved in Pega Version 7.3.1

As part of ABAC (Attribute-based access control) restrictions, if a class property was of type PageList, security had to be created in the PageList property class type. However, if the pagelist was of type "Embed-" class then it was not possible to create security policy due to the inability to apply property masking for page list properties of that class. To resolve this, property masking implementation logic has been added to support page list properties of non-work/data/assign classes for access control policies.

SR-B66996 · Issue 315524

Access control policy logic added for non-work/data/assign classes

Resolved in Pega Version 7.3.1

As part of ABAC (Attribute-based access control) restrictions, if a class property was of type PageList, security had to be created in the PageList property class type. However, if the pagelist was of type "Embed-" class then it was not possible to create security policy due to the inability to apply property masking for page list properties of that class. To resolve this, property masking implementation logic has been added to support page list properties of non-work/data/assign classes for access control policies.

SR-B55119 · Issue 312817

Handling added for absent property in Access When

Resolved in Pega Version 7.3.1

Configuring Access Control Policy to automatically restrict access to certain records by including an Access When rule to compare a custom property (.Consultant) on the OperatorID (Data-Admin-Operator-ID) page generated an exception if that property did not actually exist on the current operator. This has been resolved by revising the security policy engine to handle the exception.

SR-B71077 · Issue 323027

IDP Encrypted connections working on SAML

Resolved in Pega Version 7.3.1

IDP initiated SAML 2.0 was not working, and generated the error "Unable to process the SAML WebSSO request : Missing Relaystate information in IDP Response". Authentication worked fine with unencrypted SAML token. This schema validation failure happened because encrypted attributes were previously being ignored by Pega due to an issue in the underlying openSAML library. To resolve this, a custom PegaSAMLValidator has been inserted to validate the assertion and honor encrypted attributes.

SR-B56328 · Issue 312168

RARO rules more secure against deletion

Resolved in Pega Version 7.3.1

In order to make RARO rules more secure, the system has been updated such that Class Permissions can't be deleted from the role unless the operator has permission and is operating in a valid context (unlocked ruleset). This has been done by revising the Role rule form to disable the delete button when RARO/RADO is in a locked ruleset.

SR-B57046 · Issue 314358

Parameters removed from on-screen error messages to protect sensitive data

Resolved in Pega Version 7.3.1

It was discovered that sensitive information such as account numbers used as parameters were being displayed in exception error messages displayed on the screen. Including the parameters as part of the error is intended to aid in debugging the problem, but these parameters do not need to be displayed in the UI. In order to protect potentially sensitive data, parameter values have been removed from the exception message. When the DeclarativePageDirectoryImpl logger is enabled, the parameters will be entered into the Pega log files and not shown on screen.

SR-B67143 · Issue 316168

Proxy configurations made available to OAuth2 and other clients

Resolved in Pega Version 7.3.1

Setting up Proxy for the REST Connector was not working when using OAuth2. When using OAuth2 authorization for Connector features including REST Connectors, the com.pega.pegarules.integration.engine.internal.client.oauth2.OAuth2ClientImpl class is used for connections to the OAuth2 Provider for interactions such as fetching authorization tokens. However, OAuth2ClientImpl does not have the required code for "picking up" the JVM-level proxy settings and applying them to the HTTP Client it uses, so the HTTP calls to the OAuth2 provider were always bypassing the configured HTTP proxy. In order to resolve this and enhance future use, the code in the RESTConnector module that allows REST Connectors to use HTTP Proxies has been extracted out into the "HTTPClientUtils" module so that it can be used by any consumer to apply the system's Proxy configuration to any instance of PegaRESTClient. OAuth2ClientImpl has been updated to call this during HTTP client setup, prior to making the request for data from OAuth2 Providers, and RESTConnnector has been updated to call this new implementation to replace the universal Proxy code that was refactored out of it.

SR-B66204 · Issue 316885

XSS sanitizing added to clientID field

Resolved in Pega Version 7.3.1

During the time of construction of a ServiceRequest in the engine , the clientID field will be sanitized with the StringUtils.crossScriptFiltering API to avoid XSS attacks.

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us