Skip to main content

Resolved Issues

View the resolved issues for a specific Platform release.

Go to download resolved issues by patch release.

Browse release notes for a selected Pega Version.

NOTE: Enter just the Case ID number (SR or INC) in order to find the associated Support Request.

INC-118838 · Issue 560691

OKTA receives parameters on logout

Resolved in Pega Version 8.2.7

When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the DB, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.

SR-D95148 · Issue 557483

Port validation updated for redirect URI

Resolved in Pega Version 8.2.7

When an offline app for windows client was generated, trying to login via SSO resulted in the error "invalid redirect_uri". This was traced to the system validating the whole loopback redirection URL, e.g. "", including the port number. To enhance flexibility, an update has been made so that the port number will not be validated, allowing the client to establish it based on availability at the moment of the request to the authorization service. NOTE: As a best practice, a loopback URL should not be configured as a redirect URI. If a loopback URL is configured, then at run time the port number will not be validated, and the client application can use any available port on the system including ports that may not be intended for use.

SR-113624 · Issue 167070

Enabling out-of-the-box Security Policies now redirects immediately

Resolved in Pega Version 7.1.7

When enabling out-of-the-box Security Policies, it was not immediately redirecting to the change password screen but instead requiring the timeout interval to expire before redirect happened. This has been corrected.

SR-118880 · Issue 172588

Change Password redirect loop fixed

Resolved in Pega Version 7.1.7

When URLEncryption is enabled along with Security Policies, redirection to the Change Password screen caused the browser to loop into an endless redirect (HTTP 302 loop). This was caused by Incorrect (un-obfuscated) data being used internally when obfuscation was enabled, and has been fixed.

SR-A12775 · Issue 236646

ChangePassword screen now allows custom messages

Resolved in Pega Version 7.2.1

The pzChangePassword activity has been enhanced to allow customizing the change password screen

SR-A14879 · Issue 232530

Improved security for JSON stack

Resolved in Pega Version 7.2.1

To increase security, the response to invalid JSON input will display a generic InvalidStream message rather than the full class name and method name. The complete information will be available in the log.

SR-A15922 · Issue 231258

Support added for cleartext passwords in Snapstart

Resolved in Pega Version 7.2.1

When posting credentials from an external source, the code makes the assumption that the Password value is encoded and therefore it is decoded prior to being handed to the authentication activity in Pega. This is not always the case. If the Password value is passed as clear text the result in the activity is garbled. This creates problems when subsequent authentication is attempted to an external source. To support this handling, a new DASS 'authentication/Snapstart/pwddecode' has been added. When the setting is false, the password is not decoded in Snapstart cases and will necessitate a cleartext password.

SR-A16543 · Issue 235300

Resolved Interaction Portal unexpected close

Resolved in Pega Version 7.2.1

In Google Chrome, launching a secondary portal and encountering a Content Security Policy issue relating to an image caused the secondary portal to automatically close and the developer portal to be refreshed. This was an issue with a mismatch in the pyrequestor token, and has been corrected.

SR-A16960 · Issue 233576

Predictive Analytics rulesets excluded from RSA

Resolved in Pega Version 7.2.1

The Pega-provided Predictive Analytics rulesets were being incorrectly being checked and flagged by the Rule Security Analyzer. The PAD rulesets have now been properly excluded from the RSA check, and further analysis was done to find and fix other RSA flags that should have been excluded.

SR-A19297 · Issue 237347

Added ability to set custom HTTP security headers

Resolved in Pega Version 7.2.1

XSS protections were interfering with the ability to set custom HTTP headers. To enable this, the system will use dynamic system settings from http/responseHeaders and add them to every HTTP response.

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us