Close popover
Close popover LinkedIn
Copied!

Table of Contents

Overriding the service provider settings for a SAML SSO authentication service

Version:

8.5

The service provider settings for a SAML SSO authentication service are automatically populated when you create the authentication service. You can override the default values.

For the SAML ruleform, Global Resource Settings are supported. For more information, see Fields that support the Global Resource Settings syntax.

  1. Open the service from the navigation panel in Dev Studio by clicking Records SysAdmin Authentication Service and choosing a service from the instance list. On the SAML 2.0 tab, expand the Service Provider (SP) settings section.

  2. In the Entity identification field, enter an entity ID that is auto-populated in the new authentication services.

  3. In the Login (SSO) protocol binding list, the system provides a default protocol binding. You can change the binding protocol to one of the following.

    • HTTP Post – SAML protocol messages are transmitted in an HTML form with base64-encoded content.
    • HTTP Artifact – SAML protocol messages are transmitted using a unique identifier called an artifact. Select this protocol if you do not want to expose the content of the SAML message during connection.
    • HTTP Redirect – SAML protocol messages are transmitted within URL parameters.

  4. In the Assertion Consumer Service (ACS) location field, override the system-provided URL of the standard ACS REST service URL.

  5. In the Redirect logout location field, override the system-provided URL of the standard logout REST service.

  6. In the SOAP logout location field, override the system-provided URL of the standard logout SOAP service.

  7. In the Artifact Resolution Service (ARS) location field, override the system-provided URL of the standard ARS to send the artifact resolve request to the IdP.

  8. To disable the signing of authentication and logout requests from your application to the Identity Provider, select the Disable request signing check box.

  9. To reject all unsigned SAML assertions, select the Reject unsigned assertion check box.

  10. To select the SP Private Key to sign the SAML authentication and logout requests, in the Signing certificate section, click the Pencil icon.

    1. In the KEYSTORE NAME field, press the Down Arrow key and select the keystore that contains the private key, private key alias, and password to use.

    2. Click Submit.

  11. In the Decryption certificate section, click the Pencil icon to select the SP Private Key to decrypt the response from the IdP for authentication and logout requests.

    1. In the KEYSTORE NAME field, press the Down Arrow key and select the keystore that contains the private key, private key alias, and password to use.

    2. Click Submit.

  12. To download the service provider metadata, click Save, and then click Download SP metadata.

  13. Click Save.

Enforcing policies from the Security Policies landing page

  • Authentication services

    To override or extend the default authentication process, create and configure an authentication service.

  • More about authentication services

    This page describes additional topics relevant to authentication services that are not directly referenced on the rule form.

  • Configuring a SAML SSO authentication service

    After you create a SAML SSO authentication service, configure it so that Pega Platform uses the specified identity provider for authenticating users. You can map attributes from the identity repository to properties in Pega Platform, and also configure optional features such as preauthentication and postauthentication activities and operator provisioning.

Pega Platform 8.4

Updated on June 5, 2020

Suggest Edit

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Collaboration Center