Authentication Service form – Completing the SAML 2.0 tab
Select the Enable SAML (SSO) Authentication check box to activate SAML authentication. If this check box is not selected, you cannot use servlets mapped to this authentication service for logging into Pega Platform using SAML web SSO.
Provide or manage information in the fields below.
All the fields in the Identity Provider (IdP) information section and the Service Provider (SP) settings section support the Global Resource Settings syntax (=PageName.PropertyName).
Identity Provider (IdP) information
You can upload IdP information from a URL or a file. Click the Import IdP metadata link and select Upload Metadata via URL (and provide the URL) or Upload Metadata via File (and browse to the file to upload). Click OK to upload the information and populate the fields in the next section, or click Cancel to abandon the upload and close the form. You can manually enter the information instead of uploading it.
If you choose Upload Metadata via URL and the URL points to an HTTPS endpoint, the server certificate must be present in the default truststore of the application server on which Pega Platform is deployed.
- Entity Identification (Issuer) - Provide the IdP entity ID.
- Login (SSO) protocol binding - Select HTTP POST, HTTP Artifact, or HTTP Redirect.
- Login location - Provide the IdP SSO service URL.
- Logout (SLO) protocol binding - Select the binding of the IdP single logout service: HTTP Redirect or SOAP.
- Logout location - Optional. Provide the IdP single logout service URL.
- Artifact Resolution Service (ARS) location - Provide the URL that the service provider uses to send the artifact resolve request to the IdP. Required if HTTP Artifact is selected for the Login (SSO) protocol binding under Service Provider (SP) settings.
- Verification certificate - Provide the IdP signing certificate alias and expiry date. Click the Pencil icon to display a form where you can provide certificate information:
- Certificate store - Select the keystore that contains the IdP Public Key used for verifying the signature of the SAML assertions.
- Alias - Corresponds to the certificate alias in the keystore you selected above.
If you import IdP metadata and the Certificate Store field is blank, the system creates a new keystore instance and adds the IdP certificate to it. The system sets the alias of the keystore entry to the certificate's issuer name and sets the keystore password to rules.
If the Certificate Store field is not blank and points to a valid keystore instance when you import the IdP metadata, the system adds the IdP certificate to that existing keystore instance and sets the alias of the entry to the certificate's issuer name.
- TLS/SSL truststore - Select the truststore record that contains the server certificate to use in a TLS/SSL handshake, or click the Add icon to create a new one.
Select or create a truststore record if you have provided a secure Logout location or a secure Artifact Resolution Service (ARS) location, and you have not added the TLS/SSL certificate to the truststore of your JVM.
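The mapping from IdP metadata to the fields above, plus the two dependencies the form states (an ARS location is needed when the SP login binding is HTTP Artifact; a TLS/SSL truststore is needed for a secure Logout or ARS location), as an added example that is not Pega's code. The metadata, the entity IDs and the certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
BINDINGS = {B + "HTTP-POST": "HTTP POST", B + "HTTP-Redirect": "HTTP Redirect",
            B + "HTTP-Artifact": "HTTP Artifact", B + "SOAP": "SOAP"}

# Constructed sample IdP metadata; the certificate values are placeholders, not real keys.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor entityID="https://idp.example.test/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_SIGNING_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_ENCRYPTION_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.test/saml/ars"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Map IdP metadata onto the fields of the form's IdP information section."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)   # optional on the form
    ars = idp.find("md:ArtifactResolutionService", NS)
    # Only keys with use="signing" (or no use attribute) verify assertion signatures;
    # an encryption-only key must not be loaded as the Verification certificate.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS).strip()
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    return {"entity_id": root.get("entityID"),
            "login_binding": BINDINGS.get(sso.get("Binding")), "login_location": sso.get("Location"),
            "logout_binding": BINDINGS.get(slo.get("Binding")) if slo is not None else None,
            "logout_location": slo.get("Location") if slo is not None else None,
            "ars_location": ars.get("Location") if ars is not None else None,
            "verification_certs": certs}

def check_form(idp, sp_login_binding, truststore_selected):
    """Apply the rules the form states; returns the problems found (empty list = consistent)."""
    problems = []
    if sp_login_binding == "HTTP Artifact" and not idp["ars_location"]:
        problems.append("SP login binding is HTTP Artifact but the IdP has no ARS location")
    secure = [u for u in (idp["logout_location"], idp["ars_location"]) if u and u.startswith("https://")]
    if secure and not truststore_selected:
        problems.append("secure Logout/ARS location but no TLS/SSL truststore selected")
    return problems
```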
Service Provider (SP) settings
The system populates the first six fields below with default values. If you edit these values and later want to recover the default values, click Reset.
- Entity Identification - For new authentication services, the system provides an auto-populated entity ID.
- Login (SSO) protocol binding - For new authentication services, the system provides a default login protocol binding, which you can edit. Select HTTP POST or HTTP Artifact.
- Assertion Consumer Service (ACS) location - For new authentication services, the system provides the URL of the standard ACS REST service.
- Redirect logout location - For new authentication services, the system provides the URL of the standard logout REST service.
- SOAP logout location - For new authentication services, the system provides the URL of the standard logout SOAP service.
- Artifact Resolution Service (ARS) location - For new authentication services, the system provides the URL of the standard ARS to send the artifact resolve request to the IdP.
- Disable request signing - Select this check box to disable signing of authentication and logout requests from your application to the Identity Provider (IdP).
- Signing certificate - Provide the SP Private Key used to sign the SAML Authentication and Logout Requests. Click the pencil icon to display a form where you can select the keystore that contains the private key, the private key alias, and the password to use. To obtain the password using a Rule Utility Function (RUF), select the Rule Utility Function radio button and specify the name of the RUF in the Original Signing password RUF field. Select the Provide password by reference check box to apply the Global Resource Settings syntax in the Signing password field.
- Decryption certificate - Provide the SP Private Key used to decrypt the responses from the IdP to the Authentication and Logout Requests. Click the pencil icon to display a form where you can select the keystore that contains the private key, the private key alias, and the password to use. To obtain the password using a Rule Utility Function (RUF), select the Rule Utility Function radio button and specify the name of the RUF in the Original Signing password RUF field.
Click the Download SP metadata link to download the service provider SAML metadata.
You must save the authentication service instance before you can download the metadata.
Advanced configuration settings
- Use PegaRULES Timeout - This check box is selected by default, and it enables you to use the authentication time-out value that is specified in your access group. Clear this check box if you do not want to use that time-out value.
- Timeout activity - Enter or select the name of the time-out activity to use. The selection list shows all activities that apply to the Code-Security class. The default time-out activity to use for SAML Web SSO is pySAMLWebSSOTimeoutActivity.
- Authentication activity - Enter or select the name of the authentication activity to use. The selection list shows all activities that apply to the Code-Security class. The default authentication activity for SAML Web SSO is pySAMLWebSSOAuthenticationActivity. See More about authentication services for requirements for such activities.
- Force authentication - Select this check box if you want the system to reauthenticate users for every new or expired session.