Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SSO not working properly



In the Service Provider (SP) Metadata the  certificate information is not stored. Therefore, the SAML Authentication does not work.

Error Messages

(Admin_Security_SSO_SAML.Action) ERROR |Rest|WebSSO|SAML|sp
metadata|AZ4BTGJZI5IVTUQMS8MER7TXQ336SBU7R  - Failed to get certificate Unable to open keystore instance. You are not authorized to delete instance DATA-ADMIN-SECURITY-KEYSTORE-KID EOCADFSKEYSTORE!XYZ 
at ~[prpublic.jar:?] 
at ~[prprivate.jar:?]

Steps to Reproduce

In Designer Studio, open the Authentication Service and download the SP Metadata. In the metadata XML, the complete <KeyDescriptor> section is missing.

Root Cause

Unable to open the keyStore record since it referenced old entries in the pc_data_adm_seckeyid table.


Perform the following local-change: 
  1. Delete the old Keystore ID (KID) entries from the <dataschema>.pc_data_adm_seckeyid table.
  2. Delete the keyStore record from the Pega instance.
  3. Reimport the metadata. The keyStore record is recreated.
  4. Validate the keyStore record instance from the database.
  5. Remove the Verification Certificate from the Rule form.
  6. Re-add the certificate to the Rule form.

Published August 19, 2019 - Updated October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us