Support Article
SSO not working properly
SA-82910
Summary
The Service Provider (SP) metadata does not contain the certificate information, so SAML authentication does not work.
Error Messages
(Admin_Security_SSO_SAML.Action) ERROR |Rest|WebSSO|SAML|sp
metadata|AZ4BTGJZI5IVTUQMS8MER7TXQ336SBU7R - Failed to get certificate
com.pega.pegarules.pub.PRRuntimeException: Unable to open keystore instance.
com.pega.pegarules.pub.database.AuthorizationException: You are not authorized to delete instance DATA-ADMIN-SECURITY-KEYSTORE-KID EOCADFSKEYSTORE!XYZ
at com.pega.pegarules.pub.database.AuthorizationException.createCannotDeleteException(AuthorizationException.java:280) ~[prpublic.jar:?]
at com.pega.pegarules.data.internal.access.Deleter.delete(Deleter.java:694) ~[prprivate.jar:?]
Steps to Reproduce
In Designer Studio, open the Authentication Service and download the SP Metadata. In the metadata XML, the complete <KeyDescriptor> section is missing.
Root Cause
The keyStore record could not be opened because it referenced stale entries in the pc_data_adm_seckeyid table.
Resolution
Perform the following local change:
- Delete the old Keystore ID (KID) entries from the <dataschema>.pc_data_adm_seckeyid table.
- Delete the keyStore record from the Pega instance.
- Reimport the metadata. The keyStore record is recreated.
- Validate the keyStore record instance from the database.
- Remove the Verification Certificate from the Rule form.
- Re-add the certificate to the Rule form.
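An added check, not part of this article or of Pega's own tooling, that parses a downloaded SP metadata file and reports whether the SPSSODescriptor carries a KeyDescriptor with a decodable certificate; it confirms the symptom from Steps to Reproduce and verifies the metadata after the keyStore record has been recreated. The entity IDs, URLs and certificate bytes in the two embedded samples are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed samples: "MAMCAQU=" is a tiny DER SEQUENCE, not a real certificate.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same document with the KeyDescriptor section missing, as described in this article.
BROKEN_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Report each KeyDescriptor under SPSSODescriptor and whether its certificate decodes."""
    root = ET.fromstring(xml_text)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return {"sp_descriptor": False, "key_descriptors": []}
    found = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor without 'use' serves both purposes.
        use = kd.get("use") or "signing encryption"
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        ok = False
        if cert_el is not None and cert_el.text:
            try:
                der = base64.b64decode("".join(cert_el.text.split()), validate=True)
                ok = len(der) > 2 and der[0] == 0x30  # DER SEQUENCE tag
            except ValueError:  # binascii.Error is a ValueError subclass
                ok = False
        found.append({"use": use, "certificate_ok": ok})
    return {"sp_descriptor": True, "key_descriptors": found}


def is_signing_ready(report):
    """True when at least one signing-capable KeyDescriptor has a decodable certificate."""
    return any(d["certificate_ok"] and "signing" in d["use"] for d in report["key_descriptors"])


if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("broken", BROKEN_METADATA)):
        print(name, check_sp_metadata(doc), "signing_ready =", is_signing_ready(check_sp_metadata(doc)))
```

Run it against the SP metadata downloaded from the Authentication Service; a report with an empty key_descriptors list is the condition this article describes.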
Published August 19, 2019 - Updated October 8, 2020