- Ensure that you have access to the Java Keytool utility by downloading and installing a version of Java Runtime Environment (JRE) or Java SDK.
- Add and register an application in the Microsoft Azure portal so that you can integrate the application with the Microsoft identity platform and call Microsoft Graph. Ensure that you have administrative access to the application.
- Note the client ID and client secret parameter values of your application.
- Open your preferred terminal tool.
- Use the keytool utility to generate the .jks keystore file by entering the following command in the command prompt:
keytool -genkeypair -alias mydomain -keyalg RSA -keystore <keystore_name.jks> -keysize 2048 -storepass "<keystore_password>"
- Generate a .cer certificate file by entering the following command in the command prompt:
keytool -v -export -file MicrosoftAzureSMAPI.cer -keystore <keystore_name.jks> -alias mydomain
- Upload the certificate file to Microsoft Azure (see the following figure for reference; for more information, see the Microsoft Azure documentation):
- Open the Microsoft Azure Portal in a browser window, and then log in with admin credentials.
- In the Microsoft Azure Portal, in the Azure Active Directory, search for and open the application that you registered.
- In the Certificates & secrets menu, on the Certificates tab, click Upload certificate.
- Upload the .cer file that you generated in step 3 by following the on-screen instructions.
- After you upload the file, copy and save the value in the Thumbprint column.
- In Pega Platform, create a keystore by uploading the .jks file that you generated in step 2. For more information, see Configuring a keystore by uploading a file.
- In Pega Platform, create an instance of a JSON Web Token generation profile. For more information, see Creating a generation JSON Web Token profile.
- In the Headers section, configure the following header:

  | Name | Map from | Map from key |
  |------|----------|--------------|
  | x5t | Constant | The thumbprint of the certificate that you generated in step 3, converted from hexadecimal to base64 format. |
- In the Registered claims section, configure parameters for the following claims:

  | Name | Map from | Map from key |
  |------|----------|--------------|
  | Issuer (iss) | Constant | The external ID of your client ID. |
  | Audience (aud) | Constant | Your tenant ID in the following format: https://login.microsoftonline.com/<tenant_ID>/v2.0 |
  | Subject (sub) | Constant | The external ID of your client ID. |
- In the Custom claims section, configure parameters for the following claims:

  | Name | Map from | Map from key |
  |------|----------|--------------|
  | exp | Constant | The token expiration time, in the Epoch Unix Timestamp format. For example, 1644582019 corresponds to Friday, February 11, 2022, 12:20:19, GMT+0000. |
  | jti | Constant | The unique JWT ID. Note: The purpose of the JWT ID is to allow previously issued JWTs to be revoked. |
  | nbf | Constant | The time before which the JWT must not be accepted for processing, in the Epoch Unix Timestamp format. For example, to limit access to a resource to one hour, set this parameter to one hour before the token expiration time. |
- In the Security section, configure the token security. See the following figure for reference:
- In the Security configuration list, select Signature.
- In the Signature type list, select Asymmetric.
- In the Signature algorithm field, enter RS256.
- In the Keystore field, enter or select the keystore instance that you created in step 5.
- In the Alias field, enter or select the alias name of the private key from the keystore that you created in step 5.
- In the Password field, enter the keystore password that you created in step 5.
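As an added illustration (not part of the original page or Pega's own code), the following Python script assembles the header and claim set that steps 6 through 10 configure, including the x5t conversion from the portal's hexadecimal thumbprint, and checks the nbf/exp window that a token consumer enforces. The client ID, tenant ID and thumbprint are constructed sample values; the RS256 signature over the signing input is assumed to be produced by the keystore configured in the Security section, so the script stops at the signing input.

```python
import base64
import binascii
import json
import uuid

# Constructed sample values (not from the page): an application (client) ID,
# a tenant ID, and the hex thumbprint the Azure portal shows after the upload.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
THUMBPRINT_HEX = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"


def b64url(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_from_thumbprint(thumbprint_hex: str) -> str:
    """Convert the portal's hex SHA-1 thumbprint into the x5t header value.
    The 20 raw bytes are encoded, not the 40-character hex string itself."""
    raw = binascii.unhexlify(thumbprint_hex.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("a SHA-1 thumbprint is 20 bytes")
    return b64url(raw)


def build_assertion_parts(client_id, tenant_id, thumbprint_hex, now, ttl=3600):
    """Header and claim set as laid out in the JWT generation profile."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_from_thumbprint(thumbprint_hex)}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "nbf": now,                 # not valid before issuance
        "exp": now + ttl,           # one-hour lifetime by default
        "jti": str(uuid.uuid4()),   # unique ID so this token can be revoked
    }
    return header, claims


def signing_input(header, claims) -> bytes:
    """Bytes the RS256 private key signs: b64url(header) '.' b64url(claims)."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}".encode("ascii")


def check_claims(claims, now, tenant_id) -> bool:
    """Consumer-side check: right audience, inside the nbf/exp window, has a jti."""
    aud_ok = claims.get("aud") == f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    window_ok = claims["nbf"] <= now < claims["exp"]
    return aud_ok and window_ok and bool(claims.get("jti"))
```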
- Enable single sign-on authentication by creating an OAuth 2.0 profile (for more information, see Configuring an OAuth 2.0 authentication profile):
- In the Client configuration section, in the Grant type list, select Client credentials.
- Populate the values of the Client Identifier and Client secret fields.
- In the Scope field, provide the degree of access control for the JWT, for example, read. Note: Consider the following points when configuring the scope of access control:
  - If you do not specify the scope in the request, the target server might return a default scope, something else, or fail the request.
  - You can configure the token with multiple access scopes. In such a case, separate each scope with a space, for example, read write.
- In the Endpoint configuration section, in the Access token endpoint field, enter the URL that grants the authorization to access the protected resource.
- Expand the Advanced configuration section.
- In the Authentication scheme list, select Private Key JSON Web Token.
- Select Use JWT generation profile.
- In the JWT generation profile field, enter the name of the token generation profile that you created by following steps 6 through 10. See the following figure for reference:
Figures referenced in this procedure (images not included):
- Generating the JWT keystore and certificate files
- Uploading the JWT keystore and certificate files
- Configuring a JSON Web Token generation profile
- Enabling the OAuth 2.0 authentication method for the JWT