Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Configuring the Security Token Service to work with Robot Manager

Updated on November 10, 2021
Pega Robot Studio v21 Preview

To configure the Security Token Service for use with Robot Manager, you must perform several tasks in several applications, including the Security Token Service and Pega Platform. The following figure provides an overview of the tasks that you must complete after you set up Robot Manager:

Configure STS with Robot Manager

  1. Start the Security Token Service to export the token-signing certificate.
  2. Click Token Signing and select the certificate that you want to export in the STS Token Signing Certificate field.
  3. Click Export Public Cert to export the certificate.
  4. If you are using AD FS with Robot Manager, you need a key type and a password. Save the certificate as a Java KeyStore (JKS) or Public-Key Cryptography Standards (PKCS12) file and include a password.
  5. In Pega Platform, select Records > Security > Keystore > Keystore Instance to upload the token-signing certificate. The following is an example:
  6. Select the SSL certificate or Site SSL certificate that you use to verify communication between Robot Runtime and the server that hosts the Security Token Service.
  7. Select the type of keystore, such as JKS or PKCS12. Select PKCS12 if the certificate is exported by the Security Token Service.
  8. Enter the password for the keystore. Leave this field empty if the certificate is exported by the Security Token Service. Click Save.
  9. Click Identity Mapping Records > Security > Identity Mapping to map the TrustStore and define how the operator is identified, and then click Save.
    Note: The TrustStore is the rule that is created to store the certificate.
    Typically you accept the default, Authenticate by Username Only, so the system authenticates using the [email protected] email address for the currently logged-in user.
    To use a claim that differs from the User Principal Name (UPN), choose LDAP or Active Directory. For instance, you would choose LDAP or Active Directory to authenticate by email address or some other unique identifier.
  10. Set the attribute mapping. The default is the UPN but you can add other criteria, such as the email address or user name, if your organization’s security policies require it.
  11. Click Records > Security > OAuth 2.0 Client Registration and create an OAuth 2.0 client registration.
  12. Select SAML bearer as the grant type and select the identity mapping that you just created.
  13. Add the identity mapping that you created to the Client Instance.
  14. Click Save and download the Client Secret data.
    Client Credentials
  15. Open the CommonConfig.xml file in a text editor and enable Robot Manager and IdP connectivity to set up Robot Runtime and Robot Studio connectivity to the Robot Manager using the Security Token Service.
  16. On the Server name=”IdP” line, replace the value for the baseURL key with the applicable value for your organization. The following is an example:
       <Server name=”RobotManager” enabled=”false” baseURL=” RPA=”false” workgroup=”Custome service” robotName=”{MachineName}” authenticationType=”Basic” RPAServiceOperator=”{MachineName}_RPA” />
       <Server name="IdP" enabled=”true” baseURL="https://sts-hostname/OSTS/SecurityTokenService.svc/IWSTrustFeb2005" />
    1. Enter a URL in the baseURL key in this format:
    1. Replace sts-hostname with the host name of your server. For more information, see Common configuration settings.
      Note: Only Pega RPA attended mode is supported.
  17. In the Security Token Service, add the relying party for your Pega Platform instance and its attributes. The following is an example:
  18. Define the ClientId and ClientToken attributes. The system retrieves values from the Client Registration rule in Pega Platform and provides those values as defaults.
    These attributes correspond to the client ID and client secret credentials that are generated in Pega Platform. When you set up a client under OAuth 2.0 Client Registration, you can view and download a file that contains the client ID and client secret.
    Note: You can only retrieve the secret one time. If you forget the secret, click Regenerate client secret to create a new one.Note: If you change any of the values, Pega Platform re-generates the client secret and places the secret and the existing client ID in a file that you can download.
  19. In the Security Token Service, click Logging.
  20. In the Logging Configuration page, make entries in the following fields to specify how the system logs information:
    EnabledSelect this check box to turn on logging. Remove the check mark to turn off logging. Logging information can help resolve any issues that might arise. The default is On.
    Log LevelThis field determines the amount of information the system includes in the log files. You have these choices:
    • All — This level records all output.
    • Debug — This level records error, warning, informational messages, and verbose debugging output. This option generates a large number of messages and is not recommended when used with multiple trace source selections.
    • Error — This level records error messages, indicating the application was not able to perform a task as expected. The Security Token Service is, however, still running.
    • Fatal — This level records negative events that indicate unexpected processing or an error. Only certain unhandled exceptions are reported.
    • Info — This level (the default level) records error, warning, and informational messages. It includes successful milestones of application execution, regardless of whether the Security Token Service is working properly, and provides an overview of what happened.
    • Warn — This level records both error and warning messages.
    FileEnter the file name and path for the log file or click Browse to select it.
    Maximum # Log FilesThe number you enter specifies how many log files to retain at one time. The default is 10.
    Maximum Log File SizeThe number you enter specifies how large, in megabytes, a log file can be before the system starts another log file. For instance, if you enter 10 here, once the log file grows to 10 megabytes, the system starts a new log file. (The default is 10 mb.)
  21. When finished, choose File > Save to save your changes. Then close the Security Token Service Console.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us