

Updating an expired Service Provider certificate in a SAML Authentication Service

Updated on June 30, 2021

If you are using a SAML authentication service and its Service Provider (SP) certificate has expired, you need to create a new keystore that holds a certificate with a valid expiration date, select that keystore under the Service Provider details of the authentication service, and re-export the SP metadata to the identity provider. The identity provider uses the certificate in the SP metadata to verify the signatures on your authentication requests and to encrypt assertions for your system, so the rotation is not complete until the identity provider has the new metadata.

Complete the following three tasks, in this order:

  1. Create a keystore with a valid expiration.
  2. Configure the keystore.
  3. Re-export the Service Provider metadata and import it into the Identity Provider.

Create a keystore with a valid expiration

A keystore is a file that contains keys and certificates that you use for encryption, authentication, and serving content over HTTPS. A valid expiration is any certificate expiration (not-after) date that is in the future. Choose a validity period long enough that you can rotate the certificate again on a schedule, rather than after it has already expired.

  1. Follow the steps in Creating a keystore for application data encryption.

Configure the keystore

Note: There are several ways to configure a keystore in Pega Platform. In this example, you upload a keystore file. If you created the keystore by another method, see Keystores.

Now that you have created a keystore, configure it by opening the keystore record and uploading the file:

  1. In the navigation panel of Dev Studio, click Records > Security > Keystore and select the keystore from the instance list.
  2. Click Upload file.
  3. Click Choose File, browse to the keystore file, and select it.
  4. Click Upload file.
  5. In the Keystore type field, enter the type of the keystore file: JKS, JWK, PKCS12, KEYTAB, or KEY. The type must match the file format, or Pega Platform cannot read the keys in it.
  6. In the Keystore password field, enter the password of the keystore file.
  7. Click Save.

Re-export the Service Provider metadata to the Identity Provider

The Service Provider and Identity Provider need to trust one another's certificates. To finalize the process, export the updated SP metadata, which now contains the new certificate, and then add it to the Identity Provider, replacing the metadata that still references the expired certificate.

  1. In the navigation panel of Dev Studio, click Records > SysAdmin > Authentication service.
  2. Select the SAML authentication service that you need to update.
  3. In the Service Provider (SP) settings section of the SAML 2.0 tab, confirm that the Service Provider details reference the keystore that you updated in the previous task, and then click Download SP metadata.
    Note: This opens a new browser tab with the system's SP metadata as XML. Save it to a file.
  4. Check that the X509Certificate element in the downloaded metadata is the new certificate (its expiration date is in the future). If it is still the old certificate, the authentication service is not using the new keystore.
  5. Import the SP metadata into your Identity Provider and test a sign-on.
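The two scriptable parts of this procedure, creating the keystore (task 1) and checking that the re-exported metadata (task 3) really carries the new certificate, as an added example. This is not code from the Pega documentation or from Pega Platform: it uses openssl, which is not part of Pega. The file names, alias, password, subject and validity period are assumptions, and the metadata file it writes is a constructed stand-in for the Download SP metadata output, so that the check can run offline; point METADATA at the real download to check that.

```shell
#!/bin/sh
# Added example; not part of the Pega documentation or of Pega Platform itself.
# Task 1: build a PKCS12 keystore whose certificate expires in the future.
# Task 3: check that the SP metadata downloaded from Dev Studio carries that new
# certificate (same SHA-256 fingerprint) rather than the expired one.
# File names, alias, password, subject and validity are assumptions. The sample
# metadata written below is constructed here because this script cannot reach
# Dev Studio; set METADATA to the real download to check it instead.
set -eu

KEYSTORE="${KEYSTORE:-sp-keystore.p12}"
ALIAS="${ALIAS:-saml-sp}"
STOREPASS="${STOREPASS:-changeit}"                   # assumption; use a strong one
DAYS="${DAYS:-730}"                                  # new validity period
SUBJECT="${SUBJECT:-/CN=sp.example.com/O=Example}"   # assumption
METADATA="${METADATA:-sp-metadata.xml}"              # saved "Download SP metadata" output

# Key pair plus self-signed certificate valid for $1 days, written to $2.key / $2.crt.
# If a CA issues your SP certificate, generate a CSR here instead of using -x509.
new_key_and_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$1" -subj "$SUBJECT" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# Task 1: wrap the new key and certificate in a PKCS12 keystore for upload.
create_keystore() {
  tmp=$(mktemp -d)
  new_key_and_cert "$DAYS" "$tmp/sp"
  openssl pkcs12 -export -inkey "$tmp/sp.key" -in "$tmp/sp.crt" -name "$ALIAS" \
    -out "$KEYSTORE" -passout "pass:$STOREPASS"
  rm -rf "$tmp"
}

# The certificate stored in the keystore, as plain PEM on stdout.
keystore_cert() {
  openssl pkcs12 -in "$KEYSTORE" -nokeys -clcerts -passin "pass:$STOREPASS" 2>/dev/null \
    | openssl x509
}

# Exit 0 if the keystore certificate is still valid $1 seconds from now, 1 otherwise.
keystore_valid_for() {
  keystore_cert | openssl x509 -noout -checkend "$1" >/dev/null
}

# SHA-256 fingerprint (AB:CD:...) of the PEM certificate on stdin.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of every X509Certificate element in SP metadata file $1, one per line.
# The certificate sits base64-encoded inside KeyDescriptor; the match ignores the
# namespace prefix (ds:, dsig:, or none).
metadata_fingerprints() {
  tr -d '\n\r\t ' < "$1" \
    | grep -o '<[^<>]*X509Certificate>[^<]*<[^<>]*X509Certificate>' \
    | sed 's/<[^>]*>//g' \
    | while read -r b64; do
        { echo "-----BEGIN CERTIFICATE-----"; echo "$b64" | fold -w 64
          echo "-----END CERTIFICATE-----"; } | fingerprint
      done
}

# Task 3 check: does metadata file $1 carry the certificate now in the keystore?
metadata_matches_keystore() {
  want=$(keystore_cert | fingerprint)
  metadata_fingerprints "$1" | grep -qxF "$want"
}

# Constructed stand-in for what "Download SP metadata" returns (real output has more
# elements): writes file $1 with the PEM certificate read from stdin embedded.
write_sample_metadata() {
  b64=$(openssl x509 -outform DER | openssl base64 -A)
  cat > "$1" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Usage: create the keystore, refuse one that expires within 30 days, then run the
# metadata check against the constructed sample (substitute the real download).
create_keystore
echo "$KEYSTORE ($ALIAS): $(keystore_cert | openssl x509 -noout -enddate)"
keystore_valid_for $((30 * 24 * 3600)) || { echo "certificate expires within 30 days" >&2; exit 1; }
keystore_cert | write_sample_metadata "$METADATA"
if metadata_matches_keystore "$METADATA"; then
  echo "OK: $METADATA carries the keystore certificate; import it into the IdP"
else
  echo "STALE: $METADATA does not carry the keystore certificate; re-download it" >&2
  exit 1
fi
```

Upload the resulting .p12 with Keystore type PKCS12. Some Java versions cannot read the default PKCS12 encryption that newer OpenSSL releases write; if Pega rejects the upload, re-export with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`, or build the keystore with `keytool -genkeypair` instead. A STALE result on the real download usually means the authentication service still points at the old keystore, which is the mistake the ordering of the three tasks is meant to prevent.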
