Authentication Service form
Completing the SAML 2.0 tab

Note: this tab only appears for SAML 2.0 authentication services.

Select the Enable SAML (SSO) Authentication check box to activate SAML authentication. If this box is not checked, you cannot use servlets mapped to this authentication service for logging into Pega 7using SAML web SSO.

Provide or manage information in the fields below.

Identity Provider (IdP) information

You can upload IdP information from a URL or a file. Click the Import IdP metadata link and select Upload Metadata via URL (and provide the URL) or Upload Metadata via File (and browse to the file to upload). Click OK to upload the information and populate the fields in the next section, or click Cancel to abandon the upload and close the form. You can manually enter the information instead of uploading it.

Note: If you choose Upload Metadata via URL and the URL points to an HTTPS endpoint, the server certificate must be present in the default truststore of the application server on which Pega 7is deployed.

• Entity Identification (Issuer) - Provide the IdP entity ID.
• Login (SSO) protocol binding - Select HTTP POST, HTTP Artifact, or HTTP Redirect.
• Login location (SSO) - Provide the IdP single-sign-on service URL.
• Login protocol binding - Provide the IdP single sign-on service binding. In 7.1.6, the only option is HTTP POST.
• Logout location (SLO) - Provide the single logout service URL. Starting in Pega 7.1.6, the only option is HTTP Redirect.
• Verification certificate - Provide the IdP signing certificate alias and expiry date. Click the pencil icon to display a form where you can provide certificate information:
  • Certificate store - Select the keystore that contains the IdP Public Key used for verifying the signature of the SAML assertions.
  • Alias - Corresponds to the certificate alias in the keystore you selected above.
  Note: If you import IdP metadata, if the Certificate Store field is blank, the system creates a keystore instance and adds the idP certificate to the new keystore instance. The system sets the alias of the entry in the keystore to the certificate's issuer name and sets keystore password to rules.
  If the Certificate Store field is not blank and points to a valid keystore isntance when you import the IdP metadata, the system adds the IdP certificate to the existing keystore instance. The system sets the alias of the entry to the certificate's issuer name.

Service Provider (SP) settings

Note: the system populates the first three fields below with default values. If you edit these values and later wish to recover the default values, click Reset.

• Entity Identification - For new authentication services the system provides an auto-populated entity ID, which you can edit if you wish.
• Assertion Consumer Service (ACS) location - For new authentication services the system provides the URL of the standard ACS REST service URL. You can edit this if you wish.
• Single logout location - For new authentication services the system provides the URL of the standard Logout REST service. You can edit this if you wish.
• Signing certificate - Provide the SP Private Key to sign the SAML Authentication and Lougout Requests. Click the pencil icon to display a form where you can select the keystore that contains the private key, private key alias, and password to use.
• Decryption certificate - Provide the SP Private Key to decripty response from IdP for the Authentication and Logout Requests. Click the pencil icon to display a form where you can select the keystore that contains the private key, private key alias, and password to use.

Click the Download SP metadata link to download the service provider SAML metadata. Note: you must save the authentication service instance before you can download the metadata.

Advanced configuration settings

• Timeout activity - Enter or select the name of the timeout activity to use. The selection list shows all activities that apply to the Code-Security class. The default timeout activity to use for SAML Web SSO is pySAMLWebSSOTimeoutActivity.
• Authentication activity - Enter or select the name of the authentication activity to use. The selection list shows all activities that apply to the Code-Security class. The default authentication activity for SAML Web SSO is pySAMLWebSSOAuthenticationActivity. See More about authentication services for requirements for such activities.

Check the Disable request signing check box to disable signing of authentication and logout requests from your application to the Identity Provider (IdP).

About Authentication Services

Open topic with navigation