Logo
  • Products
    • SecOps Studio
  • Solutions
    • Pega Stack Shifter
  • Services
    • Pega Enablement
    • Pega Modernization
  • About
  • Contact
  • Blog
Code Vault

Single Sign On – Part 3 – Configure SP

December 10, 2024 Code Vault Curators

This is the continuation of the previous blog article. In the last article, we saw how we can configure an IdP entity using OpenAM.

For better understanding, please go through the below articles, before proceeding further.

In this post we will see how we can configure a Service provider entity details in Pega authentication service as well in OpenAM application.

We know that Pega plays the role of service provider entity.

 

Let’s start with configuring the service provider in Pega

How to configure the service provider entity in Pega?

Step 1: Create a new authentication service for SSO

Configure-> Org&Security -> Authentication -> Create Authentication Service

 

On the create form, you can select SAML2.0 as the authentication type.

I gave the name as sso1.

 Just to mention that pega already has few servlets name by default for SSO configured in the web.xml file (tomcat->webapps->prweb->WEB-INF). I am gonna use one of the servlet sso1

 Provided the alias name as sso1. Hence my url will be

http://localhost:8080/prweb/PRAuth/sso1

 Okay, next step.

Step 2: Import the IdP metadata

In the previous post at the end, we saved the IdP metadata in an XML file. Upload the same file for importing the data.

 On submitting, you will see all the details are prefilled from the metadata.

 Entity Identification – The IdP host name.

Login protocol binding – Determines the protocol/ method by which the response message is transmitted.

The most recommended binding method is HTTP POST, where the SAML message is a normal POST body

The other methods

HTTP Artifact – this is a secured way, where the SAML message will not be exposed and compressed in a single entity artifact

HTTP Redirect – Here the SAML message is enclosed in URL.

Login location – identifies where the logic service is located in IdP

The similar fields are applicable for Logout as well

Verification certificate –

Click on the edit icon, to view the available keystore instances.

 You see already a keystore instance available for sso1 !!  Don’t think it as the OOTB keystore 😊

When you imported the IdP metadata along with the signing certificate, pega created a new keystore instance and saved the .jks file

In the certificate alias, you will see the details we provided while creating a new certificate!

 You can click and open the keystore instance – sso1IDPCertStore

 Do not touch any of the IdP information, unless needed. Just accept the default 😊

 Step 3: Update the operator identification details.

 Map Operator Id from – we have two options

a) Name ID in the subject – We already specified uid in the NameID format. So I am going with this option selected.
b) Attribute – You can also map other attributes to identify the operator ID (eg.given name, email etc)

Enable operator provisioning using model operator – 

We already seen this option in LDAP tutorial. Here you can create operators on the fly, if the operator record is not available in the pega database.

You can set the operator context in 3 ways

a) Model operator
b) By organization structure
c) Data transform.

I specify by using the option of Model operator – Prem

 Important note: My another hurdle, put it inside double quotes.

Step 4: Verify and update the Service provider details.

 Same like before, all are default updated.

One interesting thing to note is the ACS and logout URLs are Pega rest api under the service package WebSSO.

Certificates – 

Here the service provider can sign the request with certificates.

 So, we will create new certificates for SP, same as we did in previous post using keytool.

Switch to the bin folder of JDK using command line tool and execute the below command

keytool -genkeypair -alias pegaspkey -keyalg RSA -keysize 1024 -validity 730 -storetype JKS -keystore keystore.jks

 After successful creation, you will see a new jks file.

 Now create a new keystore instance in Pega and import the keystore.jks file

Records->Security -> Keystore

 Provide the newly created keystore instance in both the Signing certificate and decryption certificate.

Make sure you provide the right password.

 Advanced configuration settings

 Use access group timeout – This is a security restriction where you can specify the allowed time a session can be in idle/inactive state. Use it only when needed.

Pre-authentication activity – Use the activity to excute the preactivity to be performed before the actual authentication kicks in.

For eg – You can restrict accessing your website from mobile using pre-authentication activity.

Check my previous post on LDAP, where I explained with a tutorial. Also note down an OOTB activity – pySSOPreAuthenticationActivity for reference.

Post-authentication activity – Use the post activity to perform some operations like conditional data mapping from the attributes and also you can restrict access to the operator even though after successful SSO authentication.

Note down the OOTB activity – pySSOPostAuthenticationActivity for reference.

Force authentication – If you need to reauthenticate the expired sessions, then use this checkbox.

For this tutorial, I am leaving all empty!

Mapping tab

You can map the SAML attributes or the properties used in the pre, post authentication activities can be mapped to the Operator rule form.

For mapping SAML attributes, specify the attribute name inside curly braces as shown below.

 Save the rule form.

Step 5: Generate the Service provider metadata.

Move to SAML 2.0 tab and scroll to the service providers block.

 Click on Download SP metadata.

You will see the Rest service response as XML output.

 Save the XML into meaningful name.

We are done with configuring the service provider details in pega.

How to configure the service provider entity in OpenAM?

Step 1: Launch the OpenAM admin studio

http://localhost:8080/openam

Step 2: Click on the Realm (MyKnowPega) ->Create SAML2 Providers -> Register Remote Service Provider

 Step 3: In the configuration page, upload the generated SP metadata XML.

 

Step 4: Update the CoT and Attributes as we did for IdP configurations.

 Once done, click on the federation tab, to verify the IdP and SP details.

 Configuring SP entity is pretty simple right 😊

Now, one last step here. Add the users to this realm.

How to add users in OpenAM?

Step 1: Go to OpenAM homepage and click on Realm (myknowpega)

Step 2: On the left panel, click on the Subjects.

 Step 3: Click ‘New’ to add a new user.

 Step 4: Fill in the details of the new user.

ID=UID;

Note: This operator Loki is not available in my pega system and remember I configured user provisioning option! (creating pega operators on the fly)

 

Step 5: You can go back to the users overview, click and add more details to the operator.

 Once done, save your changes!

Time to test! But before that do a restart to your OpenAM application.

Hint: Use tomcat manager page, to stop start the server.

How to test your SSO authentication?

Step 1: Hit the SSO authentication URL, you configured in the authentication service rule

http://localhost:8080/prweb/PRAuth/sso1

Step 2: Watch the URL header field.

It lands in the OpenAM landing page and prompting for credentials. Expected result because I haven’t logged in yet!

 Step 3: Provide the credentials of the newly created user and watch the header!

First you will get Access right validated message.

 Followed by your assertion URL.

 Step 4: You should be successfully logged in to pega application.

Yes 😀

 

Step 5: Let’s verify the newly created operator record.

 You see it is automatically created. Full name is Premkumar, because that is the model operator attributes

Step 6: And finally verify the telephone number attribute mapping.

 Finally,Loki is back 😊. SSO is over.

Hope you liked these posts and learned something new about SSO.

 

 

  • authentication
Code Vault Curators

A technical team dedicated to empowering the Pega ecosystem with in-depth knowledge, guided by Premkumar Ganesan's vision.

Post navigation

Previous
Next

Pega Courses

Pega courses can be accessed at https://myknowacademy.com

Search through the blog

Tags

activity authentication background-processing case-management data-model declarative-processing email-processing file-processing pega-core-concepts pega-integration process reporting security system-administration user-interface validation

Categories

  • Code Vault

Recent posts

  • Service REST – Usage and Configurations in Pega
  • Queue processor – Usage and Configurations
  • Data Pages Usage & Configurations in Pega
  • Requestor types in Pega
  • Case Locking Mechanism in Pega

Related Articles

Code Vault

Requestor types in Pega

December 11, 2024 Code Vault Curators

In this blog article, we will see about different requestor types in Pega. This article is implemented using Pega Infinity ’24 version. First, let’s start with understanding the term – Requestor. What is a requestor? From the name, we can say that it can be any people or object which requests for a service. From […]

Code Vault

Configure LDAP Authentication Service in Pega

December 10, 2024 Code Vault Curators

In this blog article, we will see how we can authenticate the application user credentials against the attributes stored in the apache directory server. It is mandatory to visit my another blog article of LDAP set up before proceeding in this article. How to configure the LDAP authentication in Pega? Let’s start by choosing the […]

Code Vault

Configure LDAP services – Apache Directory

December 10, 2024 Code Vault Curators

In this blog article, we will see more in detail about directory services and LDAP protocols. We will also set up our own directory service. Let’s start with the directory. What is a directory? Directory is a collection or list of data and they saves the information and provides them when needed. Real time examples […]

Code Vault

Customizing Basic authentication in Pega

December 10, 2024 Code Vault Curators

In the last post, we saw how the default basic authentication works in Pega. In this post, we will see how we can customize and have our own basic authentication. This blog article is implemented using 8.2 version Now the first question is why do we need to customize the basic authentication? 1. When the […]

About

MyKnowTech was born with a mission to bridge the gap between technical expertise and business needs. We are a boutique firm specializing in Pega solutions, delivering them with a personal touch. At the heart of our philosophy is a commitment to putting clients first.

Company
  • About
  • Leadership
  • Career
  • Contact
Resources
  • Blog
  • Services
  • Solutions
  • Insights

©  MyKnowTech B.V. All Rights Reserved.

  • Sitemap
  • Terms & Conditions
  • Privacy Policy