Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Rima Dutta (RIMADUTTA)
Accenture India Pvt. Ltd.

Accenture India Pvt. Ltd.
IN
RIMADUTTA Member since 2012 5 posts
Accenture India Pvt. Ltd.
Posted: Feb 19, 2018
Last activity: Apr 27, 2018
Posted: 19 Feb 2018 9:30 EST
Last activity: 27 Apr 2018 6:02 EDT
Closed
Solved

Can somebody please elaborate the steps of how to use Pega SSO credentials to a REST call within Pega?

In our application we have implemented SSO using kerberos . We have a requirement to call a REST service which uses the same windows credentials .When we call the service from browser ,it gives correct response .But when we call the same REST service from Pega , it gives me an error saying "Your browser is not configured for using SPNego.Press F5 (Page Refresh) to continue."

The requirement here is we should be using the same credentials which is stored in browser cookies . Please note , we are using Pega 7.2.2 version .

***Updated by moderator: Lochan to move post from Pega Academy to PSC***

***Edited by Moderator Marissa to update SR Details***

To see attachments, please log in.
Security
System Administration
Support Case Created

Accepted Solution

Posted: 6 years ago
Posted: 27 Apr 2018 6:02 EDT
Lochana Durgada Vijayakumar (Lochan_DV)
PEGA
Senior Manager, Knowledge Management
Pegasystems Inc.
IN

Hello!

SR-C23658 has been closed with this suggestion - the service has to be modified to accept OAuth authorization, which needed for principal propagation.

Hope this helps other community members who have the same question.

Regards,

To see attachments, please log in.
Posted: 6 years ago
Posted: 20 Feb 2018 1:39 EST
Rima Dutta (RIMADUTTA)
Accenture India Pvt. Ltd.

Accenture India Pvt. Ltd.
IN

hi Narasimha ,

This PDN article talks about how to implement SSO to login to Pega and how to extract kerberos credentials . But doesn't elaborate on how to use those kerberos credentials(GSSCredential) in Connect-REST  rule

 

Thanks,

Rima

To see attachments, please log in.
Posted: 6 years ago
Posted: 20 Feb 2018 2:06 EST
Rima Dutta (RIMADUTTA)
Accenture India Pvt. Ltd.

Accenture India Pvt. Ltd.
IN

hi Sudhakar ,

I 'm able to call the REST from my browser or from POSTMAN web app . But not sure what authentication profile I should be using in the Connect-REST rule .

The credentials are stored in my browser cookies . 

Thanks,

Rima

 

To see attachments, please log in.
Posted: 6 years ago
Posted: 19 Mar 2018 1:21 EDT
Rima Dutta (RIMADUTTA)
Accenture India Pvt. Ltd.

Accenture India Pvt. Ltd.
IN

hi Sudhakar,

I have tried this approach . that is , creating an authentication profile with my SSO login ID/pwd and using that in the connect REST rule .But that gives me an authentication error .

 

Thanks,

Rima

 

To see attachments, please log in.
Posted: 6 years ago
Posted: 23 Mar 2018 5:37 EDT
Siva Venkata Appa Rao Rapeti (sivar1)
PEGA
Senior Principal Software Engineer, Platform Engineering, Security
Pegasystems Inc.
IN
 Hi Rim,
 
The attached document has the all required steps to configure Kerberos. 
 
If you configure PRPC Kerberos settings properly and login with Kerberos  SSO URL "http://SERVERHOSTNAME:8080/prweb/PRWebKerberos1", kerberos gss credentials will be stored in pxRequestor
 
you have to write below java code in an activity to invoke REST end point.
 
1. First you need to get gss credentials from pxRequestor
 
//GSSCredentials stored in pxRequestor.pxSessionContext.pxUserPrincipalObject
ClipboardPage cp = tools.findPage("pxRequestor", true);
 
org.ietf.jgss.GSSCredential gsscredential = null
 
if(Class.forName("net.sourceforge.spnego.SpnegoPrincipal").isAssignableFrom(cp.getObject(".pxSessionContext.pxUserPrincipalObject").getClass())){
   java.lang.reflect.Method m = cp.getObject(".pxSessionContext.pxUserPrincipalObject").getClass().getMethod("getDelegatedCredential", null);
  gsscredential = (org.ietf.jgss.GSSCredential)m.invoke(cp.getObject(".pxSessionContext.pxUserPrincipalObject"), null);
}
 
 
2. There are two ways to invoke rest end
Show More
 Hi Rim,
 
The attached document has the all required steps to configure Kerberos. 
 
If you configure PRPC Kerberos settings properly and login with Kerberos  SSO URL "http://SERVERHOSTNAME:8080/prweb/PRWebKerberos1", kerberos gss credentials will be stored in pxRequestor
 
you have to write below java code in an activity to invoke REST end point.
 
1. First you need to get gss credentials from pxRequestor
 
//GSSCredentials stored in pxRequestor.pxSessionContext.pxUserPrincipalObject
ClipboardPage cp = tools.findPage("pxRequestor", true);
 
org.ietf.jgss.GSSCredential gsscredential = null
 
if(Class.forName("net.sourceforge.spnego.SpnegoPrincipal").isAssignableFrom(cp.getObject(".pxSessionContext.pxUserPrincipalObject").getClass())){
   java.lang.reflect.Method m = cp.getObject(".pxSessionContext.pxUserPrincipalObject").getClass().getMethod("getDelegatedCredential", null);
  gsscredential = (org.ietf.jgss.GSSCredential)m.invoke(cp.getObject(".pxSessionContext.pxUserPrincipalObject"), null);
}
 
 
2. There are two ways to invoke rest end point 
 
1. By using SPNEGO connector
SpnegoHttpURLConnection spnego = new SpnegoHttpURLConnection(gsscredential);
spnego.connect(new URL("http://VITLAB-ENG-W72:8181/hello_spnego.jsp")); // this is the target REST url
out.print("<br />HTTP Status Code: " + spnego.getResponseCode());
 
2. By using standard HTTPClient
CredentialsProvider cp = new BasicCredentialsProvider();
cp.setCredentials(new AuthScope(host, -1, null), new KerberosCredentials(gssCredential));
clientBuilder.setDefaultCredentialsProvider(cp);
HttpClient client = clientBuilder.build();
HttpGet  method = new HttpGet();
method.setHeader("Accept", accept);
method.setURI(new URIBuilder(url).setCustomQuery(queryString).build());
response = client.execute(method);
 
Thanks,
Siva

Show Less
To see attachments, please log in.
Posted: 6 years ago
Posted: 23 Mar 2018 5:52 EDT
Siva Venkata Appa Rao Rapeti (sivar1)
PEGA
Senior Principal Software Engineer, Platform Engineering, Security
Pegasystems Inc.
IN

Kerberos setup is complex so you first use your test environment to setup the Kerberos environment.  Next you can enable Kerberos SSO for production environment. 

 

 

To see attachments, please log in.
Posted: 6 years ago
Posted: 9 Apr 2018 6:45 EDT
Rima Dutta (RIMADUTTA)
Accenture India Pvt. Ltd.

Accenture India Pvt. Ltd.
IN

Thanks all . We have set up kerberos SSO .My question was rather how to use or pass on the SSO credentials to a REST call . 

We have created a Pega service ticket for the same .

 

Thanks,

Rima

 

To see attachments, please log in.
Posted: 6 years ago
Posted: 9 Apr 2018 8:06 EDT
Lochana Durgada Vijayakumar (Lochan_DV)
PEGA
Senior Manager, Knowledge Management
Pegasystems Inc.
IN

Hi Rima,

Please let us know the SR# so that we could track it through this post and update once the resolution is achieved.

Regards,

To see attachments, please log in.

Accepted Solution

Posted: 6 years ago
Posted: 27 Apr 2018 6:02 EDT
Lochana Durgada Vijayakumar (Lochan_DV)
PEGA
Senior Manager, Knowledge Management
Pegasystems Inc.
IN

Hello!

SR-C23658 has been closed with this suggestion - the service has to be modified to accept OAuth authorization, which needed for principal propagation.

Hope this helps other community members who have the same question.

Regards,

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice