Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Parthipan Anandhan (PARTHIPAN)
HCL

HCL
NL
PARTHIPAN Member since 2012 3 posts
HCL
Posted: Aug 15, 2019
Last activity: Aug 15, 2019
Posted: 15 Aug 2019 5:55 EDT
Last activity: 15 Aug 2019 13:19 EDT
Closed

Signing certificate & Decryption certificate for MFA AuthService - SAML 2.0 (PRPC 8.2.1)

We have implemented MFA & SSO using AuthService of SAML 2.0 type which works well when checkbox "Disable request signing" is selected (i.e works with out certificate).

I tried with cert but getting the error "Unable to process the SAML WebSSO request : Unable to build SAML2 Logout Response Redirect URL : Key does not exist, Keystore Entry is not either PrivateKeyEntry or SecretKeyEntry".

The key store types are supports in Pega 8.2.1 are JKS, JWK, PKCS12, KEYTAB, KEY.

We are looking for following clarifications

# 1 - Would like to know if it (MFA AuthService - SAML 2.0) works for any of you with certificate. If so, please let us know the Key Store type used by you such as JKS or KEYTAB.

# 2 - Is above specified key store file must need to have private key of certificate inside

# 3 - Have you certificate type of CSR or Non CSR

FYI - SSL offload happnes for us at GTM / LTM level

Thanks in advance for support.

***Edited by Moderator Marissa to update platform capability tags****

To see attachments, please log in.
Low-Code App Development

Posted: 6 years ago
Posted: 15 Aug 2019 8:03 EDT
Kevin Zheng (KevinZheng_GCS)
PEGA
Director, Technical Support, Integration
Pegasystems Inc.
US

#1: JKS

#2: Yes. My personal favorite is http://keystore-explorer.org/downloads.html (free) so you do not have to be familiar with keytool commands - you essentially create keystore of jks type, and generate keypair (with private key). Once jks file is saved, load it to Pega. that should be it. In your case, both signing certificate and decryption certificate are Pega specific and you have total control.

#3: Not following here, btw, SSL is at lower level should not be relevant here.

To see attachments, please log in.
Posted: 6 years ago
Posted: 15 Aug 2019 10:54 EDT
Parthipan Anandhan (PARTHIPAN)
HCL

HCL
NL

Thanks for your response KevinZheng_GCS

Please let me know if private key is mandatory (to give as input) for point # 2 to generate JKS file.

The plan is to use the JKS file in key store rule of Pega and that key store rules will be used in AuthService for both signing certificate and decryption certificate.

Another topic, Azure MFA team asked us to share the certificate file to put in their server. They need cert only with public key.

Shall I send the same JKS file (which is used in Key Store rule of Pega) with them as well to put in their server.

 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice