Support Article
Unable to build SAML2 Authentication request
SA-13392
Summary
In Pega 7.1.6, there is a requirement to disable the use of a Signed Certificate during a SAML Authentication.
Error Messages
Error: Unable to process the SAML WebSSO request : Unable to build SAML2 Authentication request : trusted certificate entries are not password-protected
Steps to Reproduce
1. Create an Authentication service and configure it.
2. Get Identity provider metadata and upload.
3. Download Service provider meta data and provide it to the Internet provider.
4. Log in via SSO URL.
Root Cause
This issue is due to a defect or configuration issue in the operating environment. A password protected private key entry is required to sign the SAML Authentication request. This is configurable using a KeyStore instance in Signing Certificate field of Authentication Service rule. In this particular scenario, no certificates were used. For such use cases, disable signing on the SAML authentication profile, since Pega does not attempt to sign the request in such cases.
Resolution
Perform the following local-change to resolve the issue.
Disable request signing on SAML authentication profile
Published August 28, 2015 - Updated October 8, 2020
Have a question? Get answers now.
Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.