SA-13392

Summary

In Pega 7.1.6, there is a requirement to disable the use of a Signed Certificate during a SAML Authentication.

Error Messages

Error: Unable to process the SAML WebSSO request : Unable to build SAML2 Authentication request : trusted certificate entries are not password-protected

Steps to Reproduce

1. Create an Authentication service and configure it.
2. Get Identity provider metadata and upload.
3. Download Service provider meta data and provide it to the Internet provider.
4. Log in via SSO URL.
 

Root Cause

This issue is due to a defect or configuration issue in the operating environment. A password protected private key entry is required to sign the SAML Authentication request. This is configurable using a KeyStore instance in Signing Certificate field of Authentication Service rule. In this particular scenario, no certificates were used. For such use cases, disable signing on the SAML authentication profile, since Pega does not attempt to sign the request in such cases.

Resolution

Perform the following local-change to resolve the issue.

Disable request signing on SAML authentication profile