
Configuring Pega Robot Manager to support OAuth 2.0 with SAML bearer

Updated on October 8, 2021

Allow Pega Robot Manager users to authenticate through OAuth 2.0 with SAML bearer by importing the token-signing certificate from the Security Token Service (STS) and configuring the client registration details in Robot Manager.

The STS is an Internet Information Services web service that serves as a minimal version of Active Directory Federation Services. The STS authenticates Pega Robot Studio and Pega Robot Runtime with Robot Manager by using the domain user credentials of the user’s Windows session.

Before you begin: Export the public certificate from the Pega Robotic Automation Security Token Service. Make a note of the keystore name and description. For more information, see Obtaining the token signing certificate for authenticating Pega Robot Manager users.

Uploading the token-signing certificate to your application

Create a keystore that stores the STS token-signing certificate for verifying the identity of Pega Robot Manager users.

  1. In Dev Studio, click Create > Security > Keystore.
  2. Provide a keystore name and description, and then click Create and open.
  3. On the Main tab, in the Keystore location field, press the Down Arrow key and select Upload file.
  4. In the Keystore file name section, click Upload file and then upload the .pfx or .jks certificate that you obtained from your Security Token Service provider.
  5. Specify the type of keystore that you uploaded, for example JKS or PKCS12.
  6. Provide the password for the keystore.
    Figure: Uploading a keystore file to Pega Platform. Create a Keystore record in Pega Platform to hold your public certificate from the STS service.
  7. Confirm your configuration by clicking Save.

Configuring the identity mapping

Map the truststore for the token-signing certificate and specify the method to use to identify Pega Robot Manager users.

The truststore is the rule that stores the certificate.

  1. In Dev Studio, click Records > Security > Identity Mapping.
  2. In the Instances of Identity Mapping section, click Create.
  3. Provide the details for the new instance of identity mapping:
    1. Specify the identity mapping name.
    2. Provide a meaningful short description.
    3. In the source field, select SAML 2.0 Assertion.
      Figure: Creating an identity mapping. Provide the basic information for your identity mapping between STS and Robot Runtime.
    4. Click Create and open.
  4. Configure the identity mapping details:
    1. In the Truststore field, reference the keystore rule that stores the STS token-signing certificate.
    2. In the Map operator ID from field, select Attribute or Datapage reference.
    3. Set the attribute reference by entering {UPN} in the {attribute name} or D_pageName.propertyName field.
      You can reference other attributes, such as the email address, depending on the Security Token Service payload. Note: Pega Robotic Automation STS only sends the UPN or userName attribute.
      Figure: Identity mapping details. Reference the keystore and define how users are identified by configuring the Identity Mapping details.
  5. Confirm your settings by clicking Save.

Configuring the client registration

Create an OAuth 2.0 client registration to allow Pega Robot Runtime to securely access Pega Robot Manager over HTTPS.

  1. In Dev Studio, click Records > Security > OAuth 2.0 Client Registration.
  2. In the Instances of OAuth 2.0 Client Registration section, click Create.
  3. Provide the details for the new instance of OAuth 2.0 Client Registration:
    1. Specify the client registration name.
    2. Provide a meaningful short description.
    3. Click Create and open.
  4. Configure the client registration details:
    1. Ensure that the Type of client field is set to Confidential.
    2. In the Supported grant types section, select SAML bearer.
    3. In the Identity mapping field for the SAML bearer option, select the mapping between the Security Token Service and Pega Robot Runtime that you just configured.
    4. Clear the check boxes for all other supported grant types.
    Figure: Creating an OAuth 2.0 client registration. Create an OAuth 2.0 client registration that references the identity mapping for Pega Robot Manager users.
  5. Save the client ID and the client secret:
    1. In the Client credentials section, click View & download.
    2. In the View & download window, click Download credentials.
    3. Save the RoboticsClient_ClientCredentials.txt file in a secure location.
      Note:
      • Although the file contains multiple parameter values, you only need the values of the Client ID and Client Secret.
      • You can retrieve the client secret only once. If you forget the secret, click Regenerate client secret to create a new one. If you change any of the values, Pega Platform re-generates the client secret and places the secret and the existing client ID in a file that you can download.
  6. Confirm your settings by clicking Save.
What to do next: Set up the relying party with the Client Secret and Client ID that you generated in Pega Platform.
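The identity mapping and client registration above are the two halves of one exchange: the SAML 2.0 bearer grant (RFC 7522). Robot Runtime presents the STS-issued assertion to the token endpoint as grant_type urn:ietf:params:oauth:grant-type:saml2-bearer, authenticating as the confidential client with the client ID and secret from the downloaded credentials file; Robot Manager verifies the assertion against the truststore, checks its conditions, and resolves the operator ID from the attribute named in the mapping ({UPN} here). The following Python is an added illustration of that flow and is not Pega's code: the assertion, issuer, audience and credential values are constructed placeholders, and the XML signature check that the truststore enables is stated as a precondition rather than implemented (it needs an XML-DSig library), so only the condition checks and attribute mapping are shown.

```python
"""Added example (not Pega Platform code): client-side SAML bearer token request
and server-side identity mapping for the flow configured on this page.
All sample values are constructed placeholders."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed sample assertion, shaped like what the STS issues: a short
# validity window, an audience (the relying party) and only a UPN attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_placeholder-1" IssueInstant="2021-10-08T10:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-10-08T10:00:00Z" NotOnOrAfter="2021-10-08T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://robotmanager.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="UPN"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_token_request(assertion_xml: str, client_id: str, client_secret: str) -> dict:
    """Client side: form body POSTed to the token endpoint (RFC 7522, section 2.1).
    The assertion is base64url-encoded without padding; client_id/client_secret
    come from the downloaded credentials file."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).rstrip(b"=").decode("ascii")
    return {
        "grant_type": SAML2_BEARER,
        "assertion": encoded,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def decode_assertion(form: dict) -> ET.Element:
    """Server side, step 1: reject other grant types and decode the assertion."""
    if form.get("grant_type") != SAML2_BEARER:
        raise ValueError("unsupported grant type")
    b64 = form["assertion"]
    b64 += "=" * (-len(b64) % 4)  # restore the padding the client stripped
    return ET.fromstring(base64.urlsafe_b64decode(b64))


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def map_operator_id(assertion: ET.Element, audience: str, now: datetime, attribute: str = "UPN") -> str:
    """Server side, step 2: the identity-mapping checks that follow signature
    verification (assumed already done against the truststore certificate).
    Enforces the validity window and audience, then maps the named attribute
    to the operator ID; any failure rejects the grant."""
    conditions = assertion.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        raise ValueError("assertion was not issued for this relying party")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return value.text.strip()
    raise ValueError(f"attribute {attribute!r} not present in assertion")


if __name__ == "__main__":
    request = build_token_request(SAMPLE_ASSERTION, "placeholder-client-id", "placeholder-secret")
    parsed = decode_assertion(request)
    when = datetime(2021, 10, 8, 10, 2, tzinfo=timezone.utc)
    print(map_operator_id(parsed, "https://robotmanager.example.test/", when))
```

Note that the STS only sends UPN or userName, so mapping on any other attribute (for example an email address) fails closed with the last ValueError, which is the behaviour you want: an assertion that cannot be mapped to an operator must not yield a token.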