Posted: 9 Jun 2016 12:40 EDT Last activity: 9 Jun 2016 15:27 EDT
SAML SSO : Retreive Keystore Password at Runtime
We are working on implementing SAML based SSO in PEGA 7.1.8 version and the problem we are facing is that we want to retrieve the Keystore password at run-time (by passing the encrypted string) instead of storing the Keystore password directly in the PEGA Database. PEGA OOB doesn't support this and we have raised SR as well and seems like this feature may not be available in near future. The problem with storing Keystore password directly in PEGA DB is that it may change and also security concerns as the same Keystore is used by many PEGA & Non-PEGA applications.
I am planning to override/customize Keystore related activities defined in Data-Admin-Security-SSO-SAML class to retrieve the KeyStore password using Java code and PEGA Keystore rule contains the encrypted string instead of actual password.
Please let me know if you have any suggestions or alternative solutions?
In 7.1.7 and 7.1.8, when we enter the Signing and Decryption passwords in the authentication rule form PEGA is storing them in Plain Text and we can see the entered passwords using the "View XML" of the authentication rule form. We have raised a SR for this and we got the Hotfix. I think in 7.2 this is fixed Natively and passwords are not visible using View XML.
The issue i am talking about is that our organization doesn't allow us to Store the KeyStore passwords in PEGA DB at all and instead we need to retrieve the Keystore password stored at the container level. We need some extension point to call our Java code, which gets the Keystore password at run time.
After debugging i found that, PEGA is creating the authentication request in com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils and com.pega.pegarules.integration.engine.internal.sso.saml.SAMLPostBindingHandler internal classes and I don't think we can do any customization for this.