Best practice for SSO JWT Integration (RS256) between Pega and ServiceNow Engagement Messenger

sn-neeraj
Tera Contributor

Hi everyone,

I am integrating ServiceNow's Engagement Messenger into a Pega application. We need to authenticate users seamlessly via SSO using a JSON Web Token (JWT). Pega is acting as the Identity Provider (IdP) generating the token, and ServiceNow is the Service Provider verifying it. ServiceNow requires the JWT to be signed with the RS256 (RSA) algorithm.

What we have configured so far:

  • ServiceNow: Configured the OAuth Application Registry (JWT Bearer) and set up the Client ID (aud claim).

  • Pega: Created an Activity to construct the token with the correct claims (sub for email, aud for SNOW Client ID).

The Roadblock:
I am trying to use Pega's native pxGenerateJWT activity combined with a Token Profile to generate the token. However, to use the RS256 signature algorithm, the Token Profile requires a Keystore that contains an RSA Private Key.

Currently, my Pega instance does not expose a native UI button to "Generate" a Java Keystore (.jks) directly. I only have access to a public JWKS JSON snippet, which lacks the private key material necessary to sign the token.

As a temporary workaround, I wrote a custom Java step in Pega that hardcodes an RSA Private Key to construct and sign the token, and I uploaded the matching public X.509 .cer file to ServiceNow. This works perfectly, but we want to move to a native, secure, and maintainable configuration using Pega's Token Profile and ServiceNow's JWKS URL verification.

My Questions for the Community:

  1. Keystore Generation: Is generating a .jks key pair externally (e.g., using OpenSSL or Java Keytool) and manually uploading it to a Pega Keystore record the standard best practice for this integration?

  2. Pega JWKS Endpoint: If I upload a custom .jks file to a Pega Keystore and link it to my Token Profile, will Pega automatically expose the corresponding public key on its native JWKS endpoint (/prweb/PRRestService/oauth2/v1/token/keys)?

  3. ServiceNow Configuration: When switching ServiceNow from a static X.509 Certificate to Pega's JWKS URL, are there any specific caching or configuration gotchas on the ServiceNow JWT Provider side to ensure it successfully downloads and verifies the public key?

Any guidance, documentation links, or examples from anyone who has successfully integrated Pega with ServiceNow Engagement Messenger using native JWT profiles would be greatly appreciated!

Thanks in advance!

0 Replies
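The three questions above all come down to one flow: the IdP keeps an RSA private key in a keystore, publishes only the public half (n, e, kid) at a JWKS URL, signs the JWT with RS256, and the verifier fetches the JWKS, picks the key by kid, checks the signature, then checks aud and exp. The Go program below is an added example that models both sides of that exchange end to end; it is not code from the original post, from Pega or from ServiceNow, and the issuer URL, kid value, subject and audience strings in it are made-up placeholders. It generates the key pair in memory for the sake of a self-contained run; for Q1 the normal way to produce the keystore a Token Profile expects is an external tool such as keytool (`keytool -genkeypair -keyalg RSA -keysize 2048 -keystore <file>.jks`) and then uploading that file to the keystore record. The verifier deliberately refuses any `alg` other than RS256 and fails closed when the token's kid is absent from the JWKS, which is the situation you hit after a key rotation while the relying party is still holding a cached copy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the RFC 7517/7518 fields needed to publish an RSA signing key.
type JWK struct {
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document a verifier fetches from the IdP's keys URL.
type JWKS struct{ Keys []JWK `json:"keys"` }

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublishJWK converts a public key into the JWK a JWKS endpoint would serve.
// Only n and e are exported; the private key never leaves the signer.
func PublishJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Alg: "RS256", Kid: kid,
		N: b64url(pub.N.Bytes()), E: b64url(big.NewInt(int64(pub.E)).Bytes())}
}

// SignRS256 is the IdP side: base64url(header).base64url(claims) signed with
// RSASSA-PKCS1-v1_5 over SHA-256, which is what "RS256" means in RFC 7518.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil { return "", err }
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64url(sig), nil
}

// VerifyRS256 is the SP side: pin the algorithm, select the key by kid from the
// fetched JWKS, rebuild the RSA public key, check the signature, then aud and exp.
func VerifyRS256(token string, jwks JWKS, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return nil, errors.New("unexpected alg " + hdr.Alg)
	}
	var key *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == hdr.Kid && jwks.Keys[i].Kty == "RSA" { key = &jwks.Keys[i] }
	}
	if key == nil { // typical after rotation while the verifier still holds a cached JWKS
		return nil, errors.New("kid " + hdr.Kid + " not present in JWKS")
	}
	nBytes, err := base64.RawURLEncoding.DecodeString(key.N)
	if err != nil { return nil, err }
	eBytes, err := base64.RawURLEncoding.DecodeString(key.E)
	if err != nil { return nil, err }
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: int(new(big.Int).SetBytes(eBytes).Int64())}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]any
	if err := json.Unmarshal(bodyRaw, &claims); err != nil { return nil, err }
	if aud, _ := claims["aud"].(string); aud != wantAud { return nil, errors.New("aud mismatch") }
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) { return nil, errors.New("token expired or missing exp") }
	return claims, nil
}

// main plays both roles with placeholder identifiers (hypothetical values).
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // in a real deployment this sits in the IdP keystore
	jwks := JWKS{Keys: []JWK{PublishJWK("pega-key-1", &priv.PublicKey)}}
	now := time.Now()
	tok, _ := SignRS256(priv, "pega-key-1", map[string]any{
		"iss": "https://pega.example/prweb", "sub": "jane.doe@example.com",
		"aud": "snow-client-id", "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	claims, err := VerifyRS256(tok, jwks, "snow-client-id", now)
	fmt.Println(claims["sub"], err)
}
```

Two practical points follow from the verifier's shape. First, because selection is by kid, every token header must carry the kid that the JWKS advertises; a signer that omits kid forces the verifier to guess, and a JWKS that omits kid cannot support more than one key. Second, any relying party that fetches a JWKS will cache it, so when rotating keys publish the new key in the JWKS (alongside the old one) before the first token is signed with it, and keep the old key published until its last token has expired; otherwise the verifier sees a kid it does not know and rejects the token exactly as the code above does.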