Authentication services and single sign-on in Pega Web Mashup
An authentication service is a data object that is used to configure several kinds of external authentication, either bypassing or augmenting the standard authentication subroutine.
Authentication services
An authentication service consists of three parts:
- An authentication service object (Data-Admin-AuthService) that identifies the activities to use instead of the standard processing and, for LDAP configurations, the connection information for the LDAP server
- Activities and HTML rules that provide the processing
- A servlet definition in the web.xml file that identifies the name of the authentication service with the AuthService input parameter and sets the AuthenticationType parameter to PRCustom
When a user navigates to the URL specified by the URL pattern of the servlet definition, the system locates the authentication service object identified by the AuthService parameter, writes several parameter/value pairs on a parameter page, and invokes the activity identified in the Authentication Activity field.
Configuring composite application authentication
While there are many ways to configure authentication for a Pega composite application, the system provides several standard components that you can use to implement the two most likely ones.
Authentication using custom HTTP headers
Many third-party authentication applications (for example: Netegrity’s SiteMinder) use custom HTTP headers or cookies to indicate that a user is authenticated.
The standard authentication service named IACAuthentication uses standard activities that show how to extract values from custom HTTP headers in order to identify an authenticated user.
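The servlet definition that the sections above describe, written out as an added example rather than text from the product documentation. The servlet name PRServletCustom and the URL pattern are assumptions, and the servlet class is the one used by the standard PRServlet entry of a Pega 7 web.xml, which you should copy from your own deployment:

```xml
<!-- Added example of a web.xml servlet definition that routes requests to an
     authentication service. Servlet name, URL pattern and servlet class are
     assumptions: copy the class from the existing PRServlet entry in your web.xml. -->
<servlet>
  <servlet-name>PRServletCustom</servlet-name>
  <servlet-class>com.pega.pegarules.internal.web.servlet.WebStandardBoot</servlet-class>
  <!-- PRCustom replaces the standard authentication processing with the
       Authentication Activity of the service named in AuthService. -->
  <init-param>
    <param-name>AuthenticationType</param-name>
    <param-value>PRCustom</param-value>
  </init-param>
  <!-- Name of the Data-Admin-AuthService instance; IACAuthentication is the
       standard service that reads the user identity from custom HTTP headers. -->
  <init-param>
    <param-name>AuthService</param-name>
    <param-value>IACAuthentication</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>PRServletCustom</servlet-name>
  <url-pattern>/PRServletCustom</url-pattern>
</servlet-mapping>
```

Because the PRCustom path trusts whatever the authentication activity reads from the request (custom HTTP headers in the IACAuthentication case), the URL pattern above should be reachable only through the gateway that sets those headers, so that a client cannot supply them itself.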
Authentication using an LDAP directory
When LDAP authentication is implemented, a user is authenticated by the company's LDAP directory when they log in to the portal page, and the request to the system can then contain the user name.
If the user does not yet have an operator ID, the system needs to contact the LDAP directory that authenticated them to retrieve more information. In this case, you can generate an authentication service with the Authentication Accelerator and configure it to use two standard authentication activities provided for Pega Web Mashup (known as Internet Application Composer (IAC) in Pega 7.1.8 and earlier versions) implementations.
Managing Operator IDs and access
No matter which authentication option your application is configured to use, users without Operator IDs have no access rights. Depending on the design of your application and the number of users who interact with it, there are many ways to manage Operator IDs for authenticated users.
For example:
- Configure the system to generate operator IDs for authenticated users who do not have them yet. In this case, the request from the browser that contains the user credentials must include values for specific user properties. Based on those values, the system can locate a model user to use as a template for the generated operator ID.
- Create a small number of operator IDs that are shared by groups of users rather than having the system generate an operator ID for each individual user. In this case, you need to determine how you identify individuals if there is a point at which they must be uniquely defined in order to display personalized information. The web page in which the Pega gadget is displayed can pass data to the gadget to identify individuals with a custom property as needed.
Next steps
Once you are ready to configure authentication for your composite application, see Configuring Pega Web Mashup authentication.