Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Designing and configuring single sign-on login for system Operators

Updated on April 12, 2021

By configuring single sign-on access to your Pega Marketing application, your users can sign in using their existing company username and password. This option is available for regular operators (that is, marketing analysts, managers, and so on), as well as for operators linked to automatic system processes.

This article describes the process for configuring access for your system processes.

Task IDTask-040202
Primary roleSenior System Architect
Secondary roleLead System Architect
Tertiary roleN/A

Understanding single sign-on

With single sign-on, you configure Pega to authenticate with your company’s existing authentication infrastructure. This means that your service infrastructure can use existing accounts to access the Pega system

You configure Access Groups in Pega to grant roles and privileges to types of account.

Depending on your company’s authentication infrastructure, you use model operator records to design the access that each kind of account gets granted when they first sign in. This has the effect of creating a Pega Operator record for the system which has authenticated, by copying a template Operator and personalising it based on the information (claims) that the authentication service has provided about that account.

You choose an authentication service that matches the identity provider that your existing IT infrastructure provides. Examples of services are SAML, OpenID, Kerberos, and LDAP.

The approach you take to single sign-on is usually decided between the Lead System Architect, the Lead Business Architect, and your IT team. It is usually then implemented by a Senior System Architect as part of implementing a security-related user story.

Configuring single sign-on

The process to configure single sign-on for your system accounts is the same as configuring it for your human users, and is covered in article 1004005.


Once the authentication services are configured, all of the system accounts which should be able to access Pega will be able to do so using their existing credentials, and they will have access to the parts of the application that they should, and will not have access to those parts that they should not.

Frequently asked questions about your single sign-on configuration

  • Previous topic Designing and configure single sign-on login for Pega Marketing Operators
  • Next topic Design and implement application settings


Senior System Architect

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us