Published Release Notes

External login with OpenID Connect or SAML protocol for custom mobile apps

Custom mobile apps can now use single sign-on (SSO) with OpenID Connect or SAML to authenticate by using identity providers such as Google, Auth0, Okta, or Azure Active Directory (Azure AD). External login provides a convenient and secure way to access your application. Users' credentials are never shared with the custom mobile app.

For more information, see Configuring a custom mobile app to use external login with OpenID Connect or SAML protocol.

Protect a custom mobile app with a device lock

Custom mobile applications that use an external identity provider (IdP) that is compatible with OpenID Connect or SAML for login are now protected with the device's personal identification number (PIN) or biometric lock. The app user does not have to set up an additional application-specific password and can unlock the app quickly and easily. You can configure the behavior of the locking method and implement custom locking methods by using a custom native module implementation.

For more information, see Protecting your custom mobile app with a device lock.

Mobile apps now use custom-generated skeletons for page transitions

Mobile harnesses are now configured with custom-generated skeletons. Used during page transitions, skeletons render a temporary placeholder UI that closely matches the actual UI while data is being loaded from the data store. The use of skeletons enhances the user experience by providing a smooth transition while data is being loaded.

Skeleton transitions work with both dynamic and Ajax containers on the mobile client but work only with the Ajax container on tablets and desktops.

For more information, see Transition effects on actions.
 

Data entered in a new harness is lost after a sync operation

If you create a case in an offline-enabled application and enter data in a new harness, this data is lost after you click Submit and the sync operation takes place. For more information, see Offline capability and Enabling offline support for cases.

All search data is encrypted

All search data in Pega Cloud deployments is now encrypted, both at rest and in transit. The encryption of search data makes search compliant with regulatory requirements.

For more information about search, see Full-text search.

Known issue: SAML IdP import uses only the last certificate

When you configure the identity provider for a SAML SSO authentication service, the backing keystore rule for the verification certificate is created with only the last certificate from the IdP metadata, instead of using all of the certificates. 

Authentication service for basic credentials

A new type of authentication service is available for authenticating operators by using basic credentials (user ID and password). The default Pega Platform™ login is now an instance of this type of authentication service. All basic credentials authentication services include mobile authentication with the OAuth 2.0 protocol and Proof Key for Code Exchange (PKCE). You no longer have to create a custom authentication service to support mobile applications.

For more information, see Configuring a basic authentication service.

Unauthenticated sessions transition seamlessly to authenticated

A new authentication service type allows a guest user to use an application without logging in, and to be prompted to authenticate later in the session. This enhancement supports scenarios such as online shopping portals where a user can browse for items and load a shopping cart as a guest but be prompted for credentials at checkout.

For more information, see Configuring an anonymous authentication service.

Create single sign-on authentication services from App Studio

You can create and enable single sign-on (SSO) authentication services from a new landing page in App Studio. From this new landing page you can also configure new SAML and OpenID Connect authentication services to provision users. For more information, see Creating a SAML SSO authentication service and Creating an OIDC SSO authentication service.

Protect against insecure deserialization

Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top 10 security vulnerabilities for web applications. Pega Platform™ protects against this vulnerability by using filters that prevent deserialization of suspect data streams. You can configure these filters from the Deserialization Blacklist landing page.

For more information, see Configuring the deserialization filter.