Provisioning an operator by using a data transform
In Pega Platform™ 7.4 through 8.1, SAML and OpenID Connect (OIDC) authentication services can provision a new operator by copying values from a predefined model operator. You specify the model operator either directly, by entering its operator ID, or indirectly, by entering an expression or an organizational hierarchy. You can also resolve the model operator at login time from a data page and a data transform by entering a value of the form <data page name>.<property name> in the Model operator field.
The following example describes how to provision an operator by using a data transform.
Create model operators
You first populate the Pega Platform database with model operators whose operator IDs equal the roles that are known to your identity provider (IdP). For example, if your IdP defines the roles caseworker and manager, create two operators in your Pega database, one named "caseworker" and one named "manager". Because every operator provisioned through this path inherits the settings of its model operator, grant each model operator no more access than every user who holds that IdP role should receive.
Create the data transform
Create a data transform named pyGetModelUser that sets the model operator identifier, Primary.pyUserIdentifier, to the value of the role attribute in the SAML assertion, as shown in the following figure. You must create the data transform in a ruleset that is available to the unauthenticated requestor, as described in Authentication services and rule availability.
Create the data page
Create a data page named D_pyModelUser, which constructs an instance of Data-Admin-Operator-ID by using the pyGetModelUser data transform, as shown in the following figure. You must create the data page in a ruleset that is available to the unauthenticated requestor, as described in Authentication services and rule availability.
Create the authentication service
Create a SAML authentication service that provisions an operator by name by using the property D_pyModelUser.pyUserIdentifier for the model operator identifier, as shown in the following figure.
Test the authentication service
Test the authentication service by logging in to your application as Jane Doe, who is defined by your IdP as a manager but does not exist in the Pega Platform database. Jane Doe's credentials are verified by the SAML IdP, which returns a SAML assertion stating that Jane's role is manager. The data transform sets pyUserIdentifier to "manager", the authentication service looks up the model operator of that name, and its values are copied into a new operator record for Jane Doe.
The data transform obtains the SAML assertion from the data page named D_SAMLAssertionDataPage. To view an example of a raw SAML assertion and the same assertion mapped to a clipboard page, download the SAMLAssertionExamples.zip file.
The process when using an OIDC provider such as Google is similar to the SAML example above, except that in Pega 8.1 the data page is sourced from an activity whose Java step reads the claims of the ID token from the D_pzSSOAttributes data page, as in the following example:

    Object map = tools.findPage("D_pzSSOAttributes").getObject("pyAttrList");
    try {
        // pyAttrList holds the OIDC claims as a map of claim name -> claim value.
        Map<String, String> claimsMap = (Map<String, String>) map;
        // Read one claim and copy it into the property that the Model operator
        // field references. given_name is the claim used in this example; if the
        // model operator is to be chosen by role, as in the SAML example above,
        // read the claim that carries the role instead.
        String givenName = claimsMap.get("given_name");
        myStepPage.putString("pyUserIdentifier", givenName);
    } catch (Exception ex) {
        oLog.error(ex.getMessage());
    }
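The step that both the SAML data transform and the OIDC Java step perform is the same: take the role value the IdP asserted and turn it into the operator ID of a model operator, or into no model operator at all. The following stand-alone Java class is an added example, not Pega code and not part of the original page; it shows that decision with the edge cases the steps above leave implicit. The allow-list of model operators mirrors the two operators created earlier; the claim names, the multi-valued "roles" claim, the constructed claims maps, and the class and method names are assumptions made for this example.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (not Pega code): resolves the operator ID of the model operator
 * from the role value asserted by the IdP. The result is what a data transform
 * would place in Primary.pyUserIdentifier, or a Java step in myStepPage.
 */
public class ModelOperatorResolver {

    // Operator IDs of the model operators that exist in the Pega database
    // (the "caseworker" and "manager" operators created above).
    private static final Set<String> MODEL_OPERATORS =
            new LinkedHashSet<>(List.of("caseworker", "manager"));

    /**
     * Returns the model operator ID for an asserted role value, or
     * Optional.empty() when no model operator applies. The caller must then
     * fail provisioning rather than fall back to a default operator, so an
     * unknown or missing role never yields an account.
     *
     * Accepts a single String or a Collection of Strings: OIDC providers
     * commonly send role claims as a JSON array, and a SAML attribute may
     * carry several AttributeValue elements (assumption for this example).
     */
    public static Optional<String> resolve(Object roleValue) {
        if (roleValue instanceof String) {
            return matchOne((String) roleValue);
        }
        if (roleValue instanceof Collection) {
            for (Object v : (Collection<?>) roleValue) {
                if (v instanceof String) {
                    Optional<String> m = matchOne((String) v);
                    if (m.isPresent()) {
                        return m; // first asserted role that names a model operator wins
                    }
                }
            }
        }
        return Optional.empty(); // null, absent, or unexpected type: no model operator
    }

    // Exact match only: the value is used verbatim as the operator ID lookup key,
    // so no normalisation is applied beyond trimming surrounding whitespace.
    private static Optional<String> matchOne(String role) {
        String r = role.trim();
        return MODEL_OPERATORS.contains(r) ? Optional.of(r) : Optional.empty();
    }

    /** Convenience for a claims map like the one behind D_pzSSOAttributes.pyAttrList. */
    public static Optional<String> resolveFromClaims(Map<String, Object> claims, String roleClaim) {
        return resolve(claims.get(roleClaim));
    }

    public static void main(String[] args) {
        // Constructed claims maps for the example; these are not real IdP responses.
        Map<String, Object> jane = Map.of("sub", "jane.doe", "given_name", "Jane", "role", "manager");
        Map<String, Object> bob = Map.of("sub", "bob", "roles", List.of("auditor", "caseworker"));
        Map<String, Object> eve = Map.of("sub", "eve", "role", "admin");

        // Jane's single role names a model operator.
        System.out.println("jane -> " + resolveFromClaims(jane, "role"));
        // Bob's first role has no model operator, his second one does.
        System.out.println("bob  -> " + resolveFromClaims(bob, "roles"));
        // Eve's role names no model operator, so provisioning must be refused.
        System.out.println("eve  -> " + resolveFromClaims(eve, "role"));
        // The claim is absent altogether; also refused.
        System.out.println("eve  -> " + resolveFromClaims(eve, "roles"));
    }
}
```

Compile and run with plain javac and java (Java 9 or later for List.of and Map.of). In a Pega rule, the same logic maps onto the steps above: in the SAML data transform, set Primary.pyUserIdentifier only when the asserted role is one of the model operator IDs; in the OIDC Java step, replace the direct claimsMap.get(...) copy with this lookup and leave pyUserIdentifier empty when it returns no value.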