Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Specifying preauthentication and postauthentication activities for an OpenID Connect SSO authentication service

Updated on June 30, 2021

To customize the login process, you can write activities that will be triggered before and after OpenID Connect authentication. For example, a postauthentication activity can update the operator record with values from the service provider or can refuse an automatically provisioned user access to an application.

  1. Create your preauthentication and postauthentication activities. For more information, see the sample activities pySSOPreAuthenticationActivity and pySSOPostAuthenticationActivity. When you write these activities, consider the following:
    • Update the pega Browser requestor type's default access group to equal an access group that includes the ruleset of the preauthentication activity. The preauthentication activity must be accessible to the pega Browser requestor type, which is used for the unauthenticated user session. By default, this requestor type is assigned to the PRPC:Unauthenticated access group.
    • Create the postauthentication activity in a ruleset that is accessible to the user's default access group. The postauthentication activity must be accessible to the user who has just been authenticated.
    • Set the Applies To key part of the activities to Code-Security.
    • Set the authentication result in pyAuthenticationPolicyResult to true to proceed with authentication, or set to false to terminate the request; for example:
       tools.getRequestor().getRequestorPage().putString("pyAuthenticationPolicyResult", "true");
    • You can dynamically update the user’s role list by using a postauthentication activity. This is useful if you want to dynamically add roles to the user context at login without maintaining multiple access groups in the database for all combinations of roles. In the postauthentication activity, update the list of roles by calling setRoles, as shown in the following example.
       tools.getAuthorizationHandle().setRoles(tools, tools.getAuthorizationHandle().UPDATE_APPEND, rolesList);
      Caution: Roles that you set in the postauthentication activity without saving the access group to the database lose their effect if the user switches applications. To dynamically add roles in a way that supports switching applications, see How to dynamically add roles during user authentication.
  2. Open the service from the navigation panel in Dev Studio by clicking RecordsSysAdminAuthentication Service and choosing a service from the instance list.
  3. On the OpenID Connect tab, expand the Advanced configuration settings section.
  4. In the Pre-authentication activity field, enter the name of the preauthentication activity.
  5. In the Post-authentication activity field, enter the name of the postauthentication activity.
  6. Click Save.
  • Previous topic Mapping operator information for an OpenID Connect SSO authentication service
  • Next topic Requiring reauthentication for new and expired sessions for an OpenID Connect SSO authentication service

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us