Creating an authentication service
To override or extend the default authentication process, create an authentication service. An authentication service lets you implement authentication requirements that are more specialized than the default, for example, running pre-authentication and post-authentication activities.
- In the header of Dev Studio, click .
- In the Authentication Type list, click the authentication service type.
  - Basic credentials – Authentication using a user ID and password, which can be stored in the Pega Platform database or an external source that is accessed by using a data page
  - SAML 2.0 – SAML 2.0 web SSO-based authentication
  - Custom – LDAP authentication or custom authentication protocol
  - Kerberos – Kerberos user credentials
  - OpenID Connect – OpenID Connect SSO-based authentication
  - Anonymous – Unauthenticated access that uses a model operator
  - Token credentials – Useful for offline mobile applications
- Enter a name and short description.
- Click Create and open.
- Configure your authentication service.
- Configuring login authentication with basic credentials
After you create a basic authentication service, configure it so that Pega Platform uses the specified security policies for authenticating users. You can also configure optional features such as preauthentication and postauthentication activities.
- Configuring SSO login authentication with a SAML identity provider
After you create a SAML SSO authentication service, configure it so that Pega Platform uses the specified identity provider for authenticating users. You can map attributes from the identity repository to properties in Pega Platform, and also configure optional features such as preauthentication and postauthentication activities and operator provisioning.
- Configuring SSO login authentication with an OpenID Connect identity provider
After you create an OpenID Connect SSO authentication service, configure it so that Pega Platform uses the specified identity provider for authenticating users. You can map claims from the OpenID Connect provider to properties in Pega Platform, and configure optional features such as preauthentication and postauthentication activities and operator provisioning.
- Configuring login authentication for an anonymous operator
After you create an anonymous authentication service, configure it so that Pega Platform can support guest users. You can map attributes from the model operator to properties in Pega Platform, and also configure preauthentication and postauthentication activities.
- Configuring custom or Kerberos login authentication
After you create a custom or Kerberos authentication service, configure it so that Pega Platform can connect to the repository and find the operator credentials. You can map attributes from the repository to properties in Pega Platform, and can also configure optional features such as authentication and time-out activities.
- Testing login authentication services
You can test and debug an authentication service in a development or staging environment by setting the appropriate log level.
- Transport Layer Security (TLS) best practices
Select the proper TLS version when initiating outbound connections from Pega Platform to external servers and systems, for instance, when configuring authentication services, authentication profiles, and connectors.
- Configuring login policies such as multi-factor authentication, CAPTCHA, and attestation
You can make user authentication more secure by defining login policies for password requirements, multi-factor authentication, lockout policies, and other similar restrictions.
- Attestation
Depending on the security requirements for your application, you may need to use attestation to do business.
- Configuring a token credentials authentication service
After you create a token credentials authentication service, configure it so that Pega Platform uses the specified token provider for authenticating users. Select this type of service for offline mobile applications. You can map claims from the token to properties in Pega Platform, and configure optional features such as preauthentication and postauthentication activities.