 

Creating an authentication service

Updated on March 15, 2022

To override or extend the default authentication process, create an authentication service. An authentication service lets you implement authentication requirements that are more specialized than the default, for example, pre-authentication and post-authentication activities.

Before you begin: To create an authentication service, you must have the pzCanCreateAuthService privilege, which is included in the PegaRULES:SecurityAdministrator role.
By default, your system includes a basic authentication service named Platform Authentication. You can save this service with a new name and change it, and you can create any type of authentication service, including the basic type of authentication service.
Note: As a best practice, ensure that authentication services do not share the same alias. Rename any duplicate authentication service aliases before upgrading to Pega 8.6 or later.
  1. In the header of Dev Studio, click Configure > Org & Security > Authentication > Create Authentication Service.
  2. In the Authentication Type list, click the authentication service type.
    • Basic credentials – Authentication using a user ID and password, which can be stored in the Pega Platform database or an external source that is accessed by using a data page
    • SAML 2.0 – SAML 2.0 web SSO-based authentication
    • Custom – LDAP authentication or custom authentication protocol
    • Kerberos – Kerberos user credentials
    • OpenID Connect – OpenID Connect SSO-based authentication
    • Anonymous – Unauthenticated access that uses a model operator
    • Token credentials – Useful for offline mobile applications
  3. Enter a name and short description.
  4. Click Create and open.
  5. Configure your authentication service.
  • Configuring login authentication with basic credentials

    After you create a basic authentication service, configure it so that Pega Platform uses the specified security policies for authenticating users. You can also configure optional features such as preauthentication and postauthentication activities.

  • Configuring SSO login authentication with a SAML identity provider

    After you create a SAML SSO authentication service, configure it so that Pega Platform uses the specified identity provider for authenticating users. You can map attributes from the identity repository to properties in Pega Platform, and also configure optional features such as preauthentication and postauthentication activities and operator provisioning.

  • Configuring SSO login authentication with an OpenID Connect identity provider

    After you create an OpenID Connect SSO authentication service, configure it so that Pega Platform uses the specified identity provider for authenticating users. You can map claims from the OpenID Connect provider to properties in Pega Platform, and configure optional features such as preauthentication and postauthentication activities and operator provisioning.

  • Configuring login authentication for an anonymous operator

    After you create an anonymous authentication service, configure it so that Pega Platform can support guest users. You can map attributes from the model operator to properties in Pega Platform, and also configure preauthentication and postauthentication activities.

  • Configuring custom or Kerberos login authentication

    After you create a custom or Kerberos authentication service, configure it so that Pega Platform can connect to the repository and find the operator credentials. You can map attributes from the repository to properties in Pega Platform, and can also configure optional features such as authentication and time-out activities.

  • Testing login authentication services

    You can test and debug an authentication service in a development or staging environment by setting the appropriate log level.

  • Transport Layer Security (TLS) best practices

    Select the proper TLS version when initiating outbound connections from Pega Platform to external servers and systems, for instance, when configuring authentication services, authentication profiles, and connectors.

  • Configuring login policies such as multi-factor authentication, CAPTCHA, and attestation

    You can make user authentication more secure by defining login policies for password requirements, multi-factor authentication, lockout policies, and other similar restrictions.

  • Attestation

    Depending on the security requirements for your application, you may need to use attestation to do business.

  • Configuring a token credentials authentication service

    After you create a token credentials authentication service, configure it so that Pega Platform uses the specified token provider for authenticating users. Select this type of service for offline mobile applications. You can map claims from the token to properties in Pega Platform, and configure optional features such as preauthentication and postauthentication activities.
