
Federated Authentication

Seamless user security through centralized authentication

Federated authentication enables users to access Pega sites and applications using their organization's identity provider (IdP).

Enabling your users to authenticate via your organization’s IdP ensures only authorized users can access Pega sites and applications such as Pega GenAI Blueprint™, Pega Support Portal (MSP), and Pega Diagnostic Center (PDC).

What it is

Federated authentication is a method of user identity verification that enables users to access multiple platforms or services across different domains using a single set of credentials. It builds on the principles of Single Sign-On (SSO) by extending trust across organizational boundaries.

With federated authentication, user authentication is managed centrally through your organization's identity provider (IdP). Users authenticate once through your organization's IdP and gain access to Pega sites and applications without having to use a separate set of credentials.

Federated authentication is beneficial in ecosystems like Pega where users interact with different applications such as Pega GenAI Blueprint™, My Support Portal (MSP), Pega Diagnostic Cloud (PDC), and Pega Deployment Manager. Federated authentication ensures that only authorized users—validated by their organization’s IdP—can access these services, enhancing both security and the user experience.


How it works

The federated authentication process involves three key components: the users, the identity provider (Client IdP), and the service provider (Pega). Client organizations can use federated authentication with Pega by selecting one or more users or email domains for which they want to enable federated authentication.

diagram of federated authentication workflow

When a user attempts to access a Pega site or service, they are guided through the federated authentication workflow.

If your organization is using federated authentication, the user is redirected to your IdP for authentication. Your IdP verifies the user's credentials and generates a secure token (e.g., SAML assertion or OIDC ID token). The token is sent back to Pega, which validates the token and grants access based on the user's access policies as defined in Pega.
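The service-provider side of the flow above, as an added example that is not Pega's code: home-realm discovery by federated user or email domain, validation of the returned OIDC ID token's claims, and an access decision that takes roles from a Pega-side store rather than from the IdP (the FAQ below notes that access roles are managed in Pega, not in the IdP). All configuration and claim data are constructed; the token's signature is assumed to have been verified already by a JWT library.

```python
import time

# Constructed federation settings: email domains (or individual users, for a pilot)
# enabled for federated login, each mapped to the IdP that Pega should trust for them.
FEDERATED_DOMAINS = {
    "example.com": {"issuer": "https://idp.example.com", "audience": "pega-sp", "enabled": True},
}
FEDERATED_USERS = {"pilot.user@partner.org": "example.com"}  # subset-of-users pilot (constructed)

# Constructed Pega-side authorization store: roles live here, never in IdP claims.
PEGA_ROLES = {"alice@example.com": {"SupportAdmin"}, "pilot.user@partner.org": {"SupportUser"}}


def login_route(email):
    """Home-realm discovery: return the IdP config to redirect to, or None for local Pega login."""
    email = email.strip().lower()
    key = FEDERATED_USERS.get(email, email.rsplit("@", 1)[-1])
    cfg = FEDERATED_DOMAINS.get(key)
    # A disabled entry models federation being switched off for an org (e.g. during an
    # IdP outage), so users fall back to their Pega credentials.
    return cfg if cfg and cfg["enabled"] else None


def accept_id_token(claims, now=None):
    """Validate the claims of an OIDC ID token (signature assumed already verified by a JWT
    library) against the user's configured IdP, then grant access using Pega-managed roles."""
    now = time.time() if now is None else now
    email = str(claims.get("email", "")).lower()
    cfg = login_route(email)
    if cfg is None:
        return {"granted": False, "reason": "user is not federated"}
    if claims.get("iss") != cfg["issuer"]:
        return {"granted": False, "reason": "issuer mismatch"}
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return {"granted": False, "reason": "audience mismatch"}
    if float(claims.get("exp", 0)) <= now:
        return {"granted": False, "reason": "token expired"}
    if claims.get("email_verified") is not True:
        return {"granted": False, "reason": "email not verified by IdP"}
    # Any "roles" claim the IdP sends is deliberately ignored: authorization is managed
    # on the Pega side, and (assumption) a user with no Pega roles is not provisioned.
    roles = PEGA_ROLES.get(email, set())
    if not roles:
        return {"granted": False, "reason": "user not provisioned in Pega"}
    return {"granted": True, "roles": roles, "reason": "ok"}
```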


Benefits of federated authentication

Streamlined user access

Federated authentication simplifies the login process by reducing the number of usernames and passwords your users have to remember.

With federated authentication, users can access Pega applications and services such as Pega GenAI Blueprint™, MSP, PDC, Pega Academy, and Community using their organization's credentials. This eliminates the need for users to remember additional usernames and passwords specific to a Pega account.

This can save time and reduce frustration, especially for users who have to access multiple applications across different domains, and can even help boost productivity by reducing friction in their daily workflow.

Improved security

In non-federated systems, users must log into external systems using a separate set of credentials. Each such login creates a point of vulnerability, which can increase the risk of hacking attempts by unauthorized users.

Federated authentication can help decrease the risk of hacking attempts by unauthorized users because it provides a single source of truth for user authentication.

Instead of using multiple authentication services across different organizational domains and systems, users log in to Pega through their organization's IdP. This helps reinforce the use of stronger password policies and consistent MFA (multi-factor authentication).

By reducing the number of login points, federated authentication can help decrease the risk of hacking attempts and can enhance your organization's overall security posture.

Protected IP

We understand your processes aren't just diagrams and workflows — they're your competitive advantage.

With federated authentication, you maintain complete control over who can access your intellectual property (IP), including access to your environments, software downloads, support and incident cases, and your Pega GenAI Blueprints™.

If a user leaves your organization and you deactivate their account in your IdP, they will no longer be able to access any Pega site using those credentials.

Improved compliance

Federated authentication provides a clear picture of user activity, making audits simpler and helping organizations prove compliance with applicable regulations.

This can help make audits much simpler while also helping prove compliance, because all user activity is tracked in one place — your IdP.


Ready to get started with federated authentication?

Contact your organization's Pega Support Administrator who can submit a support request to get you started with federated authentication.

If you are the Support Administrator for your organization, log in to MSP to submit a support request for federated authentication.


Frequently Asked Questions

General Questions

Access to all pega.com sites such as academy.pega.com, community.pega.com, docs.pega.com, and msp.pega.com will be controlled by your IdP after implementing federated authentication.

Yes. You can restrict federated authentication to a subset of users.

However, we recommend using a subset of users for testing purposes only. It is best to use one or more email domains for federated authentication in a production environment.

Contact us if your IdP goes down for an extended amount of time.

We will disable federated authentication for your organization so your users can continue to log in to Pega sites using their Pega credentials.

Yes.

If an enterprise has federated their SSO with Pega digital properties (e.g. Blueprint), only users with active access to their SSO will be able to log into Blueprint.

If a user changes the domain registered with their Pega account profile – for example switches organizations – the Blueprints they created with their old Pega account (email domain) will no longer be visible or accessible.

Access to those Blueprints can be restored for other users within the organization upon request.

Technical Implementation Questions

Pega supports the SAML 2.0 and OpenID Connect (OIDC) authentication protocols.

We can help set up federated authentication with any IdP vendor that supports the SAML 2.0 and OpenID Connect authentication protocols.

SCIM (System for Cross-domain Identity Management) integration is not supported.

Pega Support Administrators will continue to manage user access policies (roles) in My Pega > Manage Users. 

It is not possible to manage user authorization (access roles) in your IdP.

Pega Support Administrators will continue to manage user access roles in My Pega > Manage Users.
