Provisioning an operator by using a data transform

In Pega Platform™ 7.4 through 8.1, SAML and OpenID Connect (OIDC) authentication services can provision an operator by copying values from a predefined model operator. You specify the name of the model operator either directly, by entering its name, or indirectly, by entering an expression or an organizational hierarchy. You can also identify the model operator by using a data page and a data transform: enter a reference in the Model operator field in the format <data page name>.<property name>.

The following example describes how to provision an operator by using a data transform.

Create model operators

You first populate the Pega Platform database with model operators where the operator IDs equal the roles that are known to your identity provider. For example, your IdP defines the roles caseworker and manager. Create two operators in your Pega database, one named “caseworker” and one named “manager.”

Create the data transform

Create a data transform named pyGetModelUser that sets the model operator identifier (Primary.pyUserIdentifier) to the value of the role attribute from the SAML assertion, as shown in the following figure. You must create the data transform in a ruleset that is available to the unauthenticated requestor, as described in Authentication services and rule availability.

Figure: Example data transform for provisioning operator

Create the data page

Create a data page named D_pyModelUser, which constructs an instance of Data-Admin-Operator-ID by using the pyGetModelUser data transform, as shown in the following figure. You must create the data page in a ruleset that is available to the unauthenticated requestor, as described in Authentication services and rule availability.

Figure: Example data page for provisioning operator

Create the authentication service

Create a SAML authentication service that provisions an operator by name by using the property D_pyModelUser.pyUserIdentifier for the model operator identifier, as shown in the following figure.

Figure: Example authentication service configured to provision operator from a data page

Test the authentication service

Test the authentication service by logging in to your application as Jane Doe, who is defined by your IdP as a manager but who does not exist in the Pega Platform database. Jane Doe's credentials are verified by the SAML IdP, which returns a SAML assertion specifying that Jane's role is manager. Values from the model operator that you configured earlier for managers are used to provision a new operator for Jane Doe.

The data transform obtains the SAML assertion from the data page named D_SAMLAssertionDataPage. To view an example of a raw SAML assertion and the same assertion mapped to a clipboard page, download the SAMLAssertionExamples.zip file.

The process for an OIDC provider such as Google is similar to the SAML example above, except that in Pega 8.1 the source of the data page is an activity with a Java step similar to the following:

    // The OIDC claims are placed on the D_pzSSOAttributes page, in the pyAttrList property.
    Object map = tools.findPage("D_pzSSOAttributes").getObject("pyAttrList");
    try {
        Map<String,String> claimsMap = (Map<String, String>) map;
        // Get the value of a key and set the property value.
        String givenName = claimsMap.get("given_name");
        myStepPage.putString("pyUserIdentifier", givenName);
    } catch (Exception ex) {
        // Log and leave pyUserIdentifier unset so that no model operator is matched.
        oLog.error(ex.getMessage());
    }
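The following is an added, stand-alone example (not Pega's code and not a Pega Java step, since tools, myStepPage and oLog exist only inside the platform) of the claim-to-model-operator resolution that the data transform and the Java step above perform. It assumes the IdP delivers the role in a claim named "role" and the claims arrive as a map like pyAttrList; it fails closed when the role claim is missing, multi-valued, or names no model operator that you created.

```java
import java.util.*;

public class ModelOperatorResolver {
    // Model operators that actually exist in the Pega database (constructed to match the page).
    static final Set<String> KNOWN_MODEL_OPERATORS =
            new HashSet<>(Arrays.asList("caseworker", "manager"));

    // Returns the model operator ID to provision from, or empty when there is no safe match.
    // "role" as the claim key is an assumption; use the attribute name your IdP sends.
    static Optional<String> resolveModelOperator(Map<String, Object> claims, Set<String> knownModels) {
        Object raw = claims.get("role");
        if (raw == null) {
            return Optional.empty();        // no role claim: do not provision
        }
        String role;
        if (raw instanceof String) {
            role = (String) raw;
        } else if (raw instanceof List && ((List<?>) raw).size() == 1
                && ((List<?>) raw).get(0) instanceof String) {
            role = (String) ((List<?>) raw).get(0);   // single-valued list is acceptable
        } else {
            return Optional.empty();        // multi-valued or unexpected type: ambiguous
        }
        role = role.trim();
        // Exact match against the operators you created; an unknown value must not
        // fall through to some default model operator.
        return knownModels.contains(role) ? Optional.of(role) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed claims for the page's Jane Doe scenario.
        Map<String, Object> jane = new HashMap<>();
        jane.put("given_name", "Jane");
        jane.put("family_name", "Doe");
        jane.put("role", "manager");
        System.out.println("Jane -> " + resolveModelOperator(jane, KNOWN_MODEL_OPERATORS));

        // Constructed claims with a role that has no model operator in the database.
        Map<String, Object> other = new HashMap<>();
        other.put("given_name", "Eve");
        other.put("role", "admin");
        System.out.println("Eve -> " + resolveModelOperator(other, KNOWN_MODEL_OPERATORS));
    }
}
```

Inside a real Java step you would call the same logic and then putString the returned value into pyUserIdentifier only when it is present.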
