Authentication services and security policies
To improve security in authentication services that support security policies, you select which policies to enable by using the Security policies tab of the authentication service. You define the details of each policy, such as the minimum password length and the duration of a one-time password, on the Security Policies landing page.
All authentication services use the PRAuth servlet. However, for backward compatibility with earlier versions of Pega Platform, it is possible to authenticate by using PRServlet instead of PRAuth (in other words, the login URL includes /prweb/PRServlet). When PRServlet is used, security policies are enabled by using various controls on the Security Policies landing page.
For more information on URL patterns and servlet names, see Application URL patterns for various authentication service types.
For authentication services, security policies are enabled as follows:
- You enable specific policies from the Security policies tab for each authentication service, except for some that are always on, as noted below.
- The Enable frequently required policies check box on the Security Policies landing page has no effect.
- The Enable CAPTCHA Reverse Turing test module setting on the Security Policies landing page has no effect.
- The Audit policy on the Security Policies landing page is always in effect, as are the security alerts that are configured on the Security Event Configuration landing page.
- The Operator disablement policy on the Security Policies landing page is always in effect.
- The User consent policy is enabled and disabled by using the Security policies tab of the authentication service, but it does not appear on the Security Policies landing page.
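Because the servlet in the login URL decides which set of controls governs a session, it helps to know how much traffic still arrives through the legacy path. The following added example (not Pega code) counts requests per servlet in a web access log and lists the clients still using PRServlet; the /prweb/PRAuth path, the log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in common access-log format; not from a real system.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:09:14:01 +0000] "POST /prweb/PRAuth/sso-alias HTTP/1.1" 200 512
203.0.113.11 - - [12/Mar/2024:09:14:07 +0000] "GET /prweb/PRServlet HTTP/1.1" 200 2048
203.0.113.12 - - [12/Mar/2024:09:14:09 +0000] "POST /prweb/PRServlet?constructed=1 HTTP/1.1" 200 900
203.0.113.13 - - [12/Mar/2024:09:15:30 +0000] "GET /prweb/PRAuth HTTP/1.1" 200 700
203.0.113.14 - - [12/Mar/2024:09:16:02 +0000] "GET /static/logo.png HTTP/1.1" 200 1200
"""

# Where policies are enabled for each servlet, as the page describes.
POLICY_SOURCE = {
    "PRAuth": "Security policies tab of the authentication service",
    "PRServlet": "controls on the Security Policies landing page",
}

LINE_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(target):
    """Return 'PRAuth', 'PRServlet' or 'other' for a request target."""
    segments = urlsplit(target).path.split("/")
    # Expect /prweb/<servlet>[/...]; servlet names are matched case-sensitively.
    if len(segments) >= 3 and segments[1] == "prweb" and segments[2] in POLICY_SOURCE:
        return segments[2]
    return "other"


def summarize(log_text):
    """Count requests per servlet and collect (client, target) for legacy PRServlet hits."""
    counts, legacy = Counter(), []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not request records
        servlet = classify(match["target"])
        counts[servlet] += 1
        if servlet == "PRServlet":
            legacy.append((match["client"], match["target"]))
    return dict(counts), legacy


if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE_LOG)
    for servlet, source in POLICY_SOURCE.items():
        print(f"{servlet}: {counts.get(servlet, 0)} requests, policies from: {source}")
    for client, target in legacy:
        print(f"legacy login path: {client} -> {target}")
```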
- Authentication services
To override or extend the default authentication process, create and configure an authentication service.
- Defining security policies
To define security policies for user authentication and session management, use the Security Policies tab.
- Selecting a security event to monitor
To monitor and analyze security events, use the Security Event Configuration feature. You can select individual events to be automatically captured in logs for every user session.