Configuring a basic authentication service
After you create a basic authentication service, configure it so that Pega Platform uses the specified security policies for authenticating users. You can also configure optional features such as preauthentication and postauthentication activities.
The default means of authentication for Pega Platform is a basic authentication service named Platform Authentication. All basic authentication services include support for mobile OAuth 2.0 authentication with Proof Key for Code Exchange (PKCE).
Create a basic authentication service, or open an existing one from the navigation panel in Dev Studio by selecting a basic credentials authentication service from the instance list.
In the Authentication service alias field, specify an alias that is unique among your authentication services. The alias becomes the final segment of the URL path that users enter to access Pega Platform through this service.
Login URL is a read-only field that displays the full URL for accessing Pega Platform with this service handling user authentication.
In the Provider logo field, specify an image to display on the login screen that identifies this provider.
To authenticate new sessions against an external data source instead of the Pega Platform database, select the Verify credentials using external identity store check box and enter a name for Data page for credentials verification. For example, to verify the identities of external customers, follow these steps:
Create a requestor-scope read-only data page, with object type equal to Data-Admin-Operator-ID. Save the data page to the unauthenticated ruleset.
Create a data transform with an applies to class equal to Data-Admin-Operator-ID that has input parameters for the user name and password. Validate the user name and password against the external data source. When the input parameters are valid, set .pyApproveStatus to true; when they are not, leave .pyApproveStatus unset so that the login attempt fails. Save the data transform to the unauthenticated ruleset.
On the data page, set the data source equal to the data transform that you just created.
On the authentication service, set Data page for credentials verification equal to the name of the data page you just created.
At run time, if the credentials are verified through the data page but the operator does not yet exist in the Pega database, the operator must be provisioned (added to the Pega database) before the session can be established. For information about operator provisioning, see Configuring operator provisioning for a basic authentication service.
In the Map Operator Id field, provide an expression for deriving the operator ID from the user name that is entered at the time of authentication. To use the Expression Builder, click the Build an expression icon.
For example, a user might log in with an email address such as User123@Something.YourCo.com while the operator ID is User123. In the Expression Builder, build an expression that returns all of the characters before the "@" sign.
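The following Python block is an added illustration of the logic described in the verification steps and the Map Operator Id field above; it is not Pega rule code (a Pega data transform and the Map Operator Id expression are configured in Dev Studio, not written in Python). The in-memory identity store, the user names, the PBKDF2 password hashing, and every function name are constructed assumptions chosen to show what the data transform has to guarantee: the approve status is set only when both inputs are present and the password matches, unknown users and wrong passwords are rejected the same way, the operator ID is the part of the user name before "@" (or the whole name when there is none), and an approved user who is not yet an operator is flagged for provisioning.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Derive a password hash; the external store is assumed to hold salted PBKDF2 hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_store(entries):
    """Build a constructed stand-in for the external identity store: user name -> (salt, hash)."""
    store = {}
    for user_name, password in entries:
        salt = os.urandom(16)
        store[user_name] = (salt, _pbkdf2(password, salt))
    return store


# Constructed sample identities (an assumption, not real accounts).
EXTERNAL_STORE = make_store([
    ("User123@Something.YourCo.com", "correct horse battery"),
    ("NewUser456@Something.YourCo.com", "staple"),
])

# Constructed set of operator IDs already present in the Pega database.
EXISTING_OPERATORS = {"User123"}


def verify_credentials(store, user_name: str, password: str) -> bool:
    """Mirror the data transform: return True (pyApproveStatus) only for a valid pair."""
    if not user_name or not password:
        return False
    record = store.get(user_name)
    if record is None:
        # Hash anyway so an unknown user name costs about the same time as a wrong password.
        _pbkdf2(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def map_operator_id(user_name: str) -> str:
    """Mirror the Map Operator Id expression: characters before '@', or the whole name."""
    at = user_name.find("@")
    return user_name if at < 0 else user_name[:at]


def authenticate(store, user_name: str, password: str, existing_operators):
    """Run verification, operator-ID mapping, and the provisioning decision for one login."""
    approved = verify_credentials(store, user_name, password)
    if not approved:
        return {"pyApproveStatus": False, "operator_id": None, "needs_provisioning": False}
    operator_id = map_operator_id(user_name)
    return {
        "pyApproveStatus": True,
        "operator_id": operator_id,
        "needs_provisioning": operator_id not in existing_operators,
    }


if __name__ == "__main__":
    for user, pw in [("User123@Something.YourCo.com", "correct horse battery"),
                     ("NewUser456@Something.YourCo.com", "staple"),
                     ("User123@Something.YourCo.com", "wrong")]:
        print(user, authenticate(EXTERNAL_STORE, user, pw, EXISTING_OPERATORS))
```

The point of the dummy hash in the unknown-user branch is that the transform should not leak, through response time, whether a user name exists in the external store; the constant-time comparison serves the same purpose for the password itself.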
Configure the optional parameters of the service.
- Mapping operator information for a basic authentication service.
- Specifying preauthentication and postauthentication activities for a basic authentication service.
- Requiring reauthentication for new and expired sessions for a basic authentication service.
- Configuring operator provisioning for a basic authentication service.
- Enforcing policies from the Security Policies landing page.
- Authentication services
To override or extend the default authentication process, create and configure an authentication service.
- Authentication services and rule availability
Authentication services are data instances that are available to all requestors. They can use rules such as preauthentication activities, data pages, and data transforms that must be available to the requestor at various points during the authentication process, including before the requestor is authenticated. You make these rules available by defining them in the appropriate rulesets; rules that run before authentication, such as the credential-verification data page and data transform, belong in the unauthenticated ruleset.