Configuring a token credentials authentication service
After you create a token credentials authentication service, configure it so that Pega Platform uses the specified token provider to authenticate users. Select this type of service for offline mobile applications. You can map claims from the token to properties in Pega Platform, and configure optional features such as preauthentication and postauthentication activities.
Note the following best practices when you configure and deploy a token credentials authentication service.
- Derive the operator ID directly from the token that is acquired from the identity provider. Avoid using excessively complex logic for deriving the operator ID.
- To lessen the possibility of phishing attacks, do not update sensitive operator information such as mobile phone number or email address in the preauthentication and postauthentication activities.
- Do not initiate operator provisioning in the postauthentication activity.
- Deploy the authentication service over a secure channel (HTTPS enabled).
To configure a token credentials authentication service, do the following steps.
Create a token credentials authentication service, or open an existing service from the instance list in the navigation panel in Dev Studio.
In the Authentication service alias field, specify an alias to represent a unique value for this service. This value becomes the final part of the URL path for users to access Pega Platform.
- Login URL is a read-only field that displays the URL that accesses Pega Platform and uses this service for user authentication.
In the Provider logo field, specify an image that represents the identity provider.
Select the token provider.
- Pega Platform – The authentication token is issued by the Pega Platform OAuth 2.0 authorization layer.
- External identity provider – When you select External identity provider, the Identity mapping field is displayed, where you enter the key to an identity mapping instance. Some identity mappings are linked to an appropriate token profile; for example, for a JSON Web Token (JWT), the identity mapping instance is linked to the processing token profile.
Configure the optional parameters of the service.
- Authentication services
To override or extend the default authentication process, create and configure an authentication service.
- More about authentication services
This page describes additional topics relevant to authentication services that are not directly referenced on the rule form.
- Identity mapping
The Identity Mapping rule form allows you to specify how to identify an operator from a SAML 2.0 Assertion, JSON Web Token, or custom source.
- Creating a processing JSON Web Token profile
Create a processing JSON Web Token (JWT) profile to specify how Pega Platform validates and decrypts each JSON Web Token it receives.