Apply authentication methods to ensure that only users and systems with a verified identity can access your applications, web pages, APIs, and data. Authentication in Pega Platform includes user logins, platform requests to external. services, and external service requests to Pega Platform You can also authenticate by using an external identity provider.
In a browser, a user logs in to a Pega Platform application, or a developer logs in to Dev Studio to make changes to an application. Authentication services verify these user credentials.
For more information, see Authentication services.
The following table lists the protocols for user logins that Pega Platform supports.
|SAML 2.0||An external identity provider that supports the SAML 2.0 protocol, such as Microsoft Active Directory |
For more information, see Web single sign-on (SSO) with SAML 2.0.
|OpenID Connect||An external identity provider that supports the OpenID Connect (OIDC) protocol|
|Basic credentials||A user ID and password that are stored in the Pega Platform database or in another internal or external data source|
|Token credentials||A token that is validated by an external identity provider or by the OAuth 2.0 authorization layer in Pega Platform (often used in offline mobile applications)|
|Anonymous||No verification until partway through a session |
For example, an unauthenticated user can add items to a shopping cart, and enter credentials when they check out.
You can configure a custom authentication service to use information that is stored within the identity provider to determine the user roles and privileges in Pega Platform.
Make your application more secure by using simple selections in the authentication service rule form to implement policies such as multi-factor authentication. For example, each time a user logs in, the application can send an authentication code to the user by email. To log in, the user enters that code in addition to a password.
You can use authentication services (including SAML 2.0, OpenID Connect, or token credentials) to implement single sign-on (SSO) solutions. SSO solutions limit repetitive requests for credentials when users access a variety of systems or applications.
For complete control over the login process, you can define custom authentication services.
Pega Platform connectors Requests to external services from Pega Platform connectors
To invoke an external REST service to get information from an external system or application, a Pega Platform application must authenticate to that service. This type of authentication uses an authentication profile and OAuth provider data instances. The supported forms of authentication include basic credentials, NT LAN Manager credentials (NTLM), OAuth 1.0, and OAuth 2.0.
For more information, see:
- Authentication profiles
- Setting up an OAuth 2.0 provider
External requests for execution to Pega Platform services
An external system or application can invoke a REST service that is defined in Pega Platform or within a Pega Platform application to get case information. This type of authentication uses a service type and service package instances. Supported forms of authentication include basic credentials, OAuth 2.0, and custom authentication.
For more information, see:
After the initial authentication, session management features ensure that requests for access to the system (and its data) continue to come from authenticated requestors. In Pega Platform, you can define various policies to control session time-outs, automatically terminate sessions, deactivate operators after successive days of inactivity, run cross-origin resource sharing (CORS), detect cross-site request forgery (CSRF), and so on.
- Creating an authentication service
To override or extend the default authentication process, create an authentication service. By creating an authentication service, you implement more specialized authentication requirements than the default, for example, to use pre-authentication and post-authentication activities.
- Authenticating requests in services
You can configure Pega Platform to access external systems to retrieve data and perform application processing. Similarly, you can allow external systems to access services in Pega Platform. By communicating with external systems, you can make use of functionality that has already been configured, and avoid the need to duplicate the same functions in multiple applications.
- Using JNDI to specify an LDAP server when using an authentication service
You can set up an authentication service to override or extend the default Pega Platform™ authentication process. You can enter a Java Naming and Directory Interface (JNDI) entry, which represents a directory located on the LDAP server. Using JNDI enables you relocate servers without having to reconfigure the application.
- Authentication time-out
When users are inactive for a certain period of time, Pega Platform requires users to reauthenticate by entering their login credentials. The browser session cannot resume until the login and password are accepted. Requiring reauthentication helps prevent a malicious or unauthorized user from hijacking the browser session. However, if reauthentication fails or is canceled, some or all of the data on the screen might continue to be displayed.
Authorization ensures that after logging in, users have access to only the features and data that they need for their work. Pega Platform offers three types of authorization: role-based access control, attribute-based access control, and client-based access control. You can use these authorization features together to provide the strictest level of control.
With Pega Platform, you can track many types of security events, such as failed logins, password changes, and changes to rules and data. By tracking all of these events, you can understand how your system functions and detect any potential problems.
- Security operations
Beyond authentication, authorization, and auditing, Pega Platform offers many other configurable security features, such as encryption, HTTP response headers, and Web Service Security profiles. Use these features to ensure that your application is as secure as possible.
Pega Platform protects you against a wide variety of adverse security risks, whether inadvertent or malicious. Use the platform features related to authentication, authorization, and auditing to protect and monitor the use of your application.