Table of Contents



Only available versions of this content are shown in the dropdown

Apply authentication methods to ensure that only users and systems with a verified identity can access your applications, web pages, APIs, and data. Authentication includes verifying user credentials, Pega Platform requests to external services, and external service requests to Pega Platform. You can also authenticate by using an external identity provider.

User credentials

In a browser, a user logs in to a Pega Platform application, or a developer logs in to Dev Studio to make changes to an application. Authentication services verify these user credentials.

For more information, see Authentication services.

The following table lists the protocols for user logins that Pega Platform supports.

Authentication type Protocol
SAML 2.0 An external identity provider that supports the SAML 2.0 protocol, such as Microsoft Active Directory.

For more information, see Web single sign-on (SSO) with SAML 2.0.

OpenID Connect An external identity provider that supports the OpenID Connect (OIDC) protocol.
Basic Credentials A user ID and password that are stored in the Pega Platform database or in another internal or external data source.
Token Credentials A token that is validated by an external identity provider or by the OAuth 2.0 authorization layer in Pega Platform (often used in offline mobile applications).
Anonymous Supports activity by guest users, who are prompted to authenticate themselves partway through a session.

For example, an unauthenticated user can add items to a shopping cart, and enter credentials when they check out.

Custom Uses none of the above meets your requirements or meets your use case, you can write your own logic to challenge users for credentials and to validate the credentials. For example, using a Lightweight Directory Access Protocol (LDAP)-compliant directory server.
Kerberos A computer-network authentication protocol that is based on tickets that can be securely presented by a client or a service on the client's behalf to a server for access to services.

You can configure a custom authentication service to use information that is stored within the identity provider to determine the user roles and privileges in Pega Platform.

Make your application more secure by using simple selections in the authentication service rule form to implement policies such as multi-factor authentication. For example, each time a user logs in, the application can send an authentication code to the user by email. To log in, the user enters that code in addition to a password.

You can use authentication services (including SAML 2.0, OpenID Connect, or token credentials) to implement single sign-on (SSO) solutions. SSO solutions limit repetitive requests for credentials when users access a variety of systems or applications.

For complete control over the login process, you can define custom authentication services.

Pega Platform connectors Requests to external services from Pega Platform connectors

To invoke an external REST service to get information from an external system or application, a Pega Platform application must authenticate to that service. This type of authentication uses an authentication profile and OAuth provider data instances. The supported forms of authentication include basic credentials, NT LAN Manager credentials (NTLM), and OAuth 2.0.

For more information, see:

External requests for execution to Pega Platform services

An external system or application can invoke a REST service that is defined in Pega Platform or within a Pega Platform application to get case information. This type of authentication uses a service type and service package instances. Supported forms of authentication include basic credentials, OAuth 2.0, and custom authentication.

For more information, see:

Session management

After the initial authentication, the session management features in Pega Platform ensure that requests for access to the system and its data only come from authenticated requestors.

In Pega Platform, you can define various policies to control session time-outs, automatically terminate sessions, deactivate operators after successive days of inactivity, run cross-origin resource sharing (CORS), and detect cross-site request forgery (CSRF).

Authentication process flow

In Pega Platform, during a user-interactive login, the authentication service rules perform the following functions, in order:

For token-based authentication types, step 3 is skipped. For anonymous authentication types steps 3–7 are skipped.
  1. Pega Platform determines if this is the initial user request.
  2. Pega Platform initializes an unauthenticated session.
    1. The application context for the session in this state is provided by the access group specified by the browser requestor type:

      The access group specified by the browser requestor type
      The access group is specified in the Definition tab of
                                            the browser requestor type.

  3. Executes the pre-authentication activity, if any.
  4. Prompts for and verifies operator credentials.
    1. If a Basic authentication service, operator credentials are always promoted and verified.
    2. If a SSO authentication service, the external identity provider may prompt for credentials if needed.
    3. If a Custom authentication service, the behavior depends on authentication activity logic, with the typical response being a login page.
  5. Verifies operator identity in the database. If provisioning of new operators is disabled and the operator does not exist, authentication fails.
  6. If this is the operator’s first login and provisioning is enabled, creates a new operator instance based on a model operator or through a data transform.
  7. Maps information from the identity provider or from data pages to the clipboard.
  8. Persists the operator information from the clipboard to the operator record in the database.
  9. Invokes client-selected security policies, such as multi-factor authentication (MFA), CAPTCHA, and Attestation.
  10. Session is marked as authenticated.
  11. Application context for the session is established based on the requested application or the application specified in the default access group.
  12. Executes the post-authentication activity, if any.
    The session established in step 1 has a short time-out period, which is set to two minutes. If the session sits idle in excess of this time period at any point during login, then the session will be destroyed. This is the only feature within Pega Platform that attempts to mitigate DOS attacks.

A simplified overview of the Authorization process flow
A flow chart of the Authorization process flow described above

Related Content




Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.