Authentication in Pega Platform
Authentication in Pega Platform™ ensures that only users and systems whose identity has been verified can access resources such as web pages, APIs, and data. Examples of authentication in Pega Platform include user logins, platform requests to external services, and external service requests to the platform.
In a browser, a user logs in to a Pega Platform application, or a Pega developer logs in to Dev Studio to make changes to an application. Authentication services verify the user credentials. For more information, see Authentication services.
Pega Platform supports the following protocols for user logins.
- Basic credentials – User identity is verified through a user ID and password that can be stored in the Pega database or another internal or external data source.
- SAML 2.0 – User identity is verified through an external identity provider that supports the SAML 2.0 protocol, such as Microsoft Active Directory Federation Services (AD FS). For more information, see Web single sign-on (SSO) with SAML 2.0.
- OpenID Connect – User identity is verified through an external identity provider that supports the OpenID Connect (OIDC) protocol.
- Anonymous – User identity is not verified until partway through a session. For example, an unauthenticated user can add items to a shopping cart, and enter credentials when they check out.
- Token credentials – User identity is verified through use of a token that is validated by an external identity provider or by the Pega Platform OAuth 2.0 authorization layer; often used in offline mobile applications.
You can customize authentication services to use information that is stored within the identity provider to determine the user's roles and privileges in Pega Platform.
Make your application more secure by using simple selections in the authentication service rule form to implement policies such as multifactor authentication. For example, each time a user logs in, the application can send an authentication code to the user by email. To log in, the user enters that code in addition to a password.
You can use authentication services that apply the SAML 2.0, OpenID Connect, or token credentials protocol to implement single sign-on (SSO) solutions. SSO solutions limit repetitive requests for credentials when users access a variety of systems or applications.
For complete control over the login process, you can define custom authentication services.
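The e-mailed second factor described above (a code sent at each login and entered together with the password), as an added example in plain Python. It is not Pega's authentication service rule: the mail transport, the code length, the time-to-live, the attempt limit and the user records are constructed assumptions. The points it makes that the paragraph does not are the ones an attacker probes: the code is single-use, expires, is discarded after a few wrong guesses, and the password check runs in constant time whether or not the user exists.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 300        # seconds an e-mailed code stays valid (constructed policy)
MAX_ATTEMPTS = 3      # wrong guesses before the code is discarded (constructed policy)
KDF_ROUNDS = 100_000  # PBKDF2 work factor for stored passwords


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


@dataclass
class PendingCode:
    # Only the hash is stored, so a memory or log dump does not expose the code directly.
    # A 6-digit space is small, so the expiry and attempt limit are the real controls.
    code_hash: bytes
    expires_at: int
    attempts_left: int = MAX_ATTEMPTS


class EmailSecondFactor:
    def __init__(self, send_mail):
        self.send_mail = send_mail  # callable(address, body); constructed transport
        self.pending = {}           # login ID -> PendingCode

    def challenge(self, login_id: str, address: str, now: int) -> None:
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.random
        self.pending[login_id] = PendingCode(hashlib.sha256(code.encode()).digest(), now + CODE_TTL)
        self.send_mail(address, f"Your sign-in code is {code}")

    def verify(self, login_id: str, submitted: str, now: int) -> str:
        pc = self.pending.get(login_id)
        if pc is None:
            return "no_challenge"
        if now >= pc.expires_at:
            del self.pending[login_id]
            return "expired"
        if hmac.compare_digest(pc.code_hash, hashlib.sha256(submitted.encode()).digest()):
            del self.pending[login_id]  # single use: the same code cannot complete a second login
            return "ok"
        pc.attempts_left -= 1
        if pc.attempts_left <= 0:
            del self.pending[login_id]  # locked: the user must start over and receive a new code
            return "locked"
        return "wrong"


class LoginFlow:
    """Password first, then the e-mailed code; nothing is granted until both succeed."""

    def __init__(self, factor: EmailSecondFactor):
        self.factor = factor
        self.users = {}  # user -> (salt, PBKDF2 hash, e-mail address); constructed store

    def register(self, user: str, password: str, address: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _kdf(password, salt), address)

    def start(self, user: str, password: str, now: int) -> str:
        # Unknown users get a dummy record so the KDF runs either way and timing does not reveal them.
        salt, stored, address = self.users.get(user, (bytes(16), bytes(32), ""))
        ok = hmac.compare_digest(stored, _kdf(password, salt))
        if user not in self.users or not ok:
            return "bad_password"
        self.factor.challenge(user, address, now)
        return "code_sent"

    def finish(self, user: str, code: str, now: int) -> str:
        return self.factor.verify(user, code, now)
```

A login is two calls: `start` returns `code_sent` only after the password verifies and the mail goes out; `finish` returns `ok` once, and `no_challenge` for any replay of the same code.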
Pega Platform connectors request external services
To invoke an external REST service to get information from an external system or application, a Pega Platform application must authenticate to that service. This type of authentication uses authentication profile and OAuth provider data instances. The supported forms of authentication include basic credentials, NT LAN Manager credentials (NTLM), OAuth 1.0, and OAuth 2.0. For more information, see Authentication profiles and Setting up an OAuth 2.0 provider.
Pega Platform services receive external requests for execution
An external system or application can invoke a REST service that is defined in Pega Platform or within a Pega application, for example, to get case information. This type of authentication uses service type and service package instances. The forms of authentication that are supported include basic credentials, OAuth 2.0, and custom authentication. For more information, see Integration services and Service packages.
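The two preceding sections are the two ends of one exchange: on the calling side an authentication profile obtains a bearer token from the OAuth 2.0 provider and presents it, and on the receiving side the service package validates that token (or a Basic credential) before the service runs. The following added example models both ends in plain Python; it is not Pega code. The shared HS256 signing key, the issuer and audience strings, and the client and operator records are constructed assumptions, and a real provider would normally sign with an asymmetric key and publish its public keys.

```python
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-shared-signing-key"  # assumption: HS256 key shared by provider and service
ISSUER, AUDIENCE = "authz", "case-api"           # constructed issuer and audience identifiers

class AuthError(Exception):
    pass  # carries an OAuth-style error code; a real service maps it to 401 or 403

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _same_secret(stored: str, supplied: str) -> bool:
    # Hash both sides so the constant-time compare does not leak the secret's length.
    return hmac.compare_digest(hashlib.sha256(stored.encode()).digest(),
                               hashlib.sha256(supplied.encode()).digest())

class AuthorizationServer:  # the OAuth 2.0 provider: client-credentials grant -> short-lived bearer token
    def __init__(self, clients: dict, ttl_seconds: int = 300):
        self.clients = clients  # client_id -> {"secret": str, "scopes": set}; constructed registrations
        self.ttl = ttl_seconds

    def issue_token(self, client_id: str, client_secret: str, scope: str, now: int) -> str:
        client = self.clients.get(client_id)
        ok = _same_secret(client["secret"] if client else "", client_secret)  # always run the compare
        if client is None or not ok:
            raise AuthError("invalid_client")
        if not set(scope.split()) <= client["scopes"]:
            raise AuthError("invalid_scope")
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": client_id, "scope": scope,
                                   "iat": now, "exp": now + self.ttl}).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

class ResourceService:  # the receiving side: Basic credentials of a known operator, or a valid bearer token
    def __init__(self, operators: dict, required_scope: str):
        self.operators = operators  # operator ID -> password (constructed; real stores keep salted hashes)
        self.required_scope = required_scope

    def authenticate(self, headers: dict, now: int) -> dict:
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        if scheme == "Basic":
            try:
                user, _, password = base64.b64decode(value, validate=True).decode().partition(":")
            except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
                raise AuthError("malformed_basic")
            ok = _same_secret(self.operators.get(user, ""), password)  # always run the compare
            if user not in self.operators or not ok:
                raise AuthError("bad_credentials")
            return {"principal": user, "method": "basic"}
        if scheme == "Bearer":
            return self._verify_bearer(value, now)
        raise AuthError("unsupported_scheme")

    def _verify_bearer(self, token: str, now: int) -> dict:
        try:
            header, body, sig = token.split(".")
            if json.loads(_b64url_decode(header)).get("alg") != "HS256":
                raise AuthError("bad_alg")  # allow-list the algorithm; never honour alg=none
            expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                raise AuthError("bad_signature")  # verified before any claim is trusted
            claims = json.loads(_b64url_decode(body))
        except ValueError:
            raise AuthError("malformed_token")
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            raise AuthError("wrong_issuer_or_audience")
        if now >= claims.get("exp", 0):
            raise AuthError("expired")
        if self.required_scope not in claims.get("scope", "").split():
            raise AuthError("insufficient_scope")
        return {"principal": claims["sub"], "method": "oauth2", "scope": claims["scope"]}

class Connector:  # the calling side: an authentication profile that caches the token and renews it early
    def __init__(self, authz: AuthorizationServer, client_id: str, client_secret: str, scope: str):
        self.authz, self.client_id, self.client_secret, self.scope = authz, client_id, client_secret, scope
        self._token, self._expires_at, self.skew = None, 0, 30  # renew 30 s early to absorb clock drift

    def bearer_header(self, now: int) -> dict:
        if self._token is None or now >= self._expires_at - self.skew:
            self._token = self.authz.issue_token(self.client_id, self.client_secret, self.scope, now)
            self._expires_at = now + self.authz.ttl
        return {"Authorization": f"Bearer {self._token}"}

def basic_header(user: str, password: str) -> dict:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def check(service: ResourceService, headers: dict, now: int) -> str:
    """Run one request through the service; returns 'ok:<principal>' or 'error:<code>'."""
    try:
        return "ok:" + service.authenticate(headers, now)["principal"]
    except AuthError as err:
        return "error:" + str(err)
```

The order of checks in `_verify_bearer` is the point to copy: algorithm allow-list, then signature, and only then the claims, so a forged body or an `alg: none` header is rejected before anything in it is read. On the calling side the connector reuses one token until shortly before `exp`, which is what keeps the provider from being hit on every outbound call.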
After the initial authentication, session management features ensure that subsequent requests for access to the system and its data continue to come from authenticated requestors. In Pega Platform, you can define policies that control session time-outs, automatically terminate sessions, deactivate operators after a set number of consecutive days of inactivity, restrict cross-origin resource sharing (CORS), and protect against cross-site request forgery (CSRF).
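The policies listed above, as an added example in plain Python that is not Pega's session management: an idle time-out and an absolute lifetime, explicit termination, operator deactivation after consecutive days without a login, a CSRF token bound to the session and required on state-changing methods, and a CORS origin allow-list. The time-out values, the deactivation threshold and the allowed origin are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SessionPolicy:  # values are constructed for the example
    idle_timeout: int = 15 * 60         # seconds without a request before the session ends
    absolute_lifetime: int = 8 * 3600   # seconds after login after which the user must log in again
    deactivate_after_days: int = 90     # consecutive days without a login before the operator is disabled
    allowed_origins: frozenset = frozenset({"https://app.example.com"})  # constructed CORS allow-list


@dataclass
class Session:
    operator: str
    created: int
    last_seen: int
    csrf_token: str  # issued at login, bound to this session, required on state-changing requests


class SessionManager:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self.sessions = {}   # session ID -> Session
        self.operators = {}  # operator ID -> {"last_login": int, "enabled": bool}

    def login(self, operator: str, now: int) -> str:
        """Called only after credentials (and any second factor) have been verified."""
        record = self.operators.setdefault(operator, {"last_login": now, "enabled": True})
        if (now - record["last_login"]) // 86400 >= self.policy.deactivate_after_days:
            record["enabled"] = False  # dormant account: disable it rather than silently revive it
        if not record["enabled"]:
            raise PermissionError("operator deactivated")
        record["last_login"] = now
        sid = secrets.token_urlsafe(32)  # a fresh ID on every login defeats session fixation
        self.sessions[sid] = Session(operator, now, now, secrets.token_urlsafe(32))
        return sid

    def terminate(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def authorize(self, sid: str, now: int, method: str = "GET", csrf_token: str = "") -> tuple:
        """Check one request against its session; returns (True, operator) or (False, reason)."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "no_session"
        if now - s.created >= self.policy.absolute_lifetime:  # checked first: activity cannot extend it
            self.terminate(sid)
            return False, "absolute_timeout"
        if now - s.last_seen >= self.policy.idle_timeout:
            self.terminate(sid)
            return False, "idle_timeout"
        if method not in ("GET", "HEAD", "OPTIONS"):  # safe methods need no token; everything else does
            if not csrf_token or not hmac.compare_digest(csrf_token.encode(), s.csrf_token.encode()):
                return False, "csrf_mismatch"
        s.last_seen = now
        return True, s.operator

    def cors_headers(self, origin: str) -> dict:
        """Allow-list the Origin; never reflect it, and never pair '*' with credentials."""
        if origin not in self.policy.allowed_origins:
            return {}
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
```

Two ordering choices matter here: the absolute lifetime is tested before the idle timer, so a client that pings every few minutes cannot keep a session alive indefinitely, and the CSRF check rejects a missing token as well as a wrong one, so a cross-site form post that simply omits the field does not slip through.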