Specifying preauthentication and postauthentication activities for an OpenID Connect authentication service

To customize the login process, you can write activities that will be triggered before and after OpenID Connect authentication. For example, a postauthentication activity can update the operator record with values from the service provider or can refuse an automatically provisioned user access to an application.

  1. Create your preauthentication and postauthentication activities. For more information, see the sample activities pySSOPreAuthenticationActivity and pySSOPostAuthenticationActivity.
    • The preauthentication activity must be accessible to the pega Browser requestor type, which is used for the unauthenticated user session. By default, this requestor type is assigned to the PRPC:Unauthenticated access group. Set the default access group of the pega Browser requestor type to an access group whose application rulesets include the ruleset that contains the preauthentication activity.
    • The postauthentication activity must be accessible to the user who has just been authenticated. The postauthentication activity must exist in a ruleset that is accessible to the user's default access group.
    • The activities must have Code-Security as the Applies To key part.
    • In each activity, set pyAuthenticationPolicyResult on the requestor page to true to let authentication proceed, or to false to terminate the request. Treat false as the default and set true only after every check has passed; for example:
       tools.getRequestor().getRequestorPage().putString("pyAuthenticationPolicyResult", "true");
  2. Open the authentication service.
  3. On the OpenID Connect tab, expand the Advanced configuration settings section.
  4. In the Pre-authentication activity field, enter the name of the preauthentication activity.
  5. In the Post-authentication activity field, enter the name of the postauthentication activity.
  6. Click Save.
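The following Java step body illustrates a postauthentication activity of the kind described above. It is an added example, not Pega's own pySSOPostAuthenticationActivity sample. It assumes that the OpenID Connect claims have already been copied to a clipboard page named ClaimsPage with properties email and email_verified, that the authenticated operator record is on the OperatorID page with a pyEmailAddress property, and that tools and oLog are the PublicAPI and LogHelper objects normally available in a Java step; all of these names are assumptions to be replaced with the pages and properties your service actually populates.

```java
// Added example (not Pega's code): Java step of a hypothetical
// Code-Security postauthentication activity.
// Assumptions: "ClaimsPage" (properties email, email_verified) holds the
// provider's claims, "OperatorID" holds the operator record with a
// "pyEmailAddress" property, and tools/oLog are the usual step objects.
final String ALLOWED_DOMAIN = "example.com";   // constructed allowlist entry

// Fail closed: deny until every check below passes.
ClipboardPage requestorPage = tools.getRequestor().getRequestorPage();
requestorPage.putString("pyAuthenticationPolicyResult", "false");

ClipboardPage claims = tools.findPage("ClaimsPage");   // assumed page name
boolean allow = false;
String email = null;
String reason = "claims page missing";

if (claims != null) {
  email = claims.getString("email");                  // assumed property
  String verified = claims.getString("email_verified"); // assumed property
  if (email == null || email.indexOf('@') < 0) {
    reason = "no usable email claim";
  } else if (!"true".equalsIgnoreCase(verified)) {
    // An unverified email must not be used for an authorization decision.
    reason = "email not verified by the provider";
  } else {
    String domain = email.substring(email.lastIndexOf('@') + 1).toLowerCase();
    if (ALLOWED_DOMAIN.equals(domain)) {
      allow = true;
    } else {
      reason = "domain " + domain + " is not in the allowlist";
    }
  }
}

if (allow) {
  // Carry a provider value onto the operator record (assumed page/property).
  ClipboardPage operator = tools.findPage("OperatorID");
  if (operator != null) {
    operator.putString("pyEmailAddress", email);
  }
  requestorPage.putString("pyAuthenticationPolicyResult", "true");
} else {
  // Leave the result at "false" so the request is terminated, and record why.
  oLog.infoForced("Postauthentication activity refused access: " + reason);
}
```

Because the result is written as false before any claim is read, an unexpected condition (missing page, missing claim, exception in a later step) cannot accidentally let the user through; the true value is written only on the single path where all checks succeed.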
What to do next: Configuring operator provisioning for an OpenID Connect authentication service