To customize the login process, you can write activities that are triggered before and
after SAML SSO authentication. For example, a postauthentication activity can update the
operator record with values from the service provider or refuse an automatically provisioned
user access to an application.
- Create your preauthentication and postauthentication activities. For more information, see the sample activities pySSOPreAuthenticationActivity and pySSOPostAuthenticationActivity.
  - The preauthentication activity must be accessible to the pega Browser requestor type, which is used for the unauthenticated user session. By default, this requestor type is assigned to the PRPC:Unauthenticated access group. Update the pega Browser requestor type's default access group to an access group that includes the ruleset of the preauthentication activity.
  - The postauthentication activity must be accessible to the user who has just been authenticated: it must exist in a ruleset that is accessible to the user's default access group.
  - The activities must have Code-Security as the Applies To key part.
  - Set the authentication result in pyAuthenticationPolicyResult to true to proceed with authentication, or to false to terminate the request; for example:
    tools.getRequestor().getRequestorPage().putString("pyAuthenticationPolicyResult", "true");
- Open the authentication service.
- In the SAML 2.0 tab, expand the Advanced configuration settings section.
- In the Pre-authentication activity field, enter the name of the preauthentication activity.
- In the Post-authentication activity field, enter the name of the postauthentication activity.
- Click Save.
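As an added example that is not part of the original article or of the sample activities it names, the following Java step for a postauthentication activity implements the "refuse an automatically provisioned user" case: it reads one attribute from the SAML assertion and sets pyAuthenticationPolicyResult to true only when the value matches. The clipboard page name SAMLAttributes, the property Department and the accepted value Finance are assumptions for illustration; use whatever your attribute mapping actually populates.

```java
// Added example (not from the original page): a Java step inside a
// postauthentication activity whose Applies To key part is Code-Security.
// It decides whether an authenticated (possibly auto-provisioned) user may
// proceed, based on an attribute delivered in the SAML assertion.
//
// Assumptions: the mapped assertion attributes live on a clipboard page named
// "SAMLAttributes" with a property "Department" (both names are hypothetical).
// `tools` is the PublicAPI instance every activity Java step receives, so no
// import statements are needed; fully qualified class names are used instead.
com.pega.pegarules.pub.clipboard.ClipboardPage requestorPage =
        tools.getRequestor().getRequestorPage();
com.pega.pegarules.pub.clipboard.ClipboardPage samlAttrs =
        tools.findPage("SAMLAttributes"); // assumed page name; null if absent

// Fail closed: the request is refused unless an explicit match is found.
boolean allow = false;

if (samlAttrs != null) {
    String department = samlAttrs.getString("Department"); // assumed property
    // Only users whose assertion places them in Finance may use this application.
    allow = "Finance".equals(department);
}

// The SAML 2.0 authentication service reads this property after the activity
// returns: "true" continues the login, "false" terminates the request.
requestorPage.putString("pyAuthenticationPolicyResult", allow ? "true" : "false");
```

Because the default is "false", a missing page or a blank attribute refuses the session rather than silently admitting the user.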