Creating an identity mapping data instance

If you register a user through OAuth 2.0 Client Registration that is authenticated through SAML 2.0 Assertion, JSON Web Token, or a custom source, you need to specify how the Pega server identifies an operator. Use the Identity Mapping data instance to create a profile, and map attributes, claims, or password credentials to operator record properties to identify an operator.

  1. In Dev Studio, in the navigation panel, click Records > Security > Identity Mapping.
  2. Click Create.
  3. In the Name field, enter the name of the identity mapping profile.
  4. In the Short description field, enter a short description of the identity mapping profile.
  5. In the Source field, choose one of the following options to select the source of the Identity Mapping.
    • SAML 2.0 Assertion – Select to map operator attributes from a SAML 2.0 Assertion source.
      1. Click Create and open.
      2. In the Signature verification section, in the Truststore field, press the Down Arrow key and select the same keystore that is used by the SAML 2.0 Assertion and that verifies the token.
      3. In the Attribute Name field, enter an attribute to map the .pyUserIdentifier property to identify an existing operator.
      4. In the Processing options section, in the Post processing activity field, enter the name of your post-processing activity. The post-processing activity can connect to any external entity to get additional data, and enrich the OperatorID page with attributes that are available on the assertion page. You can use the pzSAMLBearerIdentityMappingAct activity as a reference while creating your own post-processing activity.
    • JSON Web Token – Select to map operator attributes from a JSON Web Token source.
      CAUTION:
      You need to create a new identity mapping instance and token profile. In the token profile, specify the Issuer and Audience claim in the Claim validation section, the Subject and Expiration Time claim in the Claims mapping section, and a keystore in the Truststore field. For more information, see Processing a JSON Web Token.
      1. Click Create and open.
      2. In the Token Validation section, in the Token processing profile field, press the Down Arrow key and select the JSON Web Token profile that you created to validate the token.
      3. In the Processing options section, in the Post processing activity field, press the Down Arrow key and the pyJWTBearerIdentityMappingAct activity that processes the JSON Web Token.
      4. Modify the pyJWTBearerIdentityMappingAct activity to map the claims in the Claim mapping and Advanced mapping section in the token profile to the operator page.
    • Custom – Select to map operator attributes from a Custom source.
      CAUTION:
      For external users, modify steps 3, 4 and 5 in the pyCustomIdentityMappingAct activity. In addition, you must populate the pyOperPage parameter if it is not populated in the custom activity.
      1. Click Create and open.
      2. In the Processing options section, in the Post processing activity field, press the Down Arrow key and select the activity name that is used to identify the operator through the password credentials.
  6. Click Save.