To customize the login process, you can write activities that are triggered before and
after SAML SSO authentication. For example, a postauthentication activity can update the
operator record with values from the service provider or refuse an automatically provisioned
user access to an application.
-
Create your preauthentication and postauthentication activities. For more
information, see the sample activities
pySSOPreAuthenticationActivity and
pySSOPostAuthenticationActivity.
- The preauthentication activity must be accessible
to the pega Browser requestor type, which is used for the
unauthenticated user session. By default, this requestor type is
assigned to the PRPC:Unauthenticated access group.
Update the pega Browser requestor type's default
access group to equal an access group that includes the ruleset of the
preauthentication activity.
- The postauthentication activity must be
accessible to the user who has just been authenticated. The
postauthentication activity must exist in a ruleset that is accessible
to the user's default access group.
- The activities must have Code-Security as the Applies
To key part.
- Set the authentication result in
pyAuthenticationPolicyResult to
true to proceed with authentication, or set to
false to terminate the request; for example:
tools.getRequestor().getRequestorPage().putString("pyAuthenticationPolicyResult", "true");
-
Open the authentication service.
-
On the SAML 2.0 tab, expand the Advanced
configuration settings section.
-
In the Pre-authentication activity field, enter the name of the
preauthentication activity.
-
In the Post-authentication activity field, enter the name of
the postauthentication activity.
-
Click
Save.