When an operator who is not defined in Pega Platform logs in for the
first time, Pega Platform can automatically create the operator record with values
from the service provider. To do this, you configure operator provisioning for the
authentication service. This configuration eliminates the manual step of adding the operator
record.
Note:
- If authentication fails, operator provisioning does not occur.
- If authentication succeeds and the operator record is already defined in Pega Platform, you can update it with values from the
authentication provider by creating a postauthentication activity.
- Open the service from the navigation panel in Dev Studio by clicking and choosing a service from the instance list, and then click the SAML 2.0 tab.
- In the Operator identification section, select Enable operator provisioning using model operator.
- To construct an operator by copying a specific model, click By name and enter a value for Model operator.
  This is the operator ID for the operator record to be copied. If the value contains a period ("."), enclose the value in double quotation marks, for example, "abc.def".
- To identify the model operator by using an expression, click By name, and next to the Model operator field, click the Build an expression icon and create an expression that returns the operator ID to be copied.
- To identify the model operator by using organizational information, click By organization hierarchy and enter values for Org (organization), Div (division), and Unit. You can also provide an expression for each of these fields.
  The Model User value in the Unit instance provides the model operator for constructing the new operator.
- To create the operator by using a data transform, click By data transform and enter the data transform name.
  The applies to class of the data transform must be Data-Admin-Operator-ID. For an example data transform, see pyDefaultForNonPegaOperator. If the data transform copies property values from a model operator, you must first create an operator instance in the database for the model operator. Otherwise, you do not need to create a model operator.
- At a minimum, you must provide values for the properties listed below before the postauthentication activity (if any) is run. You can populate them from the model operator or the data transform, or you can explicitly map to them by using the Mapping tab. Do not change them in the postauthentication activity.

| Property name | Description |
| --- | --- |
| OperatorID.pyAccessGroup | Operator's default access group |
| OperatorID.pyAccessGroupsAdditional | List of all of the operator's access groups, including the default access group |
| OperatorID.pyOrganization | Organization |
| OperatorID.pyOrgDivision | Division |
| OperatorID.pyOrgUnit | Unit |

Note: The value for the newly created operator ID
(OperatorID.pyUserIdentifier) is the value from the
main tab in the Map operator id from section.
- Click Save.