Authentication design considerations

Authentication in Pega Platform™ helps to ensure that only users and systems with verified identities can access your applications. Each organization has policies on how user authentication occurs in the application. Most organizations use single sign-on (SSO). If the organization runs an enterprise-tier deployment, it might use container-based authentication or JAAS or JEE security. The container-based setup impacts how you design your authentication scheme and your application.

The Pega Platform application implements the authentication policy of the organization. For more information about the authentication protocols that Pega Platform supports, see Authentication.

The following diagram shows the different protocols for user logins that Pega Platform supports and how the system maps the operator ID to an Access Group, Access Roles, and privileges to access the application securely. Pega Platform uses basic credentials and supports SAML 2.0, Anonymous, Oauth2, OIDC (Open ID Connect), token credentials, custom, and Kerberos, as shown in the following figure:

Pega Platform can act as the identity provider (IdP) or use an IdP to authenticate users. For example, Active Directory Federation Services (ADFS) by Microsoft is an external IDP used in the on-premise version of Pega Platform and the Microsoft Azure cloud offering.

Pega Platform is the IdP when the authentication type is Basic credentials. You configure basic credentials to authenticate users on the Security tab of the Operator ID record of a user by clearing the Use external authentication checkbox, as shown in the following figure:

Check your knowledge with the following interaction: