Question
Ministerio de Justicia
ES
Last activity: 6 Oct 2025 13:09 EDT
How to check user identity after SAML SSO authentication
We configured SSO in our Pega app using a SAML Authentication Service. Users log in by providing a personal certificate or a password. Once authenticated, at some point in the business process (due to security requirements) we need to ask the user for credentials again in order to validate them against the IdP (the same one used for SSO). Our doubt is how we could manage this in Pega. We are on Pega Infinity '24.2.2.
Our requirement is much the same as this one:
Invoke SAML post SSO as a step up authentication | Support Center
Our First Approach
The IdP team provided us with a new federation for (something like) re-authentication. So we configured a second SAML Authentication Service pointing to the new IdP metadata, and a button that calls the new SAML Auth. Service to validate the identity. The result is that the user is not asked to enter a certificate or password again. Instead, the user gets into the app with no extra validation. Is there a way we could force this second call to the SAML Auth. Service?
@Ramond16772579 You can't "force" re-prompting from Pega alone; the IdP must honor a fresh login. Here's the workable setup.

Create a second SAML Authentication Service for step-up and set ForceAuthn=true and a stricter RequestedAuthnContext (exact match), such as MFA or smartcard. Ask the IdP team to enforce "require fresh authentication" for that federation (ignore the existing SSO session/cookie), or to set an IdP policy so that ForceAuthn on this SP app always triggers re-verification.

From your flow, launch SP-initiated SAML by calling Data-Admin-Security-AuthenticationService.pzInitiateSAMLWebSSO with the step-up auth service name, and pass a RelayState back to your case/assignment. On ACS success, use the post-authentication activity to validate the asserted user/attributes against the current operator and set a "step-up verified" flag on the case/session.

If the IdP won't enforce ForceAuthn, your only alternatives are logging out (pxRequestorLogoff) or using a different IdP app that always prompts; both are clunky. The key is IdP policy + ForceAuthn + RequestedAuthnContext.
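The protocol-level half of that answer, as an added example that is not part of the original thread and not Pega's own activity code: build the step-up AuthnRequest with ForceAuthn="true" and an exact RequestedAuthnContext, then apply the post-ACS checks that a "step-up verified" flag should depend on. The checks catch exactly the symptom from the question: if the IdP ignores ForceAuthn and answers from its existing SSO session, the assertion's AuthnInstant predates the request and the step-up is rejected. Entity IDs, URLs, the operator's NameID and the sample responses are constructed for the demo, and XML signature verification is assumed to have already been done by the SP library before these checks run.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Exact-match class the step-up federation must satisfy (SmartcardPKI here; an MFA class works the same way).
STEPUP_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def fmt(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_instant(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_stepup_authn_request(sp_entity_id, idp_sso_url, acs_url, now):
    """SP-initiated AuthnRequest for the step-up service. Returns (request_id, xml)."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element(q(SAMLP, "AuthnRequest"), {
        "ID": request_id, "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true",  # tell the IdP not to satisfy this request from its existing session
    })
    ET.SubElement(req, q(SAML, "Issuer")).text = sp_entity_id
    rac = ET.SubElement(req, q(SAMLP, "RequestedAuthnContext"), {"Comparison": "exact"})
    ET.SubElement(rac, q(SAML, "AuthnContextClassRef")).text = STEPUP_CLASS
    return request_id, ET.tostring(req, encoding="unicode")


def check_stepup_response(xml, request_id, request_issued, expected_issuer, expected_nameid, now,
                          max_age=timedelta(minutes=5), skew=timedelta(seconds=30)):
    """Post-ACS checks; assumes the SP library already verified the signature. Returns (ok, reason)."""
    root = ET.fromstring(xml)
    if root.tag != q(SAMLP, "Response") or root.get("InResponseTo") != request_id:
        return False, "not a response to our step-up request"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return False, "IdP did not report Success"
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, "no assertion"
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "assertion not issued by the step-up federation"
    if a.findtext("saml:Subject/saml:NameID", namespaces=NS) != expected_nameid:
        return False, "assertion is for a different user than the current operator"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:
        return False, "subject confirmation is not bound to our request"
    st = a.find("saml:AuthnStatement", NS)
    if st is None:
        return False, "no AuthnStatement"
    authn_at = parse_instant(st.get("AuthnInstant"))
    # ForceAuthn honoured means the user authenticated after we sent the request;
    # an AuthnInstant older than the request is the IdP reusing its SSO session.
    if authn_at + skew < request_issued:
        return False, "AuthnInstant predates the request: IdP reused an existing session"
    if now - authn_at > max_age:
        return False, "authentication is too old"
    if st.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS) != STEPUP_CLASS:
        return False, "authn context is weaker than requested"
    return True, "step-up verified"


def constructed_response(request_id, issuer, nameid, authn_at, authn_class, now):
    """Constructed, unsigned sample IdP Response (demo input, not captured from a real IdP)."""
    resp = ET.Element(q(SAMLP, "Response"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                              "IssueInstant": fmt(now), "InResponseTo": request_id})
    ET.SubElement(resp, q(SAML, "Issuer")).text = issuer
    ET.SubElement(ET.SubElement(resp, q(SAMLP, "Status")), q(SAMLP, "StatusCode"), {"Value": STATUS_SUCCESS})
    a = ET.SubElement(resp, q(SAML, "Assertion"),
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, q(SAML, "Issuer")).text = issuer
    subj = ET.SubElement(a, q(SAML, "Subject"))
    ET.SubElement(subj, q(SAML, "NameID")).text = nameid
    sc = ET.SubElement(subj, q(SAML, "SubjectConfirmation"), {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, q(SAML, "SubjectConfirmationData"), {"InResponseTo": request_id})
    st = ET.SubElement(a, q(SAML, "AuthnStatement"), {"AuthnInstant": fmt(authn_at)})
    ET.SubElement(ET.SubElement(st, q(SAML, "AuthnContext")), q(SAML, "AuthnContextClassRef")).text = authn_class
    return ET.tostring(resp, encoding="unicode")


def demo():
    """Fresh step-up passes; a reused SSO session (AuthnInstant before the request) and a
    password-only context both fail. Returns (request_xml, [(ok, reason), ...])."""
    t0 = datetime(2025, 10, 6, 17, 0, 0, tzinfo=timezone.utc)
    idp = "https://idp.example/stepup"  # hypothetical entity ID of the step-up federation
    rid, req = build_stepup_authn_request("https://pega.example/sp", idp + "/sso", "https://pega.example/acs", t0)
    now = t0 + timedelta(seconds=40)
    fresh = constructed_response(rid, idp, "user@example", t0 + timedelta(seconds=20), STEPUP_CLASS, now)
    reused = constructed_response(rid, idp, "user@example", t0 - timedelta(hours=2), STEPUP_CLASS, now)
    weak = constructed_response(rid, idp, "user@example", t0 + timedelta(seconds=20),
                                "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", now)
    return req, [check_stepup_response(r, rid, t0, idp, "user@example", now) for r in (fresh, reused, weak)]


if __name__ == "__main__":
    for ok, reason in demo()[1]:
        print(ok, reason)
```

The AuthnInstant-versus-request comparison is the check that distinguishes a real re-verification from the IdP silently reusing its session, which is what the first approach in the question ran into; the Issuer check matters because there are two federations, and an assertion from the ordinary SSO federation must not be accepted as a step-up. In Pega these checks would live in the post-authentication activity of the second Authentication Service, comparing the NameID against the current operator before setting the verified flag.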