Authentication Service -- Tips and Tricks
Below is what I've learnt about the Authentication Service rule. I have used it in Pega 8.1. and Pega 8.4.
Anyone have any tips on how to map Workgroup lists, with a dynamic number of instances? I know a hacky way to workaround the limitation of having no pagelist mapping, on the Mapping tab, and I've also use a Post-Authentication Activity.
- TIP: Use 'Global Resource Settings' (GRS) -- e.g. a Data Page populated by Dynamic System Setting values -- for the IDP and SP settings. Ensure that Data Page used for GRS is accessible to the WebSSO Service Package’s Access Group
- TIP: Populate a Data Page with the data to map to the Operator, and use the Mapping tab (for text and value list mapping)
- TIP: If the Data Page used for mapping needs access to the operator’s original Operator ID record:
- Use the Mapping tab to populate a Clipboard page, of type Data-Admin-Operator-ID, e.g. “SSOOperator”, with the User ID (e.g. the token containing this)
- In the Data Page load: Set ‘SSOOperator’ to the Operator ID record, i.e. a Data Page with a lookup on the passed User ID parameter
- TIP: To force the authentication process to fail, without creating an Operator ID record, select ‘Attribute or Datapage reference’ for the Operator identification, and have the Data Page logic only set its reference property (which is mapped to OperatorID.pyUserIdentifier) only when the user has been validated by the IDP
- The pre-authentication Activity only has access to the unauthenticated Requestor page, so it has some information (such as whether a mobile device is being used) but at this point the user is unknown
- The ‘enable operator provisioning using model operator’ option:
- Only takes effect if the Operator doesn’t exist
- If ‘by name’: will interpret the configured ‘Model operator’ field as a token unless entered in double-quotes
- The Pre-authentication Activity runs in the context of the BROWSER Requestor, and the Post-authentication Activity runs in the context of the Access Group of the operator
- It is possible to update the current operator’s Data-Admin-Operator-ID record, in the Post-authentication Activity, but only if the operator’s Access Group has permission to do so.
- Post-Auth Activity will not run if operator’s Operator ID record has pyOperatorIsDeactivated set to true
- The Mapping tab will only map from Text and Value list type properties
- The Post-Auth Activity can update the Operator ID record with an Obj-Save (if it has authorisation) and has to use Write Now option
- Both the Pre- and Post- authentication Activity rules – if they are configured on the Auth Service at all – must execute the following otherwise the authentication will fail:
tools.getRequestor().getRequestorPage().putString(“pyAuthenticationPolicyResult”,”true”);
Updated: 2 Jun 2021 23:37 EDT
Tech Mahindra Ltd
CA
@FOSTS You have mentioned that you were able to map a dynamic list. Was it done solely by using the mapping tab or did you use the post authentication activity?
Pegasystems Inc.
GB
@Sudipta Biswas , sorry I didn't see this earlier. I did use a Post-Authentication Activity
Updated: 5 Jan 2022 14:25 EST
Tech Mahindra
IN
Thanks for sharing the tips here. If I want to set the workgroup list and work basket list, I have to use post authentication activity but if I decided to set access group, multiple access group list or primary work group, I can use mapping tab for new user or an existing user.
But why don’t we have a way to set pagelist in mapping tab??? Is there any limitation???
Pegasystems Inc.
GB
This point was raised with the department responsible for the development of this Platform feature. I'm still working on an 8.4 platform so I can't be certain that this hasn't changed. However, looking at the 'What's New' and Help pages -- for versions 8.5 and 8.6 -- I can't see any evidence that this limitation has gone.
Would be very interested if anyone knows differently :)
Pegasystems Inc.
GB
@Nizam enhancement FDBK-71251 has not yet made it into 8.6.
Currently the workaround as listed above still needs to be used ( using a lookup in the Data Page used in the mapping).
Tech Mahindra
CA
@FOSTS Providing the option of forcing operator overriding as needed will be lot helpful for implementation.
The ‘enable operator provisioning using model operator’ option:
- Only takes effect if the Operator doesn’t exist
In our use case, we need to take use different accessgroup based on where the application is launched from. Is there a way to achieve this in Post Authentication Activity ? like set the new accessgroup and refresh the pxRequestor and other system pages
Pegasystems Inc.
GB
@MNC001 ,
You can set the Access Group in either/both the Mapping tab and in the Post-Authentication Activity. This will overwrite the Access Group already set from the Model Operator. I would assume that the pxRequestor etc would be set accordingly, but I don't know the full context of what you are trying to configure.
TATA CONSULTANCY SERVICES LTD.
IN
@FOSTS Scenario - We are deriving model operator through {UserID},But Operator ID record has pyOperatorIsDeactivated set to true, As you mentioned
- Post-Auth Activity will not run if operator’s Operator ID record has pyOperatorIsDeactivated set to true
- The Pre-authentication Activity runs in the context of the BROWSER Requestor, and the Post-authentication Activity runs in the context of the Access Group of the operator
- The pre-authentication Activity only has access to the unauthenticated Requestor page, so it has some information (such as whether a mobile device is being used) but at this point the user is unknown
How can we enable operator record using Pre Authentication activity ? Since, user is unknow during pre-authentication how can we get user name to call ootb to enable operatorID?
Is there any work around ? Please share your thoughts on this.
We are using PEGA 8.5.4.
Pegasystems Inc.
GB
You can map "false" to .pyOperatorIsDeactivated on the Mapping tab.
In the Post-Authentication Activity you can add logic that sets this back to "true" if required (e.g. initialise as true, then conditionally set to false)
Intellativ
US
@FOSTS on the mapping tab, if the email address is mapped directly to pyAddresses(Email).pyEmailAddress, the declare index rules on pyAddresses(Email) are not firing. Is that an expected behavior?
W&W
DE
we are using the openid connect authentication service and have a problem with mapping.
The {email} could not be mapping in mapping tab. we doubt that pega used access token during mapping the claims to clipboard property.
As a workaround we created a post-auth activity to read the email extra from id token and update the operator record, and it workes. But we would like to use the ootb mapping to map email instead of a post-auth activity.
It is verfiyed that email is in ID Token.
Does anyone have an idea, why the mapping didn't work.
Best Regards