Last activity: 29 Oct 2021 4:15 EDT
cLSA Security Excellence webinar recording + handout - January 2021
On January 11 and 12 we hosted the cLSA Security Excellence webinar as part of the CLSA Continuous Excellence Enablement (C2E) program that is focussed on targeted content on platform topics and from a Pega 8 perspective. This webinar was focussed on security and discussed authentication, authorization and security features in Pega.
The handout is attached (visible when you are logged in).
The Q&A can be found here: https://collaborate.pega.com/discussion/clsa-security-excellence-webinar-qa
How do you map multiple access groups when a user has access to multiple applications? What is the recommended approach to dynamically assign one or more access groups to a user during authentication?
I found the article below related to this, but it describes how to configure a single access group and activity so that the correct role combination is dynamically added to the operator's clipboard page when they log in, not multiple access groups.
I would like to understand the requirements around this better, specifically around which application to choose. Is that dynamic or not? Could you please send me an email ([email protected]) so I can look at this further.
Bank of Nova Scotia
On Slide 33, it is using a DataPage property in the Mapping example. I know the screen was taken from 8.5. I want to make sure that the use of a DataPage property is also supported in 8.4.
Updated: 16 Feb 2021 16:30 EST
Regarding the use of data pages for operator provisioning: this should be available as of 7.4. That was the first version that supported a genuine declarative approach with Data Pages and Data Transforms.
Bank of Nova Scotia
Hi Dion, in the example at around slide 48, for the purpose of securing a Pega API using OAuth2, it was using Pega as the OAuth2 provider.
If we have a requirement to use an external OAuth2 provider for exposing a Service REST:
- Can we still use "OAuth2" in the Service Package Authentication Type?
- If yes, how do we configure it to use the external OAuth2 provider's JWK URLs?
- If not, if we use "Custom" in the Service Package Authentication Type, what should be done? Any links to examples will be appreciated.
When processing an external JWT, we set the Service Package to Custom and use the pxProcessJWT activity to call the Token Profile. The identity mapping page that is created can then be used by the activity that calls pxProcessJWT to map to an existing operator with the correct AG and roles to run the API. You can create a key store instance of type URL to reference the JWK. This key store instance can be referenced from the Token Profile.
This picture shows the interaction:
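The flow described in the answer above (Custom service package, pxProcessJWT validating the JWT through the Token Profile against a key store of type URL, then an identity mapping to an operator and access group) can be modelled step by step. The Python below is an added example, not Pega code or material from the webinar; the JWKS, issuer, audience, token and operator table are constructed for the demo, and it uses an HMAC "oct" key so it runs with the standard library alone, whereas real providers publish RSA/EC public keys.

```python
import base64, hashlib, hmac, json

# Constructed JWKS standing in for the key store of type URL that points at the
# provider's JWK endpoint. An "oct" (HMAC) key keeps the demo standard-library
# only; real providers publish RSA/EC public keys, which the Token Profile uses.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(b"constructed-demo-secret").rstrip(b"=").decode()}]}
EXPECTED_ISSUER = "https://idp.example.invalid"  # assumption: the external provider
EXPECTED_AUDIENCE = "pega-service-rest"          # assumption: client id registered for the API
# Constructed identity mapping: external subject -> (operator id, access group)
OPERATOR_MAP = {"alice@example.invalid": ("alice@myco", "MyApp:Users")}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def process_jwt(token, jwks, now):
    """Verify a compact JWS; the step pxProcessJWT hands to the Token Profile. 'now' is epoch seconds."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm and resolve the key by kid; never trust alg/kid blindly
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(_b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def map_operator(claims):
    """Identity-mapping step: verified subject -> operator and access group."""
    if claims.get("sub") not in OPERATOR_MAP:
        raise ValueError("no operator mapped for subject")
    return OPERATOR_MAP[claims["sub"]]

def make_demo_token(claims, jwks=JWKS):
    """Constructed token signed with the demo key (plays the external provider)."""
    key = jwks["keys"][0]
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": key["kid"]}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(_b64url_decode(key["k"]), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"
```

Any failure in process_jwt (unknown kid, bad signature, wrong issuer or audience, expiry) should end the request before the operator lookup runs, mirroring the order of the Pega activity.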
Bank of Nova Scotia
@DionLammers , thanks a lot. This is great information.
Updated: 23 Oct 2021 16:12 EDT
Ernst & Young
I would like to ask a question regarding the following situation: getting OpenID Connect / SAML 2.0 to work in an SSL offloading environment.
We are configuring the SSO structure with my client, where we are configuring the authentication service using the OpenID Connect standard.
We are using a structure where the SSL certificate is available in the balancer layer (BIGIP – https) and the application is installed on a Tomcat server without using https, because this is the model they use.
We need confirmation of the best procedure to use, so that this configuration allows the client to reach the BIGIP, which takes the call, triggers the authentication service through OpenID Connect and redirects the call to enable access for the user.
We are trying to use the following approach, indicated in the PDN; however, I would like to understand which is the best way to configure this type of structure.
Could you give an example?
@GuiValino1984 Hi, you can use either approach outlined in the link. As long as Pega is setting the redirect_uri parameter on /authorize to the same /prweb/PRAUTH value set on the IDP client registration you will be fine. In your case, you will be setting the BIGIP url in both places.