Question
Deutsche Telekom Services Europe SE (DTSE)
DE
Last activity: 23 Aug 2023 8:54 EDT
Multiple authorization providers
Hi.
Pega supports OOTB multiple authentication providers which can also become configured as authentication services on an application rule. Normally these providers can also act as an authorization provider (defines at the end the access groups on the operator instance), but must not. For my question let's assume that the authentication provider is also the authorization provider and I call it auth provider in this post. Now to my scenario and the question.
Scenario:
2 auth providers provision the following access groups to the same operator instance
Provider 1: AG1, AG2, AG3
Provider 2: AG3, AG4, AG5
Each AG is pointing to another application. Each application has configured the related authentication service for the auth provider on the application rule.
Authentication services will update the access groups during each login, but only those where they are the provisioner. There is no other way for update. Via a custom enhancement of the operator data model we also know which provider has provisioned which access group.
That means after the user logs in with providers 1 and 2 he has the following access groups on his operator instance: AG1, AG2, AG3, AG4, AG5. Also the information that AG1, AG2 are coming from provider 1 and AG4, AG5 are coming from provider 2 and AG3 is coming from providers 1 and 2 is known as per the custom enhancement.
From a security perspective everything works fine so far. When the user logs in with one of the authentication services, the OOTB validations (i.e. my application switch gadget) take care of reauthentication when the user wants to switch from the current application to another which is not in scope of the current authentication.
Now coming to the tricky point in this scenario. At some time we log in with provider 1 and we are getting only AG1 and AG2 for the user. That means the custom enhancement is updated, that AG3 is coming only from provider 2 now.
But looking now at the security perspective, we will run into a problem with the OOTB validations in application switching. As mentioned before, the user logs in via provider 1 to AG1 and here he selects to switch to AG3. In this scenario, the reauthentication will not be triggered again as the authentication service for provider 1 is configured on the application rule for AG3.
I think the security gap could be solved by having an enhancement point in activity pyValidateSwitchApplication of class Code-Security (ruleset Pega-ProcessArchitect [08-06-01]) in case of success.
But maybe it is not intended in the Pega platform to have different authorization providers, but different authentication providers? Or is my scenario wrongly built and it is better to have dedicated operator instances for each authorization provider?
What would be your idea on that?
Happy to run a discussion on that.
Regards, Matthias
***Edited by Moderator Marije to add User Story and BUG id's***
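The gap described in the post, and the provenance-aware check the author proposes for the enhancement point, as an added simulation. This is constructed illustration code, not Pega's own logic and not code from the post: the `Operator` model, the `APP_AUTH_SERVICE` mapping (one application per access group, each configured with one auth service), and the two `*_switch_allowed` functions are hypothetical approximations of the behaviour the post describes. It replays the scenario (both providers log in, then provider 1 stops granting AG3) and shows that a check based only on the application rule's configured authentication service still allows the switch to AG3, while a check that also consults the custom "who provisioned this access group" data denies it.

```python
"""Constructed simulation of access-group provisioning by two auth providers and
of the application-switch validation gap. Not Pega's code; all names hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Operator:
    """Operator instance plus the custom enhancement that records which
    provider provisioned which access group (constructed model)."""
    access_groups: set = field(default_factory=set)
    provisioned_by: dict = field(default_factory=dict)  # AG -> set of providers
    current_provider: str = None

    def login(self, provider: str, granted: set) -> None:
        """The authentication service updates only the AGs it provisions itself."""
        # Withdraw AGs this provider granted earlier but does not grant now.
        for ag in list(self.provisioned_by):
            providers = self.provisioned_by[ag]
            if provider in providers and ag not in granted:
                providers.discard(provider)
                if not providers:  # no provider provisions it any more
                    del self.provisioned_by[ag]
                    self.access_groups.discard(ag)
        # Add or refresh the AGs granted in this login.
        for ag in granted:
            self.access_groups.add(ag)
            self.provisioned_by.setdefault(ag, set()).add(provider)
        self.current_provider = provider


# Application rule -> configured authentication service (constructed: one app per AG;
# the AG3 application has provider 1's service configured, as in the post).
APP_AUTH_SERVICE = {"AG1": "P1", "AG2": "P1", "AG3": "P1", "AG4": "P2", "AG5": "P2"}


def ootb_switch_allowed(op: Operator, target_ag: str) -> bool:
    """Approximation of the OOTB rule: no reauthentication is required when the
    target application's auth service matches the provider of the current session."""
    return (target_ag in op.access_groups
            and APP_AUTH_SERVICE[target_ag] == op.current_provider)


def provenance_switch_allowed(op: Operator, target_ag: str) -> bool:
    """Proposed enhancement-point check: additionally require that the session's
    provider is still one of the provisioners of the target access group."""
    return (ootb_switch_allowed(op, target_ag)
            and op.current_provider in op.provisioned_by.get(target_ag, set()))


def run_scenario() -> dict:
    """Replay the post's scenario and return the outcome of both checks."""
    op = Operator()
    op.login("P1", {"AG1", "AG2", "AG3"})
    op.login("P2", {"AG3", "AG4", "AG5"})
    after_both = sorted(op.access_groups)
    # Later login with provider 1 now grants AG1 and AG2 only.
    op.login("P1", {"AG1", "AG2"})
    return {
        "after_both": after_both,                       # ['AG1', ..., 'AG5']
        "ag3_providers": sorted(op.provisioned_by["AG3"]),  # ['P2']
        "ootb_allows_ag3": ootb_switch_allowed(op, "AG3"),  # True: the gap
        "provenance_allows_ag3": provenance_switch_allowed(op, "AG3"),  # False
        "provenance_allows_ag2": provenance_switch_allowed(op, "AG2"),  # True
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The provenance check only denies the silent switch; whether the real activity should then trigger reauthentication against provider 2 or refuse the switch outright is the design question the post raises, and the simulation leaves it open.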