Question
Deutsche Telekom Services Europe SE (DTSE)
DE
Last activity: 5 Oct 2022 2:06 EDT
App alias + external operator provisioning
Hi.
We are using SAML2 authentication with provisioning of the operator (especially access groups), based on information from an external system. Because of this, we are requested to update the operator instance during each login when it differs from the information received from the external system.
The update of the operator instance is done in the post authentication method of the authentication service, as requested per Pega documentation. Here the current requestor is in an authenticated state and initialized with an access group from the existing operator instance (before update).
We are using Pega 8.4.5 and we now also want to use app aliases for accessing our applications directly. We face the following problem, where we need some help / guidance.
When accessing the Pega platform with a URL which contains the app alias, it checks and fails before the post authentication activity, if the operator has a valid access group for the requested app in the URL (the highest one in pyAccessGroupsAdditional of the operator instance is chosen to initiate the requestor). But this will not work when the access groups for this app are added in the update of the operator instance during the post authentication activity.
How are we supposed to handle such a setup, which is quite common? We tried to update the operator instance from a data page which can be configured to map the operator id, but here we are getting exceptions when saving the operator instance or calling some OOTB activities, because the requestor is not authenticated at that point in time.
Thanks in advance for your help.
**********************************************************************************************************
Update
**********************************************************************************************************
We solved the problem with a data page which collects all operator-related updates (like pyAccessGroupsAdditional for the operator). This data page is then used as the source in the mapping tab of the authentication service to update the related properties on the OperatorID page.
This will also automatically update the operator instance in the database with the necessary updates.