Question
Deutsche Telekom Services Europe SE (DTSE)
DE
Last activity: 5 Oct 2022 16:23 EDT
Available Apps filtered on external authentication provider login method
Hi.
We have an external authentication provider which provides different methods of login to the user (e.g. via Windows credentials or smartcard). Depending on the chosen login method, different sets of access groups in our Pega platform should be available for the user.
The authentication service is based on SAML 2, and we receive (next to general user information) the chosen login method and the information about all possible access groups for the user in the SAML 2 token.
Information about which access groups are allowed for which login method is available in Pega.
All possible access groups are stored on the operator instance during the login. If we only stored the allowed access groups, based on the current login method, it would move the operator instance to a browser-session-related level, which it isn't. It is a platform instance and therefore needs all possible access groups. The login method is on browser session level and must be handled there.
To handle the requirement, in a first step we would be able to stop the login on the Pega side in the post-processing of the authentication method. But in case this is passed and the user enters the application, then he could OOTB switch the access group from a portal. Our current idea to limit the available access groups in the menu is to update the pxRequestor.pxSecuritySnapshot.pxAvailableApps list in the pyrequestorSetupExtension activity. But this update is not reflected by the system.
Can someone give me feedback or a hint as to whether we are on the correct way, and explain the problem? Maybe there is a much better solution to handle the requirement?
Thanks in advance.
Regards, Matthias
***Edited by Moderator Marije to add Capability tags***