Custom Authentication
Hi,
We installed Pega 7.1.9. We would to configure custom authentication with Oracle Access Manager as Service Provider per paragraph below (this is from the authentication overview of Pega e-learning). Is there anyone familiar with this process/configuration can help us? We plan to move Pega to QA and production soon. High level steps would be nice as well.
Thanks
BB
Web Access Management
Let’s look at a typical Web Access Management implementation with PRPC sing CA SiteMinder. The same general mechanism applies to all offâtheâshelf Web Access Management solutions.
1. User Requests a protected resource – For example:
http://www.mycorp.com/PRExtAuthServlet
2. Web Agent examines request and queries Policy Server to determine if PRExtAuthServlet is a protected resource. If so, Web Agent checks wether or not the user has been authenticated.
3. If they have not been, the user is presented with the login form.
4. The Policy Server passes the credentials to LDAP directory for authentication.
5. If successful the Web Agent writes an encrypted cookie onto the user’s browser, which will identify the user to the web agent for subsequent requests.
6. The Web Agent then queries the Policy Server to determine authorizations for the requested resource.
Hi,
We installed Pega 7.1.9. We would to configure custom authentication with Oracle Access Manager as Service Provider per paragraph below (this is from the authentication overview of Pega e-learning). Is there anyone familiar with this process/configuration can help us? We plan to move Pega to QA and production soon. High level steps would be nice as well.
Thanks
BB
Web Access Management
Let’s look at a typical Web Access Management implementation with PRPC sing CA SiteMinder. The same general mechanism applies to all offâtheâshelf Web Access Management solutions.
1. User Requests a protected resource – For example:
http://www.mycorp.com/PRExtAuthServlet
2. Web Agent examines request and queries Policy Server to determine if PRExtAuthServlet is a protected resource. If so, Web Agent checks wether or not the user has been authenticated.
3. If they have not been, the user is presented with the login form.
4. The Policy Server passes the credentials to LDAP directory for authentication.
5. If successful the Web Agent writes an encrypted cookie onto the user’s browser, which will identify the user to the web agent for subsequent requests.
6. The Web Agent then queries the Policy Server to determine authorizations for the requested resource.
7. The policies mandate that to access /PRExtAuthServlet/* the user must belong to the group PRPC_User or PRPC_WorkMgr (hypothetical)
8. The Policy Server queries the directory to determine if the user is in one of the appropriate groups
9. If so, the web agent caches the authorization and allows the request to pass through to the reverse proxy, appending customized http header variables containing the user ID, group name and other information about the user. The Reverse Proxy routes the request to the appropriate application server.
10. The PRPC application generates the page and responds to the request.
11. If needed, the PRPC application polls the LDAP Directory for additional user information
Accepted Solution
Pegasystems Inc.
US
Hi Bio,
Since Oracle Access Manager is acting like a reverse proxy then what you have put above is correct.
It's not to complicated to configure PRPC for PRCustom style SSO implementation with products like Oracle Access Manager, Siteminder and WebSEAL. These products are handing the access to the protected resource, in this case PRPC, and we simply receive HTTP headers related to who the users is.
https://pdn.pega.com/documents/authentication-pegarules-process-commander-v53
Chapter 7 contains good detail on how PRCustom authentication works. (This is older documentation but PRCustom authentication has not changed since then. You DO NOT need a SSO Driver servlet if you see it mentioned in the document, that is simply not needed since PRPC 5.4)
I have working samples of both Sitminder and WebSEAL. It will be the same thing for Oracle Access Manager and I have implemented with it before. I can do a quick 30 minute WebEx session when you are free and I will get you started on implementing this. Send me a Mesh PM when you have time. When done we will take a screen shot of your login activity and post it here for others.
--Chris
Pegasystems Inc.
US
Have you considered using OOTB SAML/WebSSO? I am not aware of any step-by-step for Oracle Access manager but with SiteMinder (procedure is similar), we have a runbook: https://docs-previous.pega.com/ca-single-sign-federation-runbook
FDIC
US
Hi Kevin,
Thanks for the documentation and quick reply. The doc is shown instructions to configure Pega as a SP (Service Provider). We currently have OAM (Oracle Access Manager) serves as a Service Provider per outlines below (especially we would like to know how we configure per step 9, 10)
Thanks for your help
Boi
Web Access Management
Let’s look at a typical Web Access Management implementation with PRPC sing CA SiteMinder. The same general mechanism applies to all offâtheâshelf Web Access Management solutions.
1. User Requests a protected resource – For example:
http://www.mycorp.com/PRExtAuthServlet
2. Web Agent examines request and queries Policy Server to determine if PRExtAuthServlet is a protected resource. If so, Web Agent checks wether or not the user has been authenticated.
3. If they have not been, the user is presented with the login form.
4. The Policy Server passes the credentials to LDAP directory for authentication.
5. If successful the Web Agent writes an encrypted cookie onto the user’s browser, which will identify the user to the web agent for subsequent requests.
6. The Web Agent then queries the Policy Server to determine authorizations for the requested resource.
7. The policies mandate that to access /PRExtAuthServlet/* the user must belong to the group PRPC_User or PRPC_WorkMgr (hypothetical)
Hi Kevin,
Thanks for the documentation and quick reply. The doc is shown instructions to configure Pega as a SP (Service Provider). We currently have OAM (Oracle Access Manager) serves as a Service Provider per outlines below (especially we would like to know how we configure per step 9, 10)
Thanks for your help
Boi
Web Access Management
Let’s look at a typical Web Access Management implementation with PRPC sing CA SiteMinder. The same general mechanism applies to all offâtheâshelf Web Access Management solutions.
1. User Requests a protected resource – For example:
http://www.mycorp.com/PRExtAuthServlet
2. Web Agent examines request and queries Policy Server to determine if PRExtAuthServlet is a protected resource. If so, Web Agent checks wether or not the user has been authenticated.
3. If they have not been, the user is presented with the login form.
4. The Policy Server passes the credentials to LDAP directory for authentication.
5. If successful the Web Agent writes an encrypted cookie onto the user’s browser, which will identify the user to the web agent for subsequent requests.
6. The Web Agent then queries the Policy Server to determine authorizations for the requested resource.
7. The policies mandate that to access /PRExtAuthServlet/* the user must belong to the group PRPC_User or PRPC_WorkMgr (hypothetical)
8. The Policy Server queries the directory to determine if the user is in one of the appropriate groups
9. If so, the web agent caches the authorization and allows the request to pass through to the reverse proxy, appending customized http header variables containing the user ID, group name and other information about the user. The Reverse Proxy routes the request to the appropriate application server.
10. The PRPC application generates the page and responds to the request.
11. If needed, the PRPC application polls the LDAP Directory for additional user information
Pegasystems Inc.
US
I see, you are configuring your own PRCustom. Check this: https://pdn.pega.com/how-configure-reverse-proxy-server
FDIC
US
Hi Kevin,
Thanks for your response. Please confirm if it is correct.
The flow of PRCustom for authentication is as follow…
· User access Pega resources URL (proxy server) – step 1 of Web Access Management
· User authentication – step 2 to step 8 of Web Access Management
· Step 9 – Proxy server will set the following value in http header (using the Approach A: Proxy server sets context – How to configure a reverse proxy server)
o PegaRULES-SetContextURI: http://revproxy/AcmeCorp/
o Host: pegaserver:8080
o pyUserIdentifier: userID
o pyAccessGroup*: PegaProcessGroup
o pyWorkGroup* : PegaWorkgroup
Please confirm. If there is an example, that would be excellent!
Thanks
BB
Pegasystems Inc.
US
Chris Koyl, please take a look and provide your comment here. If this requires more details to go through, create a SR to track the effort.
Accepted Solution
Pegasystems Inc.
US
Hi Bio,
Since Oracle Access Manager is acting like a reverse proxy then what you have put above is correct.
It's not to complicated to configure PRPC for PRCustom style SSO implementation with products like Oracle Access Manager, Siteminder and WebSEAL. These products are handing the access to the protected resource, in this case PRPC, and we simply receive HTTP headers related to who the users is.
https://pdn.pega.com/documents/authentication-pegarules-process-commander-v53
Chapter 7 contains good detail on how PRCustom authentication works. (This is older documentation but PRCustom authentication has not changed since then. You DO NOT need a SSO Driver servlet if you see it mentioned in the document, that is simply not needed since PRPC 5.4)
I have working samples of both Sitminder and WebSEAL. It will be the same thing for Oracle Access Manager and I have implemented with it before. I can do a quick 30 minute WebEx session when you are free and I will get you started on implementing this. Send me a Mesh PM when you have time. When done we will take a screen shot of your login activity and post it here for others.
--Chris