Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Sayak Bhattacharjee (SayakB)
UBS
Architect
UBS
IN
SayakB Member since 2010 14 posts
UBS
Posted: Nov 23, 2022
Last activity: Nov 28, 2022
Posted: 23 Nov 2022 2:16 EST
Last activity: 28 Nov 2022 3:51 EST
Closed

Dynamically assign Access group

I am using an authe service rule to establish SAML based SSO authentication. I provision user through a model operator. In ApplicationProfileSetUp extension point I call a service to obtain the user roles. Based on the user roles I need to decide whether I should show developer portal or  user portal.

What I am doing now:

In model operator I have added 2 access groups -  one as MyApp:Developers and the other as  MyApp:Users. Once I get the user roles by calling the service I do the below 2 steps in sequence 

  1. Call OOTB activity RedirectAndRun and pass Access group Parameter as MyApp:Users (beased on detected roles)
  2. Inject roles dynamically by calling OOTB API tools.getAuthorizationHandle().setRoles(tools, PRAuthorization.UPDATE_APPEND, tools.getStepPage().getProperty(".ListOfRoles"))

Problem Facing:

Access group is righly switched, but the roles are not getting added. If I stop call RedirectAndRun then roles are rightly added in the user profile.

What I need:

Both should work - Launching of the session with correct AG and poper allocation of roles.

Please Note : Since my application is hosted on tomcat cant use EstablishOperator (as that is for container managerd apps) 

Thanks for any lead

Sayak


***Edited by Moderator Marije to add Capability tags***
To see attachments, please log in.
Pega Platform 8.7.1
Security
Installation and Deployment
System Administration
Financial Services
Lead System Architect

Posted: 1 year ago
Posted: 23 Nov 2022 5:10 EST
Srinidhi Mrithyunjayan (mrits1)
PEGA
Lead System Architect
Pegasystems Inc.
IN

@SayakB Hi Sayak, Instead of having a single model operator you can have two model operators one for users and another for developers and based on the roles/condition that you have you can set the model operator. You can do these logic in the Data page and give that data page in the model operator fields as shown below

sso

in addition you can also use a data transform, you can check the below link on how to configure the data transform

https://docs-previous.pega.com/security/85/configuring-operator-provisioning-saml-sso-authentication-service

To see attachments, please log in.
Posted: 1 year ago
Posted: 25 Nov 2022 9:31 EST
Sayak Bhattacharjee (SayakB)
UBS
Architect
UBS
IN

@SrinidhiMHi Srinidhi, Thanks for your response. I found my question lacks clarity. I mentioned that access group switching will be done based on user role. And this user roles are pulled through a SOAP call. This logic of calling the external application through SOAP is performed in ApplicationProfileSetup. There I have already ran out of the context of the authentication service rule.

To call this service I need to enrich the retrive details from atleast 4 other application. From architectural clarity did not want to call all the services in the auth service rule context as the auth servcice is specific to authentication and all these peripheral services that I am talking about are nneded to establish the authorization profile of the user.

So, in short I am looking for a mechanism that allows me to change the acces group from ApplicationProfileSetup 

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice