Question
ASB
NZ
Last activity: 28 Sep 2022 7:08 EDT
SSO integration with Azure AD for PDM
Hi,
I am implementing SSO for Pega deployment manager 5.4 with Azure AD. Pega is creating new operators using model operator and assigns access group of it. Instead of assigning model operator's access group I want to assign access group passed in SAML response. I have 2 questions here,
1. How can we add access groups and applications in Azure AD?
2. How can we map access group?
Thank you
ASB
NZ
@VinodBavandla Any suggestions or replies would be appreciated.
Thanks
Accenture
AU
@VinodB053 I dont believe adding a access group to an operator should be different for PDM. Traditionally, either AD send identifier, for which there is an internal mapping to the access group. And that access group should be added at the time of operator creation page. If AD is sending AG directly, then u can map the same to the pyAccessGroup property on the operator page before saving the page. Let me know, if more clarification is needed.
Rabobank
NL
@VinodBavandla SAML will provide ADFS identifier or application authorisation functional role that would be specific to your application. And based on these identifier or functional role, you can create a matrix in PDM to give the access group based on these role. You have to map all the identifier or functional role coming in SAML authentication rule.
Defining accessgroup in ADFS is not recommended as accessgroup is specific to Pega application and may be changed during the lifecycle of the application. But application identifiers or functional role never change and always be static.