This presentation is part of the Authentication Overview Self-Study Course.
There is an excellent 100+ page tech note on the PDN titled Authentication in PegaRULES Process Commander. This tech note describes five different approaches to authentication in a PegaRULES-based application.
In a native PRPC solution, internal authentication is done against PRPC’s own Operator ID database, with credentials sent either in plain text or over Secure Sockets Layer (SSL). This option is rarely used in a production environment. Why not? Because it requires maintaining the PRPC security database separately from the corporate security repository, and keeping the PRPC Operator IDs and passwords in sync as users are added, deleted, and changed there. If it is used at all, the plain-text variant should be avoided, since the password then crosses the network unprotected on every sign-in.
In a Web Access Management solution, PegaRULES is deployed as a web application and accessed through a web browser. The URL of the PRPC Servlet can be protected using any off-the-shelf Web Access Management product, such as Tivoli Access Manager or CA eTrust SiteMinder: the WAM product authenticates the user before a request ever reaches the servlet. The practical caveat is that the servlet must then be reachable only through the WAM-protected path; a direct route to the application server that bypasses the WAM agent bypasses the authentication as well.
In a Container-managed solution, PRPC runs inside the servlet container of a commercial application server such as IBM WebSphere or BEA WebLogic. IBM and BEA have each implemented the Java Authentication and Authorization Service (JAAS) standard in their own product-specific way to provide container-managed security. PRPC applications can easily “piggyback” on this form of security: the container collects and verifies the credentials, and the application only sees the already-authenticated identity.
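As an added illustration, not taken from the tech note or from PRPC’s shipped deployment descriptor, the following web.xml fragment shows the standard Servlet-specification way to declare container-managed security for a servlet URL. The URL pattern /PRServlet/*, the role name PRPCUsers, the realm name and the login pages are assumptions made for the example.

```xml
<!-- Added example: Servlet-spec container-managed security declaration.
     Not PRPC's own web.xml; URL pattern, role and realm names are assumed for illustration. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>PRPC servlet</web-resource-name>
    <url-pattern>/PRServlet/*</url-pattern>   <!-- assumed servlet path -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only members of this container role (mapped to a WebSphere/WebLogic group
         in the vendor-specific descriptor) may reach the servlet. -->
    <role-name>PRPCUsers</role-name>          <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes the container require SSL for these URLs,
         so credentials and session cookies never travel in plain text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- The container, not the application, collects the credentials.
       FORM sends unauthenticated users to the pages below; BASIC would use the browser prompt. -->
  <auth-method>FORM</auth-method>
  <realm-name>CorporateRealm</realm-name>     <!-- assumed realm name -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>        <!-- assumed page -->
    <form-error-page>/loginError.jsp</form-error-page>   <!-- assumed page -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>PRPCUsers</role-name>
</security-role>
```

With this in place the application never handles a password; it reads the identity the container established from HttpServletRequest.getUserPrincipal() (or getRemoteUser()). Two things to check when relying on it: that the role is actually bound to a real group in the server’s own descriptor (an unbound role lets nobody in, which is at least fail-closed), and that every URL the servlet answers on is covered by a url-pattern, since an unconstrained path is reachable without authentication.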
In a custom corporate solution, a corporation may have developed its own centralized sign-in application that provides a unified way to authenticate against a corporate LDAP directory. Such a sign-in application also typically implements the corporate password policy by enforcing password strength and password expiration, and provides a way to reset the password when a user has forgotten it.
The last three options are the ones used in practice, in one form or another, and will be discussed in more detail.
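To make concrete what “authenticate against a corporate LDAP directory” involves in the custom sign-in option above, here is an added example in plain Java using JNDI. It is not code from PRPC or from any particular corporate sign-in product; the directory URL, the DN layout and the class name are assumptions. It covers only the authentication step (a bind as the user), and it includes the one check such code must not omit: an LDAP simple bind with an empty password is an anonymous bind, which most directories accept, so an unchecked empty password would “authenticate” any known user ID.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example of an LDAP bind-based sign-in check; not PRPC code. */
public class LdapSignIn {

    // Assumed for the example: a hypothetical directory and DN layout.
    private static final String LDAP_URL = "ldaps://ldap.example.com:636"; // ldaps: never send the password in clear
    private static final String USER_DN_FORMAT = "uid=%s,ou=people,dc=example,dc=com";

    /**
     * Returns true only if the directory accepts a simple bind as the user's DN
     * with the supplied password. Any error other than a clean success is a failure.
     */
    public static boolean authenticate(String userId, char[] password) {
        // Empty credentials must be rejected before contacting the directory:
        // an empty password makes the bind anonymous, and an anonymous bind "succeeds".
        if (userId == null || userId.trim().isEmpty() || password == null || password.length == 0) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // The user ID is placed inside a DN, so it must be escaped (RFC 4514) to stop
        // a crafted ID such as "alice,ou=admins" from rewriting the DN.
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN_FORMAT, escapeDnValue(userId)));
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                     // wrong password or unknown user
        } catch (NamingException e) {
            return false;                     // directory unreachable etc.: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** Escapes a single attribute value for use inside a distinguished name (RFC 4514). */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean special = ",+\"\\<>;=".indexOf(c) >= 0
                    || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == value.length() - 1));
            if (special) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }
}
```

Password strength, expiration and reset, which the paragraph above attributes to the sign-in application, sit around this call rather than inside it: the directory reports an expired or locked account as a bind failure, and the sign-in application is what turns that into a “change your password” flow. Using ldaps (or StartTLS) is not optional here, because the bind transmits the user’s actual password, not a hash.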