
Authentication services

Updated on June 30, 2021

To override or extend the default authentication process, create and configure an authentication service.

You can configure your application to authenticate users by using single sign-on (SSO) and external identity providers. Create an authentication service to configure Pega Platform with one of the following authentication methods:

Authentication types and protocols available in Pega Platform

SAML 2.0: An external identity provider that supports the SAML 2.0 protocol, such as Microsoft Active Directory Federation Services (AD FS). For more information, see Web single sign-on (SSO) with SAML 2.0.

OpenID Connect: An external identity provider that supports the OpenID Connect (OIDC) protocol.

Basic Credentials: A user ID and password that are stored in the Pega Platform database or in another internal or external data source.

Token Credentials: A token that is validated by an external identity provider or by the OAuth 2.0 authorization layer in Pega Platform. This type is often used by offline mobile applications.

Anonymous: Supports activity by guest users, who are prompted to authenticate partway through a session. For example, an unauthenticated user can add items to a shopping cart and then enter credentials at checkout.

Custom: If none of the above meets your requirements or your use case, you can write your own logic to challenge users for credentials and to validate those credentials, for example against a Lightweight Directory Access Protocol (LDAP)-compliant directory server.

Kerberos: A network authentication protocol based on tickets. A client, or a service acting on the client's behalf, presents a ticket to a server to obtain access to a service.
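The Anonymous type above describes a guest session that is upgraded to an authenticated one partway through. The following is an added example, not Pega Platform code and not taken from this page, that shows the shape of that upgrade in a generic Python session store. The point a practitioner should check in any implementation of this pattern is that the session identifier is rotated, and the guest identifier invalidated, at the moment credentials are accepted, so that a session identifier planted before login cannot be ridden into the authenticated session (session fixation). The user database, the salt, the password hashing routine and the SessionStore and verify_password names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

_PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a constructed example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERATIONS)


# Constructed user database (username -> (salt, hash)); stands in for the
# "internal or external data source" a Basic Credentials service would query.
_ALICE_SALT = b"constructed-salt-16"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, _hash_password("correct horse battery", _ALICE_SALT)),
}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users run the same hashing path."""
    salt, stored = USERS.get(username, (_ALICE_SALT, b"\x00" * 32))
    return hmac.compare_digest(_hash_password(password, salt), stored)


@dataclass
class Session:
    user: Optional[str] = None            # None means an anonymous (guest) session
    cart: List[str] = field(default_factory=list)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_guest(self) -> str:
        """Anonymous entry: every visitor gets an unauthenticated session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def add_to_cart(self, sid: str, item: str) -> None:
        """Guests are allowed to do this without authenticating."""
        self._sessions[sid].cart.append(item)

    def authenticate(self, sid: str, username: str, password: str) -> str:
        """Upgrade a guest session on successful login.

        The old identifier is removed and a fresh one issued, carrying the cart
        over, so a fixed pre-login identifier never becomes an authenticated one.
        """
        if sid not in self._sessions:
            raise PermissionError("unknown session")
        if not verify_password(username, password):
            raise PermissionError("invalid credentials")
        old = self._sessions.pop(sid)           # guest id is now invalid
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=username, cart=old.cart)
        return new_sid

    def checkout(self, sid: str) -> Tuple[str, List[str]]:
        """The step that demands an authenticated session."""
        session = self._sessions.get(sid)
        if session is None or session.user is None:
            raise PermissionError("authentication required")
        return session.user, list(session.cart)


def demo() -> dict:
    """Walk a guest through cart, failed login, successful login and checkout."""
    store = SessionStore()
    guest = store.new_guest()
    store.add_to_cart(guest, "book")
    try:
        store.checkout(guest)
        early_checkout = "allowed"
    except PermissionError:
        early_checkout = "refused"
    try:
        store.authenticate(guest, "alice", "wrong password")
        bad_login = "accepted"
    except PermissionError:
        bad_login = "rejected"
    user_sid = store.authenticate(guest, "alice", "correct horse battery")
    return {
        "early_checkout": early_checkout,
        "bad_login": bad_login,
        "rotated": user_sid != guest,
        "old_id_dead": store.get(guest) is None,
        "checkout": store.checkout(user_sid),
    }


if __name__ == "__main__":
    print(demo())
```

The guest identifier is deliberately not reused after login; a store that kept the same identifier and merely set the user field would be correct functionally but would let an attacker who planted that identifier in the victim's browser inherit the authenticated session.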

Default configuration

By default, your system includes a basic authentication service named Platform Authentication. You can save this service under a new name and modify the copy, and you can create an authentication service of any of the types listed above, including the basic type.

Note: As a best practice, ensure that no two authentication services share the same alias, because the alias identifies the service in the login URL that PRAuth handles. Rename any duplicate authentication service aliases before upgrading to Pega 8.6 or later.

The default servlet, PRAuth, provides a unified authentication gateway, so adding a new authentication service does not require editing prweb.xml or restarting the server.

For more information on URL patterns and servlet names, see Application URL patterns for various authentication service types.

Multi-tenancy

When you use multi-tenancy, shared users are not present in the tenant, so the model operator that an authentication service uses to provision new operators must exist in the tenant. Complete the following actions:

  • In the navigation pane of Dev Studio, click Records > SysAdmin > Authentication Service.
  • Open the authentication service to which you want to add multi-tenancy.
  • On the Operator identification tab, change the Model operator to the tenant user name.
  • Create an operator in the tenant whose user name matches the Model operator value.