Create an OpenID Connect (OIDC) SSO authentication service so that users can
authenticate with an OIDC identity provider.
Before you begin: To create an authentication service, you must have the
pzCanCreateAuthService privilege, which is included in the
PegaRULES:SecurityAdministrator role. Before you create an OIDC
authentication service, you must register with the identity provider and obtain a
client ID and a client secret. You do this in the identity provider's own
administration interface, outside of Pega Platform. Treat the client secret as a
credential: it is what authenticates your application to the identity provider, so
store it only in the authentication service, not in notes or shared documents.
- In the navigation pane of App Studio, click .
- Click New, and then click OpenID Connect.
- Enter a Name for the service.
  Result: The value that you enter is used to populate the Login URL field. Users
  access this URL to log in to your application.
- Click Import metadata to import metadata from your identity provider. The
  metadata is the provider's OIDC discovery document (openid-configuration),
  which lists the issuer, the authorization and token endpoints, and the jwks_uri
  that holds the keys used to verify ID tokens.
  - To import metadata from a URL, select via URL, enter the URL, and click
    Submit. Use an https URL; metadata fetched over plain http can be altered on
    the path, which would point the service at attacker-controlled endpoints.
  - To import metadata from a file, select via file, enter the file name, and
    click Submit.
- In the Client ID and Client secret fields, enter the values that were assigned
  by your identity provider.
- In the Map operator ID from claim field, enter the name of the ID-token claim
  whose value becomes the Pega Platform operator ID. Enclose the claim name in
  curly braces, for example, {name}. Choose a claim that is unique to each user
  and does not change between logins; a display name can collide or be edited,
  whereas OIDC defines the sub claim as unique and never reassigned within an
  issuer, and a verified email address is a common alternative when operator IDs
  must be readable.
- Optional: To automatically create an operator when the operator who is logging
  in does not already exist in the Pega database, do the following steps.
  - Select the Create operators for new users check box.
  - In the Access role list, click the access role for the new user. With this
    option on, every account that the identity provider is willing to
    authenticate becomes an operator, so choose the least-privileged role that
    such users need rather than an administrative one.
- Copy the redirect URL that is displayed under Configure your IdP.
  To complete SSO configuration, you must register Pega Platform as a client
  (relying party) with your identity provider, using the redirect URI that you
  copy. Register the URI exactly as displayed; a wildcard or prefix registration
  lets an attacker steer the authorization code to a URL that they control.
- Click Submit.
- Optional: To configure advanced functionality, on the Single sign-on (SSO)
  landing page, where the new service is listed, click the More icon and then
  click Open in Dev Studio.
  Result: The authentication service opens in Dev Studio. For more information,
  refer to the help in Dev Studio.
- To enable the authentication service, on the Single sign-on (SSO) landing
  page, where the new service is listed, turn on the switch.
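The settings that the procedure above collects correspond to checks that any OIDC relying party performs at login. The following Python is an added example, not Pega Platform code: it parses a constructed discovery document (what Import metadata consumes), builds the authorization request with the registered redirect URI, validates ID-token claims, resolves a {claim} template to an operator ID, and applies the Create operators for new users setting. The metadata, the ID-token claims, the client ID, the redirect URI and the role name MyApp:User are all constructed placeholders. Verifying the token signature against the key at jwks_uri is required in practice and is deliberately left out here.

```python
"""Relying-party side of an OIDC SSO service, runnable offline (added example)."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed discovery document; real providers serve it at
# <issuer>/.well-known/openid-configuration.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
})
REQUIRED_METADATA_KEYS = ("issuer", "authorization_endpoint",
                          "token_endpoint", "jwks_uri")


def parse_metadata(document: str) -> dict:
    """Reject metadata that lacks required fields or uses non-TLS endpoints."""
    md = json.loads(document)
    missing = [k for k in REQUIRED_METADATA_KEYS if k not in md]
    if missing:
        raise ValueError(f"metadata is missing {missing}")
    for key in REQUIRED_METADATA_KEYS:
        if not str(md[key]).startswith("https://"):
            raise ValueError(f"{key} must use https: {md[key]}")
    return md


def build_authorization_url(md, client_id, redirect_uri, state, nonce):
    """Authorization-code request; redirect_uri must match the value registered
    with the IdP exactly, and state/nonce are fresh per login."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile email",
              "state": state, "nonce": nonce}
    return f"{md['authorization_endpoint']}?{urlencode(params)}"


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def constructed_id_token(claims: dict) -> str:
    """Token shaped like a real ID token for the demo; the signature segment is
    a placeholder, so nothing here may trust it without verification."""
    return f"{_b64url({'alg': 'RS256', 'kid': 'demo'})}.{_b64url(claims)}.sig"


def decode_claims(id_token: str) -> dict:
    """Base64url-decode the payload. In production the signature is verified
    against jwks_uri first; that step is out of scope for this example."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_claims(claims, md, client_id, nonce, now=None):
    """Issuer, audience, nonce and expiry checks every relying party performs."""
    now = time.time() if now is None else now
    if claims.get("iss") != md["issuer"]:
        raise ValueError("issuer does not match imported metadata")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client ID")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def operator_id_from_claim(template: str, claims: dict) -> str:
    """Resolve a '{claim}' template such as {name} to the operator ID."""
    if not (template.startswith("{") and template.endswith("}")):
        raise ValueError("template must be a claim name in curly braces")
    value = claims.get(template[1:-1])
    if not isinstance(value, str) or not value:
        raise ValueError(f"claim {template} is absent or not a non-empty string")
    return value


def resolve_operator(operators, operator_id, create_new_users, default_role):
    """Apply 'Create operators for new users': look up, provision, or refuse."""
    if operator_id in operators:
        return operators[operator_id]
    if not create_new_users:
        raise PermissionError(f"no operator {operator_id!r}; JIT creation is off")
    operators[operator_id] = {"id": operator_id, "roles": [default_role]}
    return operators[operator_id]


def demo(now=None):
    """End-to-end run; client ID, redirect URI and role are placeholders."""
    now = time.time() if now is None else now
    md = parse_metadata(SAMPLE_METADATA)
    client_id, redirect_uri = "pega-sso-client", "https://pega.example.com/sso/callback"
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_url(md, client_id, redirect_uri, state, nonce)
    token = constructed_id_token({  # claims the IdP would return (constructed)
        "iss": md["issuer"], "aud": client_id, "nonce": nonce, "exp": now + 300,
        "sub": "6f1e0c", "name": "jdoe", "email": "jdoe@example.com"})
    claims = validate_claims(decode_claims(token), md, client_id, nonce, now)
    operators = {}  # stands in for the operator table
    op = resolve_operator(operators, operator_id_from_claim("{name}", claims),
                          create_new_users=True, default_role="MyApp:User")
    return url, op


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the authorization URL and the provisioned operator. Mapping on {name} is shown because the procedure uses it; switching the template to {sub} or {email} needs no other change, which is the point of the mapping field.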