Scott Foster (FOSTS)
Senior System Architect
FOSTS Member since 2008 3 posts
Posted: July 14, 2020
Last activity: June 2, 2021
Posted: 14 Jul 2020 2:33 EDT
Last activity: 2 Jun 2021 23:37 EDT

Authentication Service -- Tips and Tricks

Below is what I've learnt about the Authentication Service rule.  I have used it in Pega 8.1. and Pega 8.4.

Anyone have any tips on how to map Workgroup lists, with a dynamic number of instances?  I know a hacky way to workaround the limitation of having no pagelist mapping, on the Mapping tab, and I've also use a Post-Authentication Activity.

  1. TIP: Use 'Global Resource Settings' (GRS) -- e.g. a Data Page populated by Dynamic System Setting values -- for the IDP and SP settings.  Ensure that Data Page used for GRS is accessible to the WebSSO Service Package’s Access Group
  2. TIP: Populate a Data Page with the data to map to the Operator, and use the Mapping tab (for text and value list mapping)
  3. TIP: If the Data Page used for mapping needs access to the operator’s original Operator ID record:
    • Use the Mapping tab to populate a Clipboard page, of type Data-Admin-Operator-ID, e.g. “SSOOperator”, with the User ID (e.g. the token  containing this)
    • In the Data Page load: Set ‘SSOOperator’ to the Operator ID record, i.e. a Data Page with a lookup on the passed User ID parameter
  4. TIP: To force the authentication process to fail, without creating an Operator ID record, select ‘Attribute or Datapage reference’ for the Operator identification, and have the Data Page logic only set its reference property (which is mapped to OperatorID.pyUserIdentifier) only when the user has been validated by the IDP
  5. The pre-authentication Activity only has access to the unauthenticated Requestor page, so it has some information (such as whether a mobile device is being used) but at this point the user is unknown
  6. The ‘enable operator provisioning using model operator’ option:
    • Only takes effect if the Operator doesn’t exist
    • If ‘by name’: will interpret the configured ‘Model operator’ field as a token unless entered in double-quotes
  7. The Pre-authentication Activity runs in the context of the BROWSER Requestor, and the Post-authentication Activity runs in the context of the Access Group of the operator
  8. It is possible to update the current operator’s Data-Admin-Operator-ID record, in the Post-authentication Activity, but only if the operator’s Access Group has permission to do so.
  9. Post-Auth Activity will not run if operator’s Operator ID record has pyOperatorIsDeactivated set to true
  10. The Mapping tab will only map from Text and Value list type properties
  11. The Post-Auth Activity can update the Operator ID record with an Obj-Save (if it has authorisation) and has to use Write Now option
  12.  Both the Pre- and Post- authentication Activity rules – if they are configured on the Auth Service at all – must execute the following otherwise the authentication will fail:


Pega Platform Security Lead System Architect Developer Knowledge Share