Below is what I've learnt about the Authentication Service rule. I have used it in Pega 8.1. and Pega 8.4.
Anyone have any tips on how to map Workgroup lists, with a dynamic number of instances? I know a hacky way to workaround the limitation of having no pagelist mapping, on the Mapping tab, and I've also use a Post-Authentication Activity.
TIP: Use 'Global Resource Settings' (GRS) -- e.g. a Data Page populated by Dynamic System Setting values -- for the IDP and SP settings. Ensure that Data Page used for GRS is accessible to the WebSSO Service Package’s Access Group
TIP: Populate a Data Page with the data to map to the Operator, and use the Mapping tab (for text and value list mapping)
TIP: If the Data Page used for mapping needs access to the operator’s original Operator ID record:
Use the Mapping tab to populate a Clipboard page, of type Data-Admin-Operator-ID, e.g. “SSOOperator”, with the User ID (e.g. the tokencontaining this)
In the Data Page load: Set ‘SSOOperator’ to the Operator ID record, i.e. a Data Page with a lookup on the passed User ID parameter
TIP: To force the authentication process to fail, without creating an Operator ID record, select ‘Attribute or Datapage reference’ for the Operator identification, and have the Data Page logic only set its reference property (which is mapped to OperatorID.pyUserIdentifier) only when the user has been validated by the IDP
The pre-authentication Activity only has access to the unauthenticated Requestor page, so it has some information (such as whether a mobile device is being used) but at this point the user is unknown
The ‘enable operator provisioning using model operator’ option:
Only takes effect if the Operator doesn’t exist
If ‘by name’: will interpret the configured ‘Model operator’ field as a token unless entered in double-quotes
The Pre-authentication Activity runs in the context of the BROWSER Requestor, and the Post-authentication Activity runs in the context of the Access Group of the operator
It is possible to update the current operator’s Data-Admin-Operator-ID record, in the Post-authentication Activity, but only if the operator’s Access Group has permission to do so.
Post-Auth Activity will not run if operator’s Operator ID record has pyOperatorIsDeactivated set to true
The Mapping tab will only map from Text and Value list type properties
The Post-Auth Activity can update the Operator ID record with an Obj-Save (if it has authorisation) and has to use Write Now option
Both the Pre- and Post- authentication Activity rules – if they are configured on the Auth Service at all – must execute the following otherwise the authentication will fail: