It sounds like user is trying to access Pega mashup before user is authenticated against the parent application. probably you want to consider hiding the pega link until the user is authenticated in parent application. once user is authenticated in parent applicaiton, then launch Pega mash up with all the required parameters for the authentication at pega side. this is most common use case for pega mash up.
Many thanks for your response! You are right in what you describe, but we should first attempt to access Pega, if there is no active session, then redirect to the external credentials screen, which will redirect back to Pega upon successful auth.