Is it possible to disable the default login so that users created with applications and the standard Pega users (i.e. email@example.com) can't log in?
I have a safety mechanism for automatically configuring LDAP via CLI which doesn't use the administrator account (to the best of my knowledge), so if a malicious actor gained control or a mistake was made then I can always re-apply the LDAP credentials, organizational unit and model user (firstname.lastname@example.org) so that they can manually reconfigure everything again.
I understand that you can do this but this requires both manual effort and can potentially miss a default operator. Furthermore, when a new application is created four new users are created which would create a security issue until someone checked the "use external authentication" for each of the users which will probably be missed at some point in time.
I have also been advised by the SR contact that the question should be answered via the community instead of the SR ticket. There is also an option to add an SR ticket to the community question which, at least in my mind, provides a logical assumption that you can ask both since they can be tied together (so long as the ticket is raised before the community question).
I have also notified our account representative with both the community posts and the SR tickets for this (as well as other issues) in a single email and they did not notify us that we should not take that approach.
How do you think I should proceed since I have multiple tickets/questions in the community which are several days old which have not been answered yet?
You can modify the web-login HTML rule to only display the login page for the specific servlet(s) users want to use, and otherwise display an access denied message. A simple when condition based on pxRequestor.pxReqServletNameReal will do, and you also need to set the operators to external only to prevent URL-level access for those users.
I would assume that this wouldn't disable the login, as the users can still log in via the default URL if they don't have "external authentication" checked, which masks disabling the default authentication. Thank you for trying to assist though!
Yes, by selecting external authentication, users will not be able to log in with the default prpcbasic authentication and they will only be able to log in with the external authentication configured for such users.
This doesn't fulfill the requirement of disabling the default authentication, as it doesn't actually disable the default authentication. All it does is force specific users (in your suggestion, all users) to use an external authentication for which there is none. However, if a user then unchecks this, creates a new application within Designer Studio or creates a new user without checking the flag, then they can authenticate using the default Pega login, which the service management team, using your example steps, would think is impossible to do.
To disable a few operators, you can use the Operator Access landing page (Designer Studio --> Org & Security --> Authentication --> Operator access) and disable selected operators. Regarding default operators that get created with a new application, we can optionally skip the creation of default operators from Advanced configuration.
I have previously responded in this question to the first part of your response, regarding manually disabling, which I have included below.
You can optionally skip this, and if this occurs it will create a security hole in the implementation, since everyone knows the default passwords for all users.
Previous response: I understand that you can do this but this requires both manual effort and can potentially miss a default operator. Furthermore, when a new application is created four new users are created which would create a security issue until someone checked the "use external authentication" for each of the users which will probably be missed at some point in time.
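The concern in this exchange is that default operators created with a new application, or any operator whose "use external authentication" flag was not set, can still use the built-in login. One way to catch that drift is a periodic audit over an export of the operator list. The script below is an added example, not code from this thread or from Pega; the export format and column names (`operator_id`, `external_auth`, `default_operator`, `enabled`) are assumptions for illustration, and the sample rows are constructed.

```python
"""Audit a constructed operator export for accounts that can still use the
built-in (non-external) login.  Column names are hypothetical; adapt them to
whatever export your platform produces."""
import csv
import io

# Constructed sample export (assumed layout, not a real platform export).
SAMPLE_EXPORT = """operator_id,external_auth,default_operator,enabled
admin@example.org,false,true,true
svc.ldap@example.org,true,false,true
app.author@example.org,false,true,true
app.manager@example.org,false,true,false
jane.doe@example.org,true,false,true
"""


def _flag(value):
    """Interpret a CSV boolean cell ('true'/'false', case-insensitive)."""
    return value.strip().lower() == "true"


def parse_operators(text):
    """Return the export as a list of dicts, one per operator row."""
    return list(csv.DictReader(io.StringIO(text)))


def local_login_operators(operators):
    """Enabled operators that are NOT forced to external authentication.

    These are the accounts that can still authenticate with the built-in
    login; every entry is a finding unless explicitly approved.
    """
    return sorted(
        op["operator_id"]
        for op in operators
        if _flag(op["enabled"]) and not _flag(op["external_auth"])
    )


def default_operators_with_local_login(operators):
    """Subset of the findings that are platform/application default operators.

    The thread's point: default operators ship with well-known passwords, so
    an enabled default operator without external auth is the highest-risk case.
    """
    return sorted(
        op["operator_id"]
        for op in operators
        if _flag(op["enabled"])
        and _flag(op["default_operator"])
        and not _flag(op["external_auth"])
    )


def audit(text):
    """Run both checks over an export and return a small report dict."""
    ops = parse_operators(text)
    return {
        "local_login": local_login_operators(ops),
        "default_local_login": default_operators_with_local_login(ops),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for key, ids in report.items():
        print(f"{key}: {', '.join(ids) or '(none)'}")
```

Run against the constructed sample it reports `admin@example.org` and `app.author@example.org` in both lists (enabled default operators still on local login); `app.manager@example.org` is excluded because it is disabled, and the LDAP service account and `jane.doe` are excluded because they are already external-only. Scheduling such a check after every application creation is the compensating control for the "someone will forget to tick the flag" gap described above.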
If it is to be done post installation, AFAIK it has to be done manually. But for fresh installations, you can use secure mode installation to deactivate all Pega-supplied operators except "email@example.com". To activate those operators post installation, you can use the Operator Access landing page (Designer Studio --> Org & Security --> Authentication --> Operator access).
For new applications, you can skip the creation of default operators.