Question
Pega Federated SP server for SAML SSO
Landscape
We are running a Pega platform which is hosting Pega instances for multiple projects. The load balancer is common for the platform but the Pega instances are separate for each project (i.e. each project will have its own Pega database).
Problem Statement
SSO setup has to be done separately for each of the projects on the platform, though the IDP and the set of attributes returned as part of the SAML response are the same. So, we are planning to do a single integration between the IDP and the Pega platform.
Design Approach
Set up a dedicated Pega instance for the platform which will potentially host the ACS endpoints, acting as a router of the SAML Response.
These ACS endpoints will receive the SAML Response from the IDP & route them to the respective tenant of the Pega platform
The tenant will then validate the SAML token and finally authenticates the user
Though the above solution theoretically works, it becomes a single point of failure (considering the huge customer base that the ACS has to handle as part of the login flow in a dozen Pega applications).
Also, this violates Pega's OOTB SSO design of having the ACS in the same instance as the SP.
Any thoughts on this solution would be highly appreciated.
Hi,
I don't think you can set up the ACS this way.
When using Service Provider initiated requests we are creating a database record that is pointed to by the RelayState parameter that we send to the IDP. The record contains the underlying RelayState URL and the ACS opens the record and uses that URL to post the SAMLResponse to for final authentication.
The URL that is stored in this record is not a static URL. It's the URL used in the initial request by the user. So this could contain a SnapStart URL, the initial Mashup URL, etc.
I also don't think you are gaining much with a design like this.
Are you trying to avoid having separate relationships at the IDP for each environment? So you would use the same SAML SP Entity Identification in each SAML AuthService defined in each of the environments? That breaks the concept of the Service Provider and IDP circle of trust, which is really what is configured at IDP level and SP level with metadata exchange and configuration.
Hope these thoughts are useful,
--Chris
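A toy model of the RelayState mechanism Chris describes, added here as an illustration and not code from Pega or from this thread: the SP-initiated request stores the user's original URL in the tenant's own database under an opaque RelayState key, and the ACS that receives the SAMLResponse must open that record. Tenant names, origins and the landing URL are constructed for the example, and SAMLResponse validation is reduced to a boolean.

```python
import secrets
from urllib.parse import urlparse

class Tenant:
    """One Pega-like instance with its own database (modelled here as a dict)."""
    def __init__(self, name, origin):
        self.name = name
        self.origin = origin           # constructed, e.g. "https://app-a.example.com"
        self.relay_records = {}        # RelayState id -> original request URL

    def start_sp_initiated_login(self, requested_url):
        """SP-initiated request: persist the user's original URL and hand the
        IDP only an opaque reference to it; the IDP echoes that reference back."""
        if urlparse(requested_url).netloc != urlparse(self.origin).netloc:
            raise ValueError("refusing to store a URL that is not on this tenant")
        relay_state = secrets.token_urlsafe(16)
        self.relay_records[relay_state] = requested_url
        return relay_state

    def acs_consume(self, relay_state, saml_response_valid):
        """ACS: resolve and consume the RelayState record, then return the URL
        to post the SAMLResponse to for final authentication."""
        target = self.relay_records.pop(relay_state, None)
        if target is None:
            raise LookupError(f"{self.name}: RelayState not found in this database")
        if not saml_response_valid:
            raise PermissionError("SAMLResponse failed validation")
        return target

def demo():
    """Constructed scenario: the login starts on tenant A, but a separate
    'router' instance (the design proposed in the question) hosts the ACS."""
    tenant_a = Tenant("project-a", "https://app-a.example.com")
    router = Tenant("platform-router", "https://sso-router.example.com")
    start_url = "https://app-a.example.com/prweb/app/project-a/landing"  # constructed
    relay_state = tenant_a.start_sp_initiated_login(start_url)
    result = {"same_instance": tenant_a.acs_consume(relay_state, True)}
    try:                                  # the router's database has no such record
        router.acs_consume(relay_state, True)
        result["router"] = "resolved"
    except LookupError:
        result["router"] = "lookup failed"
    result["replay"] = tenant_a.relay_records.get(relay_state)  # record is single-use
    return result

if __name__ == "__main__":
    print(demo())
```

The origin check in start_sp_initiated_login and the single-use record are the defensive points: RelayState stays an opaque key into the tenant's own store rather than a redirect target supplied by the browser.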