Posted: 10 Oct 2020 16:26 EDT Last activity: 19 Nov 2020 0:06 EST
SAML 2.0 Pega API REST Services
How do we implement SAML 2.0 Authentication on Pega API (to run the REST services) since we only have three Authentication Types under Service Package: api(Basic, Custom, OAuth)?
The Operator already has PegaRULES:PegaAPI as part of their role on the default Access Group and the REST API(s) seem to work fine with Basic Authentication. The Operator has also been updated to enable the option 'Use External Authentication' and the user is able to login to the Developer Portal with the SAML 2.0 auth. Putting the SAML 2.0 Auth Service under the 'Custom' Authentication Type in the Service Package: api didn't work with the REST API(s) either and the SAML Tracer showed no indication that the SAML request was ever made.
I have seen that PEGA itself mentioned that SSO works only with Web. Some one from PEGA expertise team has to comment on this , when we refer the same authentication service from service package , will it work or not.
Configure this SAML authentication service to enable web Single Sign-On (SSO) for your application.
I am exploring things on this. i will let you know if get to know anything.
SAML SSO authentication will work wtih REST API. I did the same in 8.3 and was working fine. Select the authentication type as Custom and give the SAML auth service rule. It should save without any errors. Change the processing mode from Stateless to Statefull. It will work. But the same is not working after upgrading to 8.5.1 version. In latest version, Pega expecting a authentication activity for Cutom type authenticaiton. Seems like something changed from Pega end in new version.
SAML 2.0 is vastly used for web SSO primarily aimed at user authentication. REST API on other hand is a async way of accessing application functionality via various channels like web, mobile apps, IoT etc that involves both user and API consumer verification. So OAuth 2.0 is the industry recommended standard to use.
To hook up any existing SAML SSO implementation, look into OAuth 2.0 with SAMLBearer grant type. This allows exchange of a SAML 2.0 token for an oauth access token that can be used to access the REST API.