Question

3
Replies
40
Views
Anthony_Gourtay Member since 2017 10 posts
Altran
Posted: May 19, 2020
Last activity: September 17, 2020

SSO & local users password policy

Hello,

We're working with PEGA 7.3.1.

in our systems, we've got several kind of users/operators

- regular operators, people connecting to the application via SSO (external auth)

- some admin users, with local record & password for connecting to the required node

- some technical operators for the application itself not used by human

There's today no password policy, we handle this ourselves.

We're studying possibilty of using/enabling "Security Policy" but

- what would be the impact on the operators using SSO with no access to password part

- Is there a way to exclude some operators from this password policy and/or to apply it to a certain template of operator based on the name

I know I could just apply and see the results but I would also like to avoid fully blocking the application with the first test :-)

Thank you

Anthony

***Edited by Moderator: Pallavi to update platform capability tags***  

Pega Platform 7.3.1 System Administration Security
Close popover
Posted: 6 months ago

Let me add few details:

- for direct connection we use PRServlet

- for SSO connection it's a specific custom servlet and specific activity behind

I can see in Security Policy "Exclusion list of operator IDs" but it seems linked to "Operator disablement policy" only

Thanks

Anthony

Posted: 6 months ago

Hi Anthony,

 

You are right "Exclusion list of operator IDs" is linked to "Operator disablement policy" only.

 

However coming to your original query - the security policies only apply for Basic (Pega authentication) coming from /prweb/PRServlet context. Not applicable for custom auth like SSO/LDAP.

 

On the latest versions, there are capabilities to enforce few policy types based on authentication service. 

 

Let me know if that clarifies!

Posted: 2 months ago

Hello,

Sorry for not having updated you, I never saw the notification for your reply.

So

- any customized SSO will never use by default this Security Policy - Security policy will apply only for default login via PRServlet

Last. We've got a technical operator with its own password, just used internally for the processing, file listener authentication for example or our Application Agents Processing.

We never log with it into the application.  Is this Security Policy used internally also for such users or only at login time?

Thank you

Regards

Anthony  
Share this page LinkedIn
Copied!