Skip to main content
Contact a Moderator

Question

3
Replies
67
Views
 Anthony Gourtay (Anthony_Gourtay)
Capgemini Engineering
Business Application Expert
Capgemini Engineering
BE
Anthony_Gourtay Member since 2017 16 posts
Capgemini Engineering
Posted: May 19, 2020
Last activity: September 17, 2020
Posted: 19 May 2020 5:28 EDT
Last activity: 17 Sep 2020 3:20 EDT
Closed

SSO & local users password policy

Hello,

We're working with PEGA 7.3.1.

in our systems, we've got several kind of users/operators

- regular operators, people connecting to the application via SSO (external auth)

- some admin users, with local record & password for connecting to the required node

- some technical operators for the application itself not used by human

There's today no password policy, we handle this ourselves.

We're studying possibilty of using/enabling "Security Policy" but

- what would be the impact on the operators using SSO with no access to password part

- Is there a way to exclude some operators from this password policy and/or to apply it to a certain template of operator based on the name

I know I could just apply and see the results but I would also like to avoid fully blocking the application with the first test :-)

Thank you

Anthony

***Edited by Moderator: Pallavi to update platform capability tags***  

Pega Platform 7.3.1 System Administration Security
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 1 year ago
Posted: 19 May 2020 6:35 EDT
Anthony Gourtay (Anthony_Gourtay)
Capgemini Engineering
Business Application Expert
Capgemini Engineering
BE

Let me add few details:

- for direct connection we use PRServlet

- for SSO connection it's a specific custom servlet and specific activity behind

I can see in Security Policy "Exclusion list of operator IDs" but it seems linked to "Operator disablement policy" only

Thanks

Anthony
Posted: 1 year ago
Posted: 20 May 2020 13:34 EDT
Harish Gunneri (Harish_Gunneri)
PEGA
Senior Software Solutions Engineer
Pegasystems Inc.
US

Hi Anthony,

 

You are right "Exclusion list of operator IDs" is linked to "Operator disablement policy" only.

 

However coming to your original query - the security policies only apply for Basic (Pega authentication) coming from /prweb/PRServlet context. Not applicable for custom auth like SSO/LDAP.

 

On the latest versions, there are capabilities to enforce few policy types based on authentication service. 

 

Let me know if that clarifies!
Posted: 1 year ago
Posted: 17 Sep 2020 3:20 EDT
Anthony Gourtay (Anthony_Gourtay)
Capgemini Engineering
Business Application Expert
Capgemini Engineering
BE

Hello,

Sorry for not having updated you, I never saw the notification for your reply.

So

- any customized SSO will never use by default this Security Policy - Security policy will apply only for default login via PRServlet

Last. We've got a technical operator with its own password, just used internally for the processing, file listener authentication for example or our Application Agents Processing.

We never log with it into the application.  Is this Security Policy used internally also for such users or only at login time?

Thank you

Regards

Anthony  

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice