Question

3
Replies
61
Views
 Anthony Gourtay (Anthony_Gourtay)
Capgemini Engineering
Business Application Expert
Capgemini Engineering
BE
Anthony_Gourtay Member since 2017 16 posts
Capgemini Engineering
Posted: May 19, 2020
Last activity: September 17, 2020
Posted: 19 May 2020 5:28 EDT
Last activity: 17 Sep 2020 3:20 EDT

SSO & local users password policy

Report

Hello,

We're working with PEGA 7.3.1.

in our systems, we've got several kind of users/operators

- regular operators, people connecting to the application via SSO (external auth)

- some admin users, with local record & password for connecting to the required node

- some technical operators for the application itself not used by human

There's today no password policy, we handle this ourselves.

We're studying possibilty of using/enabling "Security Policy" but

- what would be the impact on the operators using SSO with no access to password part

- Is there a way to exclude some operators from this password policy and/or to apply it to a certain template of operator based on the name

I know I could just apply and see the results but I would also like to avoid fully blocking the application with the first test :-)

Thank you

Anthony

***Edited by Moderator: Pallavi to update platform capability tags***  

Pega Platform 7.3.1 System Administration Security
Reply
Posted: 1 year ago
Posted: 19 May 2020 6:35 EDT
Anthony Gourtay (Anthony_Gourtay)
Capgemini Engineering
Business Application Expert
Capgemini Engineering
BE
Report

Let me add few details:

- for direct connection we use PRServlet

- for SSO connection it's a specific custom servlet and specific activity behind

I can see in Security Policy "Exclusion list of operator IDs" but it seems linked to "Operator disablement policy" only

Thanks

Anthony

Reply
Posted: 1 year ago
Posted: 20 May 2020 13:34 EDT
Harish Gunneri (Harish_GCS)
PEGA
Senior Software Solutions Engineer
Pegasystems Inc.
US
Report

Hi Anthony,

 

You are right "Exclusion list of operator IDs" is linked to "Operator disablement policy" only.

 

However coming to your original query - the security policies only apply for Basic (Pega authentication) coming from /prweb/PRServlet context. Not applicable for custom auth like SSO/LDAP.

 

On the latest versions, there are capabilities to enforce few policy types based on authentication service. 

 

Let me know if that clarifies!

Reply
Posted: 10 months ago
Posted: 17 Sep 2020 3:20 EDT
Anthony Gourtay (Anthony_Gourtay)
Capgemini Engineering
Business Application Expert
Capgemini Engineering
BE
Report

Hello,

Sorry for not having updated you, I never saw the notification for your reply.

So

- any customized SSO will never use by default this Security Policy - Security policy will apply only for default login via PRServlet

Last. We've got a technical operator with its own password, just used internally for the processing, file listener authentication for example or our Application Agents Processing.

We never log with it into the application.  Is this Security Policy used internally also for such users or only at login time?

Thank you

Regards

Anthony  

Reply