
Configuring OpenID Connect authentication using App Studio

3 Tasks

1 hr

Pega Platform '24.2
Visible to: All users
Advanced
English

Scenario

MDC is considering using OpenID Connect to authenticate operators. As a Lead System Architect, your task is to design and implement an OpenID Connect authentication as a proof of concept.

Pega Platform™ supports single sign-on (SSO) with OpenID Connect. You can use Gmail, Facebook, or any other OpenID Connect identity providers to log in to the Pega Platform application.

There are many identity providers (IdPs) that are available in the marketplace; some are free services while others charge per user. Before MDC decides on an identity provider, they ask you to develop a proof of concept with Okta as the IdP. Okta is a leading IdP that offers secure and scalable identity management solutions. When integrated with Pega Platform for business process management and customer engagement, Okta provides seamless authentication and authorization services. This integration enhances security by enabling SSO for Pega applications.

The following table provides the credentials you need to complete the challenge:

Role User name Password
Admin admin@deliveryservice rules

Before you begin:

  1. Register on the Okta developer site.
  2. On the Okta developer homepage, click Sign up, and then click Sign up free for Developer Edition.
    Note: It is free to test, explore, and manage integrations.
  3. Create an Okta Developer Edition Service account.
  4. Complete the sign-up process.

You must initiate your own Pega instance to complete this Challenge.

Initialization may take up to 5 minutes, so please be patient.

Detailed Tasks

1 Configure Okta as the identity provider

  1. Log in to the Okta Admin Console.
  2. In the navigation pane, click Applications > Applications, and then click Create App Integration.
    The Okta navigation pane.
  3. On the Create a new app integration landing page, in the Sign-in method section, select OIDC – OpenID Connect.
  4. In the Application Type section, select Web Application.
    Create a new app integration.
  5. Click Next.
  6. Complete the General Settings section:
    1. In the App integration name field, enter MDC Web App.
    2. In the Grant type section, select the following checkboxes:
      • Client Credential
      • Authorization Code
      • Refresh Token
        General settings.
  7. In the Assignments section, configure the access control options:
    1. In the Controlled access section, select Allow everyone in your organization to access.
    2. In the Enable immediate access (Recommended) section, clear the Enable immediate access with Federation Broker Mode checkbox.
    3. Click Save.
      Assignments.
  8. In the navigation pane, click Directory > People, and then click Add person.
    Add person.
  9. In the Add person dialog box, configure the user details:
    1. In the User type list, select User.
    2. In the First name field, enter MDC.
    3. In the Last name field, enter POC.
    4. In the Username field, enter [email protected].
    5. In the Primary email field, enter [email protected].
    6. Leave the Groups (optional) field empty.
    7. In the Activation list, select Activate now.
      Add person dialog box.
      Note: You can either set a password for the user or allow Okta to generate a temporary password. If you choose to set the password, you can do so in the provided fields.
  10. In the navigation pane, click Applications > Applications, and then open the MDC Web App that you created.
  11. On the Assignments tab, click Assign to select the users or groups who should have access to the MDC Web App application.
    Assign to people.

2 Create the new SSO in App Studio

  1. In the Pega Platform instance for the challenge, enter the following credentials:
    1. In the User name field, enter admin@deliveryservice.
    2. In the Password field, enter rules.
  2. In the header of Dev Studio, click Dev Studio > App Studio.
  3. In the navigation pane of App Studio, click Users.
  4. Click Authentication.
    Authentication in App Studio.
  5. Click Add authentication service, and then, in the list, select Create new > OIDC.
  6. In the Name field, enter OpenIDPOC.
  7. In the Create new single sign-on (OpenID Connect) window, click Import metadata, and then enter the Okta discovery URL (https://dev-87031703-admin.okta.com/.well-known/openid-configuration).
    Note: You must replace the hostname with your Okta admin registration.
  8. Click Submit.
    The Create new single sign-on (OpenID Connect) window.
  9. Return to the Okta Admin Console, and then, on the General tab, copy the client ID and client secret.
    Client credentials in Okta.
  10. Return to App Studio, and then complete the configuration in the Create new single sign-on (OpenID Connect) window:
    1. In the Client ID field, enter the client ID that you copied from the Okta Admin Console in step 9.
    2. In the Client secret field, enter the client secret that you copied from the Okta Admin Console in step 9.
      Client ID and client secret.
    3. In the Map operator ID from claim field, enter {email}.
    4. Select the Create operators for new users checkbox.
    5. In the Access role list, select DeliveryService:Authors.
    6. Click Submit.
      Mapping the ID to the access role.
  11. Confirm that the new OpenIDPOC authentication service Rule is displayed with an Enabled status:
    The OpenIDPOC authentication service rule.

3 Set Pega as the service provider

  1. In the header of App Studio, click App Studio > Dev Studio.
  2. Search for and open the OpenIDPOC authentication service Rule.
  3. In the Redirect URI field, copy the value for the OpenID Connect authentication service. 
    Redirect URI.
  4. Return to the Okta Admin Console, click Applications > Applications, and then open the MDC Web App application.
  5. In the General Settings section, click Edit. 
    General Settings.
  6. Update the sign-in and sign-out redirect URIs with the Pega Platform redirect URI that you captured in step 3.
    Login-redirectURI
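The three settings you configured above (the imported discovery metadata, the client ID and secret with the {email} claim mapping, and the redirect URI registered at Okta) are exactly the pieces a relying party checks on every login. The following Python script is an added illustration of those checks, not code from Pega Platform or Okta. The discovery document, the hostname dev-example.okta.com, the redirect URI path and the client ID are all constructed placeholders; signature verification of the ID token against jwks_uri is assumed to have already happened and is outside the example.

```python
import json
import time
from urllib.parse import urlencode, urlparse

# Constructed sample of an OpenID Connect discovery document, shaped like the one
# served at https://<your-okta-host>/.well-known/openid-configuration.
# The hostname dev-example.okta.com is a placeholder, not a real tenant.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://dev-example.okta.com",
    "authorization_endpoint": "https://dev-example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://dev-example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def import_metadata(doc_text, expected_host):
    """Parse a discovery document and keep what a relying party needs (the 'Import metadata' step).

    The issuer must be https and must live on the host the document was fetched from;
    otherwise a tampered document could point the login flow at a different IdP.
    """
    doc = json.loads(doc_text)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    issuer = urlparse(doc["issuer"])
    if issuer.scheme != "https" or issuer.hostname != expected_host.lower():
        raise ValueError(f"issuer {doc['issuer']!r} does not match host {expected_host!r}")
    for key in REQUIRED_KEYS[1:]:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must be an https URL")
    return {k: doc[k] for k in REQUIRED_KEYS}


def redirect_uri_allowed(registered_uris, requested_uri):
    """Model the IdP-side check on redirect_uri: exact string match against the registered list.

    This is why step 6 above must paste the Pega redirect URI verbatim; prefix or
    wildcard matching would let a code be delivered to a URL that was never registered.
    """
    return requested_uri in registered_uris


def build_authorization_url(meta, client_id, redirect_uri, state, nonce):
    """Authorization Code request of the kind sent when the user clicks the login URL.

    state binds the callback to this browser session; nonce is echoed in the ID token
    so a replayed token can be detected.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid email profile",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params)


def map_operator_id(claims, meta, client_id, expected_nonce, claim_template="{email}", now=None):
    """Validate ID-token claims and derive the operator ID from the claim template.

    `claims` is the already signature-verified payload; `claim_template` mirrors the
    'Map operator ID from claim' field, e.g. '{email}'.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != meta["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("ID token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token has expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    try:
        operator_id = claim_template.format(**claims)
    except KeyError as missing:
        raise ValueError(f"ID token lacks claim {missing} required by {claim_template!r}")
    if not operator_id:
        raise ValueError("claim template resolved to an empty operator ID")
    return operator_id


if __name__ == "__main__":
    meta = import_metadata(DISCOVERY_JSON, "dev-example.okta.com")
    pega_redirect = "https://pega.example.com/prweb/oidc/callback"  # placeholder redirect URI
    print(build_authorization_url(meta, "0oaPlaceholderClientId", pega_redirect, "s1", "n1"))
```

The order of checks in map_operator_id matters: issuer and audience are verified before the email claim is ever read, so a valid token from a different Okta tenant or issued to a different application is rejected rather than silently creating an operator with the Create operators for new users option.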

Confirm your work

  1. Return to Dev Studio, and then, in the OpenIDPOCCopy authentication service Rule, copy the login URL.
    Login URL.
  2. Open a different browser (if you are using Chrome, open Firefox).
  3. Paste the login URL into the Web browser.
  4. Click Login with OpenIDPOC, and then enter your Okta user credentials.
    Login with OpenIDPOC.

After you sign in, the system automatically creates the Operator ID instance for [email protected] and assigns the ID with the selected Access Role, as shown in the following figure:

Edit Operator ID.
