Skip to main content

Configuring OpenID Connect authentication

4 Tasks

45 mins

Visible to: All users
Advanced Pega Platform 8.6 English


Front Stage is considering using OpenID Connect to Authenticate Operators.

Design and implement an OpenID Connect as a proof of concept.

Pega now supports SSO login with OpenID Connect. You can use Gmail, Facebook, or any other Open ID connect Identity Providers to log in to the Pega Platform™ application.

To use Gmail credentials to log in to the Pega Platform application, you make configurations on the Google Account and in the Pega Platform application.

The following table provides the credentials you need to complete the challenge.

Role User name Password
Administrator Admin@Booking rules

You must initiate your own Pega instance to complete this Challenge.

Initialization may take up to 5 minutes so please be patient.

Detailed Tasks

1 Review the solution detail

  1. Make configurations on Google Account.
    1. Create a project on Google API & Services.
    2. Fill OAuth consent screen.
    3. Create Credentials.
  2. Make configurations in the Pega Platform application.
    1. Configure new SSO login from App Studio.
    2. Verify Authentication Service.


2 Create the project in Google API & Services

  1. Click the link to access the Google API Console.
  2. In the Credentials section, click Create to create the project as shown in the following image.
    Create Google API
  3. In the Project name field, enter PegaOpenIDConnectProject.
  4. Click Create to create the new project. 
    Create Google API
  5. Click Configure Consent Screen to fill in the details.
    Config Google API
  6. In the User Type section, select External, and then click Create.
    OAuth Consent screen
  7. Here we have to provide the Authorized Domain.  Generating a Client ID and Secret Key are mandatory:
    • Application Name: Enter a name to identify your configuration.
    • Support Email: Enter your Gmail address. This is displayed automatically.
    • Scope of Google API: Define the scope (for example, Email, Profile, OpenID).
    • Authentication Domain: Add your hostname where the Pega Platform application is running. If you are using the Pega Cloud, the domain name is easy to find and use. If you are using the Pega VM or Personal Edition, then a change is required in the Tomcat server.xml file to use some domain name for localhost. Instructions are provided at the end of these exercise instructions. For example, is the domain in the Tomcat server.xml file/
      Create Consent screen
  8. In the header, click Create Credentials > OAuth Client ID to configure the OAuth client ID.
    OAuth  Client ID
  9. In the Application type section, select Web application.

  10. In the Authorized redirect URIs field, enter a pathname. For example,

    Create OAuth Client ID
  11. Click Create to view the pop-up window with the Client ID and Client secret key. 

  12. the Client ID and Client secret key for use in configuring rules in the Pega Platform application.

    OAuth created
Note: The Client ID and Client secret key are also accessible on the Create Credentials page.
Create Credentials


3 Configure new Single sign-on (SSO) login in App Studio

Configure new SSO login from App Studio

  1. Log in into App Studio.
  2. In the navigation pane on the left, click Users.
  3. In the Users explorer, click Single sign-on (SSO).
  4. In the upper right, click New > Google.
  5. Create the new single sign-on login.
    1. Name: Enter a name for this configuration; this name is appended to the URL.
    2. Import metadata: Click to select URL and provide the URL (for example,
    3. Client ID and Client secret: Use the values from the Create Credentials page of Google API & Services.
    4. Map operator ID from claim: Enter your name.
    5. Create operators for new users: Select this check box and provide the access group.
    6. Configure your IDP: Copy this URL to paste into the Import metadata field.
    7. Click Submit.
OpenID content

The SSO with OpenID connect is created and can be opened in Dev Studio for further configuration or verification.

OpenID Dev studio
Tip: Open the Authentication Service rule in Dev Studio if any further configuration changes are required. You can map required properties on the Mapping tab.

Changes in the Server.xml file of Tomcat

If you are performing the challenge in a personal edition or in a VM machine, perform the following changes to the server.xml file.

  1. Pega Personal Edition (on Windows) will be installed in C:\PRPCPersonalEdition.
  2. Open server.xml file from C:\PRPCPersonalEdition\tomcat\conf.
  3. If using VM – Linux Lite, the server.xml file is located at /opt/tomcat/conf.
  4. Search for the connector port and set it 80, with the following changes:

    <Connector port="80" protocol="HTTP/1.1"           
      redirectPort="8443" />

  5. Search for the default host and enter an address with .com to act as your domain <Engine name="Catalina" defaultHost="">
  6. In the same server.xml file, search for host name and give the same name.

    <Host name="" 

  7. After making the changes, save the server.xml in Tomcat.
  8. In the hosts file, enter the following line:
  • If Windows: C:\Windows\System32\drivers\etc\hosts
  • If VM- Linux lite: /etc/hosts (name as given in the server.xml)

After making changes to the files, you can now access the personal edition with a domain name (no need for the port number).

  • http://localhost:8080/prweb -- earlier
  • -- after changes to server.xml and hosts file

4 Confirm your work

  1. Copy the Login URL from the Authentication Service.
  2. Open a different browser (if you are using Chrome, open Firefox).
  3. Paste the Login URL into the Web browser.
  4. In the Login with Gmail section, enter your Gmail credentials.

Available in the following mission:

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice