
Configuring SAML authentication using App Studio

3 Tasks

1 hr

Pega Platform '24.2
Visible to: All users
Advanced
English

Scenario

MDC is considering using single sign-on (SSO) with SAML to authenticate operators. As a Lead System Architect, your task is to design and implement SAML authentication as a proof of concept.

Many identity providers (IdPs) are available on the market; some are free services, while others charge per user. Before MDC decides on an identity provider, they ask you to develop a proof of concept with Okta as the IdP. Okta is a leading IdP that offers secure and scalable identity management. Integrated with Pega Platform™ for business process management and customer engagement, Okta authenticates the user and Pega Platform maps the authenticated identity to an operator, providing SSO for Pega applications.

The following table provides the credentials you need to complete the challenge:

Role    User name               Password
Admin   admin@deliveryservice   rules

Before you begin:

  1. Go to the Okta developer site.
  2. On the Okta developer homepage, click Sign up, and then click Sign up free for Developer Edition.
    Note: The Developer Edition is free to use for testing, exploring, and managing integrations.
  3. Create an Okta Developer Edition service account.
  4. Complete the sign-up process.

You must initialize your own Pega instance to complete this challenge.

Initialization may take up to 5 minutes, so please be patient.

Detailed Tasks

1 Configure Okta as the identity provider

  1. Log in to the Okta Admin Console.
  2. In the navigation pane, click Applications > Applications, and then click Create App Integration.
Figure: Create new application in Okta.
  3. On the Create a new app integration page, in the Sign-in method section, select SAML 2.0.
Figure: SAML sign-in method.
  4. Click Next.
  5. Complete the General Settings section:
    1. In the App name field, enter Pega.
    2. Leave the App logo (optional) field empty.
    3. In the App visibility section, leave the Do not display application icon to users option clear.
Figure: New application configuration.
  6. Click Next.
  7. In the Assignments section, configure the access control options:
    1. In the Controlled access section, select Allow everyone in your organization to access.
    2. In the Enable immediate access (Recommended) section, clear the Enable immediate access with Federation Broker Mode checkbox.
    3. Click Save.
Figure: Assignments.
  8. Complete the Configure SAML settings section:
    1. In the Single sign-on URL field, enter https://<your-pega-server>/prweb/PRRestService/WebSSO/SAML/v2/AssertionConsumerService. Replace <your-pega-server> with the host name and port number of your Pega instance. This is the Assertion Consumer Service (ACS) URL to which Okta posts its SAML responses.
    2. In the Audience URI (SP Entity ID) field, enter RandomId.
    Note: RandomId is only a placeholder. In Task 3 you replace it with the Entity Identification value of the Pega authentication service. The IdP copies this value into the audience restriction of every assertion it issues, and a SAML service provider rejects assertions whose audience does not match its own entity ID, so SSO does not work until the two values are identical.
    3. Leave the Default RelayState field empty.
    4. In the Name ID format list, select Unspecified.
    5. In the Application username list, select Okta username.
    6. In the Update application username on list, select Create and update.
Figure: Configure SAML settings.
  9. Click Save.
  10. Complete the Attribute Statements (optional) section:
    1. Add an attribute named Name with the value user.firstName.
    2. Add an attribute named Email with the value user.email.
Figure: Attribute Statements (optional).
  11. Complete the Feedback section:
    1. In the App type section, select the This is an internal app that we have created checkbox.
Figure: Feedback configuration.
  12. Click Finish.
  13. Review the SAML setup configuration, and then make a note of the Metadata URL.
Figure: Metadata URL.
  14. In the navigation pane, click Directory > People, and then click Add person.
Figure: Add person.
  15. In the Add person dialog box, configure the user details:
    1. In the User type list, select User.
    2. In the First name field, enter CLSA.
    3. In the Last name field, enter POC.
    4. In the Username field, enter [email protected].
    5. In the Primary email field, enter [email protected].
    6. Leave the Groups (optional) field empty.
    7. In the Activation list, select Activate now.
Figure: Add person dialog box.
Note: You can either set a password for the user or let Okta generate a temporary password. If you set your own password, enter it in the provided fields.
  16. In the navigation pane, click Applications > Applications, and then open the Pega application that you created.
  17. On the Assignments tab, click Assign to select the users or groups who should have access to the application.
Figure: Assign Pega to people.

2 Create the new SSO in App Studio

  1. Log in to the Pega Platform instance for the challenge with the following credentials:
    1. In the User name field, enter admin@deliveryservice.
    2. In the Password field, enter rules.
  2. In the header of Dev Studio, click Dev Studio > App Studio.
  3. In the navigation pane of App Studio, click Users.
  4. Click Authentication.
  5. Click Add authentication service, and then, in the list, select Create new > SAML2.
  6. In the Name field, enter SAMLPoc.
  7. In the Create new single sign-on (SAML 2.0) window, click Import metadata, and then enter the Metadata URL that you noted in Task 1 (for example, https://dev-33414028-admin.okta.com/app/exkjemeaj8Rdaau3q5d7/sso/saml/metadata). Pega reads the IdP entity ID, the single sign-on URL, and the signing certificate from this metadata.
Note: Replace the host name and application ID in the example with the values from your own Okta organization.
  8. Click Submit.
Figure: Create new single sign-on.
  9. In the Map operator ID from claim section, select NameID.
  10. Select the Create operators for new users checkbox.
  11. In the Access role list, select DeliveryService:Authors.
Note: With this combination, every Okta user who is assigned the application and signs in gets a Pega operator with the DeliveryService:Authors access role. That is acceptable for a proof of concept with a single test user; in production, assign the Okta application to a specific group rather than to everyone in the organization, and choose the least-privileged access role that the operators need.
  12. Click Submit.
Figure: Complete SAML2 authentication service operator mapping.
  13. Confirm that the new SAMLPoc authentication service rule is displayed with an Enabled status.
Figure: SAML authentication service rule.

3 Set Pega as the service provider

  1. In the header of App Studio, click App Studio > Dev Studio.
  2. Search for and open the SAMLPoc authentication service rule.
  3. In the Entity Identification section, copy the value for the SAML authentication service.
Figure: Entity Identification in SAML authentication service.
  4. Return to the Okta Admin Console, click Applications > Applications, and then open the Pega application.
  5. In the General Settings section, click Edit.
Figure: Okta general configuration settings.
  6. Update the Audience URI (SP Entity ID) with the Pega Platform Entity Identification value that you copied in step 3. The value must match exactly, because Okta places it in the audience restriction of the assertion and Pega compares it with its own entity ID.
Figure: Audience URI.
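The following script is an added example, not code from Pega or Okta, that makes the service-provider checks behind Tasks 1 through 3 concrete. It parses a constructed copy of the IdP metadata that the Import metadata step consumes, then validates a constructed SAML Response against the ACS URL and SP entity ID, and shows that an assertion issued while the Audience URI is still the RandomId placeholder fails, while one issued after the Audience URI is set to the Pega Entity Identification passes. The entity IDs, host names, certificate value, and user address are assumptions, and XML signature verification (which Pega performs with the certificate from the imported metadata) is deliberately left out.

```python
"""Check a SAML 2.0 Response against the SP settings configured in Tasks 1 and 3.

Added example, not Pega or Okta code; standard library only. The IdP metadata,
SP settings and SAML Response are constructed samples with hypothetical values.
Signature verification is out of scope; only the configured fields are checked.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of the metadata Okta publishes at the app's Metadata URL.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...EXAMPLE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://dev-example.okta.com/app/pega/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Hypothetical SP settings: the ACS URL entered in Task 1 and the Entity
# Identification value copied from the Pega authentication service in Task 3.
ACS_URL = "https://pega.example.com/prweb/PRRestService/WebSSO/SAML/v2/AssertionConsumerService"
SP_ENTITY_ID = "https://pega.example.com/SAMLPoc"
PLACEHOLDER_AUDIENCE = "RandomId"  # the placeholder Audience URI from Task 1
NOW = datetime(2024, 6, 1, 12, 2, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_idp_metadata(xml_text):
    """Return the values the Import metadata step takes from the IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "signing_cert": cert.text.strip()}


def make_response(audience, name_id="clsa.poc@example.com"):
    """Build a constructed, unsigned SAML Response like the one Okta POSTs to the ACS."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-06-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T12:00:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name"><saml:AttributeValue>CLSA</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>{name_id}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(response_xml, sp_entity_id, acs_url, idp, now):
    """Validate the fields fixed by the SP configuration; return the operator mapping and problems."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer!r} is not the imported IdP entityID")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # this is what the RandomId placeholder breaks
        problems.append(f"Audience {audiences} does not contain the SP entity ID {sp_entity_id!r}")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    # Map operator ID from claim = NameID, and keep the Name/Email attribute statements.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not problems, "problems": problems, "operator_id": name_id.text, "attributes": attrs}


def demo():
    """Before and after Task 3: the placeholder audience fails, the real entity ID passes."""
    idp = parse_idp_metadata(IDP_METADATA)
    before = check_response(make_response(PLACEHOLDER_AUDIENCE), SP_ENTITY_ID, ACS_URL, idp, NOW)
    after = check_response(make_response(SP_ENTITY_ID), SP_ENTITY_ID, ACS_URL, idp, NOW)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before Task 3", "after Task 3"), demo()):
        print(label, "OK" if result["ok"] else result["problems"], result["operator_id"])
```

Running the script prints one failing check for the RandomId placeholder and a clean result, with the NameID that becomes the operator ID, once the audience equals the SP entity ID. The Destination and validity-window checks are included because a real ACS must enforce them as well; they are what stops an assertion minted for a different service provider, or replayed later, from being accepted.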

Confirm your work

  1. Return to Dev Studio, and then, in the SAMLPoc authentication service rule, copy the Login URL.
Figure: SAMLPoc authentication service rule Login URL.
  2. Open a different web browser.
    For example, if you are using Chrome, open Firefox.
  3. Paste the Login URL into the new web browser, wait for it to redirect to Okta, and then enter your Okta user credentials.
Figure: Okta login screen.

After you sign in, the system automatically creates the Operator ID instance for [email protected] and assigns it the selected access role, as shown in the following figure:

Figure: Edit Operator ID.

