Advanced authentication service
The Advanced Authentication Service (AAS) in Pega Platform™ provides a secure, flexible framework for authenticating users across enterprise applications. The service supports modern identity protocols, multi-factor authentication (MFA), and cloud-native integration patterns. This framework helps you maintain compliance and scale authentication across distributed environments.
AAS acts as an orchestration layer that coordinates authentication mechanisms, security protocols, and identity management features. This architecture gives system architects the flexibility to design robust, enterprise-grade authentication solutions that meet diverse security requirements and deliver a consistent user experience.
Architecture overview
The following diagram shows how authentication components interact in the AAS in Pega Platform:
Protocol support
AAS supports industry-standard protocols that integrate with external identity providers and enable secure Single Sign-On (SSO):
- OpenID Connect (OIDC): Validates JSON Web Tokens (JWT) from providers such as Google and Microsoft. Maps identities to Pega operator records to eliminate separate credentials and use identity attributes for authorization.
- SAML 2.0: Processes SAML assertions, validates signatures, and extracts user attributes for operator provisioning. Supports both SP-initiated and IdP-initiated flows.
The service abstracts protocol details to provide a consistent interface. You can switch or combine authentication methods without changing your application.
Identity federation and multi-factor authentication
To strengthen authentication and reduce security risks, AAS combines identity federation with MFA. These features work together to simplify credential management and add extra layers of protection for sensitive operations.
- Identity federation: Enables dynamic access to cloud credentials (AWS, Azure, GCP) without storing them in Pega Platform. This feature reduces credential sprawl and security risks.
- Multi-factor authentication: Adds a second verification method, such as one-time passcodes (OTP) sent by email or SMS. You can enforce MFA for high-risk operations or unfamiliar devices. Combining MFA with identity federation strengthens protection for sensitive data.
Transport Layer Security
All authentication communications use TLS 1.3 (preferred) or TLS 1.2. TLS 1.3 improves security and performance. TLS 1.2 ensures backward compatibility during the migration process. The service logs TLS versions to help you monitor adoption.
OpenID Connect
OIDC is an authentication protocol built on OAuth 2.0. It verifies user identity based on authentication performed by an authorization server and provides basic profile information about users.
OIDC is an open standard and decentralized authentication protocol that enables user authentication by certain cooperating sites (known as relying parties) using a third-party service (known as an OpenID provider). Users can log into multiple unrelated websites without creating separate user names and passwords for each one.
Pega Platform supports OIDC configuration. Providers such as Google, Microsoft, Facebook, and GitHub supply metadata files for setup. By configuring OIDC, you can allow users to log in with existing credentials from these providers.
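As an added example (not Pega's own code or API), the checks a relying party applies to an OIDC ID token before trusting its `sub` claim as the key for an operator record: pinned algorithm, signature, issuer, audience, expiry and nonce. The issuer URL, client identifier and shared secret are constructed values; the token is HS256-signed with the client secret so the example runs offline, whereas tokens from providers such as Google or Microsoft are RS256-signed and are verified against the provider's published JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (not real credentials or Pega settings): the relying
# party's client identifier, the issuer URL, and a shared secret used as HS256 key.
CLIENT_ID = "pega-rp-example"
ISSUER = "https://idp.example.com"
CLIENT_SECRET = b"constructed-shared-secret-not-for-production"

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_id_token(claims, alg="HS256", key=CLIENT_SECRET):
    # Test helper that mints a sample ID token; a real one comes from the provider.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_id_token(token, expected_nonce, now=None):
    """Return the claims of a valid ID token, or raise ValueError saying why it failed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the relying party, not the token, decides what is acceptable.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not include this relying party")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login request")
    return claims  # claims["sub"] is the stable identifier to map to an operator record
```

Only after every check passes should `sub` be looked up against operator records; a token that fails any one of them is rejected as a whole.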
The following diagram shows the OpenID grant flow in action:
SAML
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). SAML enables SSO so that users authenticate once and then access multiple systems without repeated logins.
SAML adoption is common in scenarios where secure, federated identity management is required, such as corporate intranets and cloud-based services. Pega Platform supports a SAML authentication service. The simplest solution is to register Pega Platform as an SP with any of the leading IdPs, such as Google Workspace, Microsoft Entra ID, and Okta.
The following diagram shows the interaction flow of SAML authentication:
Differences between OpenID and SAML
Both OIDC and SAML support web-based SSO, but they differ in purpose, technology, and use cases, as described in the following table:
| | OIDC | SAML |
|---|---|---|
| Purpose | User authentication and identity verification. | Authentication and authorization, often in enterprise environments for SSO. |
| Technology stack | Based on simpler technologies such as HTTP and JSON. | Based on more complex technologies such as XML and SOAP. |
| Authentication mechanism | OpenID provider and access to multiple services. | Identity provider and seamless access to multiple applications. |
| Security | Focuses on proving the identity of the user. | Provides both authentication and authorization, with a strong focus on secure enterprise environments. |
| Use case | Consumer-facing applications and websites. | Enterprise environments for SSO across multiple internal and external applications. |