
Advanced authentication services
Single sign-on (SSO) enables you to access multiple applications or services with a single set of login credentials. After you log in to one platform, you can access the other connected systems without re-entering your username and password. Because web applications increasingly need to interoperate, web-based SSO is essential.
Web SSO centralizes authentication so that one login grants access to multiple web applications. When you log in to one web application, web SSO uses a signed token or a session cookie to authenticate you to the other connected services without additional logins. The process involves an identity provider (IdP), which manages credentials and authenticates users, and service providers (SPs), which rely on the IdP for authentication. Web SSO improves the user experience by reducing the number of logins, and it improves security by centralizing authentication, credential policy, and logging at the IdP. Common protocols include SAML, OAuth 2.0, and OpenID Connect (OIDC).
OpenID Connect
OIDC is an authentication layer built on top of the OAuth 2.0 framework. It lets a client application (the relying party) verify a user's identity based on authentication performed by an authorization server (the OpenID provider) and obtain basic profile information about the user in an interoperable way.
OIDC is an open standard. Because the relying party trusts the OpenID provider, you can log in to multiple unrelated websites without creating separate usernames and passwords for each one.
Pega Platform™ supports configuration of OIDC authentication services. You can obtain the details required for configuration from the provider as a metadata file or from its published OIDC discovery document; providers include, for example, Google, Microsoft, Facebook, and GitHub. The OpenID provider authenticates the user and issues the ID token and the access token. By configuring OIDC authentication, you can log in to the Pega application with your Google, Facebook, or other provider credentials.
OIDC uses the following workflow:
- You initiate a login request to the application, which acts as the relying party (RP).
- The RP redirects your browser to the OpenID provider (OP) for authentication. The request carries a state value that ties the response to your browser session and a nonce that ties the resulting ID token to this login attempt.
- The OP authenticates you and obtains your consent.
- The OP redirects you back to the RP with an authorization code.
- The RP checks that the returned state matches the one it issued, then exchanges the authorization code for an ID token and an access token at the OP's token endpoint, authenticating itself with its client credentials.
- The RP validates the ID token (signature, issuer, audience, expiry, and nonce) and, where it needs more claims, uses the access token to retrieve user information from the OP's UserInfo endpoint.
The following diagram shows the OIDC authorization code flow in action:
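The flow above, worked through as an added example that is not Pega code or part of the original page. It runs both sides of the exchange in one process with only the Python standard library: the relying party builds the authorization request, a stand-in OpenID provider issues a one-time code and then an ID token, and the relying party performs the validation steps that the list describes. The issuer, client_id, client secret, and redirect URI are placeholders. The stand-in OP signs the ID token with HS256 using the client secret, which OIDC Core permits; real providers usually sign with RS256 and the RP verifies against the keys published at the OP's JWKS endpoint.

```python
# Added example (not Pega code): OIDC authorization code flow from the relying
# party's point of view, standard library only. Issuer, client_id, client secret
# and redirect URI are placeholders; the OP below is a stand-in, not a real server.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

ISSUER = "https://op.example.com"                 # assumed OpenID provider
AUTH_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "example-rp"                          # assumed client registration
CLIENT_SECRET = b"example-client-secret-not-for-production"
REDIRECT_URI = "https://rp.example.com/callback"  # assumed RP redirect_uri

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_request():
    """Steps 1-2: the RP sends the browser to the OP. 'state' ties the response to
    this browser session (anti-CSRF); 'nonce' ties the ID token to this login."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "scope": "openid profile email",
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": state, "nonce": nonce}
    return AUTH_ENDPOINT + "?" + urlencode(params), {"state": state, "nonce": nonce}

# --- stand-in OpenID provider (OP) -------------------------------------------
_OP_CODES = {}  # one-time authorization codes: code -> (subject, nonce)

def op_authenticate_and_redirect(subject, nonce):
    """Steps 3-4: the OP authenticates the user and redirects back with a code.
    A real OP reads the nonce from the authorization request URL."""
    code = secrets.token_urlsafe(16)
    _OP_CODES[code] = (subject, nonce)
    return code

def mint_id_token(subject, nonce, now=None):
    """HS256-signed ID token carrying the claims the RP must check."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                                "iat": now, "exp": now + 300, "nonce": nonce}).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def op_token_endpoint(code, client_id, client_secret, now=None):
    """Step 5 (OP side): back-channel code exchange. The client must authenticate
    and the code is single use, so a leaked or replayed code is refused."""
    if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
        raise PermissionError("invalid_client")
    if code not in _OP_CODES:
        raise PermissionError("invalid_grant")
    subject, nonce = _OP_CODES.pop(code)
    return {"id_token": mint_id_token(subject, nonce, now),
            "access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

# --- relying party (RP) checks ------------------------------------------------
def validate_id_token(token, expected_nonce, now=None):
    """ID token validation (OIDC Core 3.1.3.7): pinned alg, signature, iss, aud,
    exp and nonce. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def rp_handle_callback(code, returned_state, session, now=None):
    """Steps 4-5 (RP side): check state, exchange the code, validate the ID token."""
    if not hmac.compare_digest(returned_state, session["state"]):
        raise ValueError("state mismatch (possible CSRF)")
    tokens = op_token_endpoint(code, CLIENT_ID, CLIENT_SECRET, now)
    return validate_id_token(tokens["id_token"], session["nonce"], now)

def login(subject):
    """The whole flow end to end; returns the validated ID token claims."""
    _url, session = build_authorization_request()
    code = op_authenticate_and_redirect(subject, session["nonce"])  # browser round trip
    return rp_handle_callback(code, session["state"], session)
```

The order of checks in `validate_id_token` is deliberate: the algorithm is pinned before the signature is checked, so a token that rewrites its header to `alg: none` or to another algorithm is refused without ever reaching the claims, and the nonce comparison is what stops a captured ID token from being replayed into a different login.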
SAML
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). SAML enables SSO so that users authenticate once at the IdP and then gain access to multiple systems without logging in repeatedly.
SAML is commonly adopted where secure, federated identity management is required, such as corporate intranets and cloud-based services. Pega Platform supports SAML authentication services. The simplest solution is to register Pega as an SP with one of the leading IdPs, such as Google Workspace, Microsoft Entra ID, or Okta.
The following diagram shows the interaction flow diagram of SAML authentication:
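The SP side of the interaction above, as an added example that is not Pega code or part of the original page. After the IdP posts a SAML Response to the SP's Assertion Consumer Service (ACS), the SP must not trust the assertion until it has checked it; this code enforces the conditions a practitioner looks for: Destination and InResponseTo bind the response to our ACS and to an AuthnRequest we actually sent, the status must be Success, exactly one assertion from the trusted IdP is accepted, the NotBefore/NotOnOrAfter window and the AudienceRestriction are enforced with a small clock-skew allowance, and the SubjectConfirmationData is bound to the same request. The entity IDs, URLs, and the sample response are constructed for this example. Cryptographic verification of the ds:Signature belongs to an XML-DSig library (for example xmlsec or python3-saml) and is deliberately not reimplemented here; this code only refuses assertions that carry no signature element at all.

```python
# Added example (not Pega code): condition checks an SP applies to a SAML 2.0
# Response at its ACS. Entity IDs, URLs and the sample response are constructed.
# Signature verification is NOT done here; use an XML-DSig library for that.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # assumed: our SP entityID
ACS_URL = "https://sp.example.com/saml/acs"             # assumed: our ACS endpoint
IDP_ENTITY_ID = "https://idp.example.com/metadata"      # assumed: trusted IdP entityID
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response; the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://sp.example.com/saml/acs" InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder-signature-value</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(text):
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally fractional."""
    text = text.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def validate_saml_response(xml_text, expected_request_id, now, skew=timedelta(seconds=60)):
    """Return the subject and session index of an acceptable assertion, else raise."""
    root = ET.fromstring(xml_text)  # production: parse with defusedxml against entity attacks
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # extra assertions are a classic wrapping vector
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        raise ValueError("assertion issuer is not the trusted IdP")
    if a.find("ds:Signature", NS) is None:
        raise ValueError("assertion is unsigned; signature must be verified before trusting it")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("our entityID is not in the AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, ACS_URL):
            raise ValueError("Recipient is not our ACS")
        if scd.get("InResponseTo") not in (None, expected_request_id):
            raise ValueError("subject confirmation is bound to another request")
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")) + skew:
            raise ValueError("subject confirmation expired")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion has no NameID")
    authn = a.find("saml:AuthnStatement", NS)
    return {"name_id": name_id, "session_index": authn.get("SessionIndex") if authn is not None else None}
```

Call `validate_saml_response(SAMPLE_RESPONSE, "_req42", now)` with the request ID the SP stored when it issued the AuthnRequest; with the sample data and a `now` inside the validity window it returns the NameID `alice@example.com` and the session index `_s1`. Changing the InResponseTo, the Audience, or the time, or adding a second Assertion element, makes it raise. In a real deployment the signature check runs before any of these checks and the expected request ID is looked up per browser session.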
Differences between OIDC and SAML
OIDC and SAML can both be used for web-based SSO authentication. However, they differ in how they operate and in the authentication services they provide, as described in the following table:

| | OIDC | SAML |
|---|---|---|
| Purpose | User authentication and identity verification, layered on OAuth 2.0 authorization. | Exchange of authentication and authorization data, typically for SSO in enterprise environments. |
| Technology stack | HTTP redirects, JSON, and JSON Web Tokens (JWT) exchanged with REST-style endpoints. | XML assertions protected with XML Signature and XML Encryption, carried over HTTP Redirect and POST bindings; SOAP for some profiles, such as artifact resolution. |
| Authentication mechanism | The OpenID provider issues a signed ID token that the relying party validates; one login gives access to multiple services. | The identity provider issues a signed XML assertion that the service provider validates; one login gives seamless access to multiple applications. |
| Security | Focuses on proving the identity of the user. The relying party must verify the ID token's signature, issuer, audience, expiry, and nonce. | Provides both authentication and authorization attributes, with a strong focus on secure enterprise environments. The service provider must verify the assertion's signature, audience, validity window, and InResponseTo. |
| Use case | Consumer-facing applications, mobile apps, and websites. | Enterprise SSO across multiple internal and external applications. |