Skip to main content

Authentication options

Authentication options

Authentication is a process of granting users access to system objects based on user identity. Authentication in Pega Platform™ ensures that users and systems are verified to access applications.

Before creating users to access Pega Robot Manager™, it is a best practice to configure authentication requirements. The default role RuntimeUser does not have direct access to the Pega Robot Manager portal. The RuntimeUser role has access only to receive package assignments, updates, and configuration file updates from Pega Robot Manager. To grant run-time users access, Pega Robot Manager allows for varying authentications and configurations. Pega Robot Manager supports basic authentication and single sign-on (SSO) to authenticate client requests from Pega Robot Studio and Pega Robot Runtime.

By default, authentication of users in Pega Robot Manager is performed by using the methods in the following table:

Authentication type Users
Single sign-on Robot Runtime users for attended robotic process automation (RPA)
Basic authentication All other users for access to Pega Robot Manager portal

Single sign-on (SSO) allows you to securely authenticate with multiple applications (and websites) by logging in once or with just one set of credentials. You can enable single sign-on through OAuth SAML 2.0 and OAuth with Kerberos to securely authenticate the domain user with Pega Robot Manager.

Basic authentication is a simple authentication scheme that validates usernames and passwords against operator records stored in the Pega database.

When you create a user in Pega Robot Manager, the authentication method for the user is determined by the role of the user and dynamic system setting associated with the role. The Dynamic System Setting (DSS) value DefaultAuthenticationTypeForRuntimeOnlyUser determines the authentication method.


Depending on the DSS setting value of the run-time user and the implementation type, such as attended or unattended RPA, you must update other configuration files as required. For more information about specific configuration processes, see the Pega Community article Pega Robot Manager authentication mechanisms.

When adding a new run-time user in Pega Robot Manager by using SSO user authentication, use the UPN field that associates the user network ID found in the active directory for both OAuth SAML 2.0 and KerberosWhen using Secure Token Service, you can authenticate using either the user name or username@domain. Both are sent across in the token header as parameters, where username@domain is the UPN parameter and username is the UserName parameter. The organization decides which parameter to use to map identity to operator ID.

If your organization uses OAuth SAML 2.0 authentication, you must configure the Secure Token Service along with other configurations according to the implementation type. The Secure Token Service (STS) in Pega Robotic Automation is an Internet Information Services (IIS) web service that serves as a minimal version of Active Directory Federation Services (ADFS). The Secure Token Service authenticates Pega Robot Runtime and Pega Robot Studio products with Pega Robot Manager by using the domain user credentials of the user’s Windows session.


This Topic is available in the following Module:

If you are having problems with your training, please review the Pega Academy Support FAQs.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice