Authentication for Pega Robot Manager users
In Pega Platform™, authentication validates users through a password, token, or certificate before granting access to the appropriate set of applications. Pega Robot Manager uses these authentication mechanisms to validate client requests from Robot Studio and Pega Robot Runtime. Robot Manager supports basic authentication, single sign-on (SSO), and certificate-based authentication.
With basic authentication, Pega Platform acts as the identity provider (IdP). With SSO, an external IdP establishes the user session at authentication. Because SSO has multiple implementations, Robot Manager supports common SSO frameworks such as OAuth and Kerberos. OAuth-based authentication supports tokens, passwords, or certificates, providing flexibility to align with an organization's security requirements.
Configure authentication requirements before creating users to access Robot Manager. The default authentication method is determined by a user's Access Role and dynamic system settings. Use separate authentication settings for the RuntimeUser Access Group and for users with additional Access Roles in Robot Manager when selecting between basic authentication and SSO.
For more information about defining the authentication method, see Specifying the default authentication method for new Pega Robot Manager users.
Single sign-on
SSO allows users to securely authenticate to multiple applications (and websites) by logging in once with an IdP. You can access all your applications and switch between them seamlessly, without extra steps. With SSO, the system validates a token or certificate before verifying credentials against a user directory within the application server. SSO reduces errors associated with multiple login routines.
Enable SSO through OAuth 2.0 with SAML bearer, OAuth 2.0 with OpenID Connect (OIDC), or Kerberos to authenticate the domain user with Pega Robot Manager. For more information on the different SSO processes, see the following topics:
Basic authentication
Basic authentication validates usernames and passwords against operator records stored in the Pega database. The authentication process differs for attended and unattended robots.
The Case worker manually starts the Pega Robot Runtime and enters basic authentication credentials so the robot operator can download the automation package and begin work. When the password expires or changes, the Case worker updates the password in Pega Platform, as shown in the following figure:
To connect robot operators to Robot Manager securely and support operational flexibility, the Robotic Process Automation (RPA) service uses three operator types for each robot operator. These RPA service credentials must follow the application security policies. Update the credentials when they expire and change them when necessary.
For more information about the process of setting up basic authentication, see Authenticating Pega Robot Manager users through the basic method.
Certificate-based authentication
Signed tokens and certificate-based verification for operators strengthen RPA integration security. This approach removes the need for operators to store credentials on run-time machines, reduces the risk of unauthorized access to Robot Manager, and strengthens system integrity. Robot Manager offers certificate-based authentication for Unattended and Attended automations on Pega Cloud and client-managed deployments.
With certificate-based authentication enabled, the RPA service, Synchronization Engine Updater service, and Unattended run time can authenticate with Robot Manager. For more information, see the following topics:
- Understanding Certificate-based authentication
- Configuring Certificate-based authentication for Unattended automations
- Regenerating keypairs for Certificate-based authentication