


Authentication in Pega Platform™ ensures that only users and systems whose identity has been verified can access your applications. 

Authentication consists of two steps: identification (ID) and verification (V). 

  • Identification means to tell a system who you are, typically by entering a user name.
  • Verification means to provide proof that you are who you say you are, typically through some secret passphrase that is shared between you and the system that you want to access.

Authentication in Pega Platform includes:

  • User logins
  • Platform requests to external services
  • External service requests to the platform

All authentication services use the PRAuth servlet.

However, for backward compatibility with earlier versions of Pega Platform, it is possible to authenticate by using PRServlet instead of PRAuth (in other words, the login URL includes /prweb/PRServlet). For more information about authentication types, see Application URL patterns for various authentication service types.

User logins

Authentication services verify the user credentials.
The following table lists the protocols for user logins that Pega Platform supports.

| Authentication type | Protocol |
| --- | --- |
| SAML 2.0 | An external identity provider that supports the SAML 2.0 protocol, such as Microsoft Active Directory |
| OpenID Connect | An external identity provider that supports the OpenID Connect (OIDC) protocol |
| Basic credentials | A user ID and password that are stored in the Pega Platform database or another internal or external data source. Note: The Basic credentials authentication type is not recommended for a production environment. |
| Token credentials | A token that is validated by an external identity provider or by the OAuth 2.0 authorization layer in Pega Platform (often used in offline mobile applications) |
| Anonymous | No verification until partway through a session. For example, an unauthenticated user can add items to a shopping cart and enter credentials when they check out. |
| Custom | You can configure a custom authentication service to use information that is stored within the identity provider to determine the user roles and privileges in Pega Platform. You can use authentication services (including SAML 2.0, OpenID Connect, or token credentials) to implement single sign-on (SSO) solutions. Make your applications more secure by using simple selections in the authentication service rule form to implement policies such as multi-factor authentication. |
| Kerberos | Kerberos is a network authentication protocol that secures client-server node communication by using secret-key cryptography. You can use a user's Kerberos credentials to connect to external systems and authenticate with them. |

Pega Platform requests to external services through Connector rules

A Pega Platform application must authenticate to an external system or application when it invokes an external REST service to get information. This type of authentication uses an authentication profile and OAuth provider data instances. The supported forms of authentication include:

  • Basic credentials
  • NT LAN Manager credentials (NTLM) 
  • OAuth 1.0 and OAuth 2.0

External service requests to Pega Platform through Service rules

An external system or application can invoke a REST service that is defined in Pega Platform or within a Pega Platform application to get case information. This type of authentication uses a service type and service package instances. Supported forms of authentication include:

  • Basic credentials
  • OAuth 2.0
  • Custom authentication

Authentication profile

When Pega communicates with other applications, data and messages must move securely. Authentication profiles are used to manage the security of communication with other applications.

Connector and service rules reference authentication profiles to secure the communication. However, a few authentication profiles are created for a specific purpose (for example, a Microsoft Azure authentication profile).

You can specify authentication profile data instances on the Service tab of Connect CMIS, Connect dotNet, Connect HTTP, Connect JMS, Connect REST, Connect SAP, and Connect SOAP rules and on the Environment tab of FTP Server rules.

Types of authentication profile:

  • To pass basic HTTP authentication credentials, select Basic.
  • To pass NT LAN Manager credentials, select NTLM.
  • To use OAuth 1.0 authentication, select OAuth 1.0a.
  • To use OAuth 2.0 authentication, including support for the on-behalf-of (OBO) flow and JWT bearer grant type for Microsoft Azure and other providers, select OAuth 2.0.
  • To use Amazon Web Services (AWS) security credentials, for example for S3 repository storage, select Amazon Web Services (AWS).
  • To use Microsoft Azure storage account access, select Microsoft Azure.
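
The following added example (not Pega code and not part of the original page) shows what the first four profile types look like on the wire and why Basic credentials deserve scrutiny: it classifies an outbound `Authorization` header value and reports review findings. The scheme-to-profile mapping, the `audit_authorization` function name, and the sample headers are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import time

# Wire scheme -> profile type (this mapping is an assumption of the example).
SCHEME_TO_PROFILE = {"basic": "Basic", "ntlm": "NTLM",
                     "oauth": "OAuth 1.0a", "bearer": "OAuth 2.0"}

def _seg(obj):  # dict -> one unpadded base64url JWT segment
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample headers; the account, password and token are made up.
SAMPLES = [
    "Basic " + base64.b64encode(b"svc-connector:example-password").decode(),
    "Bearer " + ".".join([_seg({"alg": "RS256"}), _seg({"exp": 1700000000}), "c2ln"]),
    "NTLM TlRMTVNTUAAB",
]

def audit_authorization(header_value, now=None):
    """Return (profile type, findings) for one Authorization header value."""
    now = time.time() if now is None else now
    scheme, _, param = header_value.strip().partition(" ")
    profile = SCHEME_TO_PROFILE.get(scheme.lower(), "unknown")
    findings = []
    if profile == "Basic":
        try:  # RFC 7617: base64(user-id ":" password), reversible by any observer
            user = base64.b64decode(param, validate=True).decode("utf-8").partition(":")[0]
            findings.append(f"reusable password for '{user}' is only base64-encoded")
        except (binascii.Error, UnicodeDecodeError):
            findings.append("malformed Basic credentials")
    elif profile == "OAuth 2.0" and param.count(".") == 2:
        try:  # read JWT claims without verifying the signature (inspection only)
            payload = param.split(".")[1]
            claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
            exp = claims.get("exp") if isinstance(claims, dict) else None
            if not isinstance(exp, (int, float)):
                findings.append("JWT carries no usable exp claim")
            elif exp <= now:
                findings.append("JWT is expired")
        except (binascii.Error, ValueError):
            findings.append("bearer token is not a decodable JWT")
    elif profile == "unknown":
        findings.append(f"unrecognised scheme '{scheme}'")
    return profile, findings

if __name__ == "__main__":
    for header in SAMPLES:
        print(audit_authorization(header, now=1600000000))
```

A Basic header carries the same long-lived secret on every request, while a bearer token can be scoped and time-limited; the findings make that difference visible when reviewing connector traffic.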
