Skip to main content
This content is now archived and is no longer updated. Progress is not calculated. Pega Cloud instances are disabled, and badges are no longer awarded. Click here to continue your progress in the latest version.

Pega Web Mashup authentication

Configuring Pega Web Mashup authentication

Pega Web Mashup enables you to embed a Pega application in another web application. The system must authenticate the user before displaying the application mashup on the external web page. Similar to an SSO configuration, a third-party authentication module manages the authentication of Pega Web Mashup users.

Pega provides a standard authentication service named Internet Application Composer (IAC) Authentication for Pega Web Mashup configurations. The standard web.xml contains a servlet named IAC that references this authentication service instance. The instance references standard IAC authentication activities by default. Unlike other custom authentication services, you do not need to create an IAC authentication service and add a reference to it in web.xml. The following image shows the servlet and authentication service.

IAC Servlet

The standard IAC authentication service is designed for quick Pega Web Mashup implementation in a design environment. However, update the authentication activities to ensure adequate security in a production environment.

The standard IACAuthentication activity extracts values from custom HTTP headers in the HTTP request to identify an authenticated operator. The activity uses the operator's identifier to verify that the user is in the system. The third-party authentication module typically provides this operator information. Step 4 of the activity is configured to have the IACAuthVerfication activity return the token to the authentication module and verify the module generated the token.

IAC Authentication Activity
Caution: Remove the IAC servlet from web.xml if you are not using Pega Mashup.

Authenticate users

When users log in to the mashup application, the IACAuthentication activity uses information in the HTTP request header to identify a corresponding Pega Platform™ operator ID record.

If an operator ID record for the user does not exist, the activity creates a record for the user. The activity customizes a template Operator ID or model operator using information in the HTTP request header to create an operator ID record for the user.

For example, consider a banking application with a Pega Web Mashup. The bank database includes login credentials for its customers, but the Pega application does not have login credentials for new application users. When a new user logs in, the system creates a guest ID, which is an operator ID based on a model user template containing relevant user attributes. This process enables new users to start working in their applications immediately. Users do not have to wait for their operator records to be manually created in Pega.

The IACAuthentication activity requires that the HTTP request provides the following information to create an Operator ID.

  • pyuseridentifier – Operator's identifier
  • pyusername – Operator's full name
  • pyorganization – Operator’s organization name
  • pyorgdivision – Operator’s division name
  • pyorgunit – Operator’s organization unit name

The organization, division, and org unit information in the header is used to identify the appropriate org unit record in Pega Platform. The model operator associated with that org unit is the template for creating an operator ID record for the new user. The identifier and full name are used to customize the operator ID for the user.

Caution: When generating operator ID records for web mashup users, set the IACAuthentication service to use externally stored credentials, rather than credentials stored in Pega Platform.

For more information, see the following Pega Community article:

Pega Web Mashup Data Security

This Topic is available in the following Module:

We'd prefer it if you saw us at our best.

Pega Academy has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice