Configuring OpenID Connect Authentication

This document provides instructions for configuring OpenID Connect authentication in Pega Platform using Google credentials. It describes the configuration in the Google API console that generates a client ID and client secret, then the configuration of a new single sign-on login in Pega Platform App Studio using that client ID, client secret and the Pega redirect URI. Changes to the Tomcat server.xml file and the hosts file are also described for Personal Edition and VM installations.

Configuring OpenID Connect authentication

4 Tasks, 45 mins, Release 1
Pega Platform 8.3.1, 8.5
English
Scenario
Front Stage is considering using OpenID Connect to authenticate operators.

Design and implement OpenID Connect authentication as a proof of concept.

Pega Platform supports SSO login with OpenID Connect. You can use Google, Facebook, or any other OpenID Connect identity
provider to log in to the Pega Platform™ application.

To use Google (Gmail) credentials to log in to the Pega Platform application, you make configurations in the Google API
console and in the Pega Platform application.

The following table provides the credentials you need to complete the challenge.

Role            User name       Password
Administrator   Admin@Booking   rules

Detailed Tasks

Review the solution detail

1. Make configurations in the Google account.
   a. Create a project in Google API & Services.
   b. Fill in the OAuth consent screen.
   c. Create credentials (OAuth client ID and client secret).
2. Make configurations in the Pega Platform application.
   a. Configure a new SSO login from App Studio.
   b. Verify the Authentication Service.

Create the project in Google API & Services

1. Open the Google API Console.


2. In the Credentials section, click Create to create the project as shown in the following image.
3. In the Project name field, enter PegaOpenIDConnectProject.
4. Click Create to create the new project.

5. Click Configure Consent Screen to fill in the details.


6. In the User Type section, select External, and then click Create.

7. Fill in the consent screen. The authorized domain must be provided before a client ID and client secret can be generated:
   Application name: Enter a name to identify your configuration.
   Support email: Enter your Gmail address; it is populated automatically.
   Scopes: Add the scopes the application will request (for example, email, profile, openid).
   Authorized domain: Add the hostname on which the Pega Platform application is running. On Pega Cloud the domain name is
   easy to find and use. On the Pega VM or Personal Edition, a change to the Tomcat server.xml file is required to give
   localhost a domain name; instructions are provided at the end of these exercise instructions. For example,
   www.pegaopenid.com is the domain set in the Tomcat server.xml file. The redirect back from Google is a browser-side
   redirect, and the browser resolves www.pegaopenid.com through the local hosts file, so the name does not need public DNS
   for this proof of concept.
8. In the header, click Create Credentials > OAuth client ID to configure the OAuth client ID.

9. In the Application type section, select Web application.


10. In the Authorized redirect URIs field, enter the Pega callback URL, for example https://www.pegaopenid.com/prweb/PRAuth.
    Google compares this value with the redirect_uri Pega sends on every login and rejects anything that does not match
    exactly (scheme, host, port and path), so register the URL as users will actually reach Pega.
11. Click Create. A pop-up window shows the Client ID and Client secret.
12. Copy the Client ID and Client secret for use in configuring rules in the Pega Platform application. Treat the client
    secret like a password: it is what proves to Google that a token request comes from your Pega deployment.

Note: The Client ID and Client secret are also accessible later on the Credentials page.

Configure new single sign-on (SSO) login in App Studio

1. Log in to App Studio.


2. In the navigation pane on the left, click Users.
3. In the Users explorer, click Single sign-on (SSO).
4. In the upper right, click New > Google.
5. Create the new single sign-on login:
   a. Name: Enter a name for this configuration; the name is appended to the login URL.
   b. Import metadata: Select URL and provide the provider's discovery URL (for example,
      https://accounts.google.com/.well-known/openid-configuration). Pega reads the issuer, the authorization and token
      endpoints and the JWKS URI used to verify ID tokens from this document.
   c. Client ID and Client secret: Use the values from the Credentials page of Google API & Services.
   d. Map operator ID from claim: Enter the name of the ID-token claim whose value becomes the operator ID (for example,
      email). Google's sub claim is the stable account identifier and is the safer choice; an email address can change
      or be reassigned, so if you map from email, only trust it when the token's email_verified claim is true.
   e. Create operators for new users: Select this check box and provide the access group. Every Google account that
      completes login then gets an operator in this access group, so pick a least-privilege group for the proof of concept.
   f. Configure your IDP: Copy the redirect URL shown here and register it as an authorized redirect URI in the Google
      client (step 10 of the previous section).
   g. Click Submit.
The SSO login with OpenID Connect is created and can be opened in Dev Studio for further configuration or verification.

Tip: Open the Authentication Service rule in Dev Studio if further configuration changes are required. You can map
additional ID-token claims to operator properties on the Mapping tab.
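The steps in the Google console and in App Studio only make sense together with the flow that the Pega Authentication Service then runs: it sends the browser to Google's authorization endpoint, receives the authorization code on the registered redirect URI, exchanges it for an ID token using the client secret, validates the token and maps one claim to an operator ID. The following is an added example modelling that exchange, written for this page and not code from Pega or Google. The discovery document excerpt, client ID, redirect URI and ID-token payload are constructed, and signature verification against jwks_uri is assumed to have already happened (Pega does it with the metadata imported in step 5b).

```python
"""Model of the Authorization Code flow that the Pega Authentication Service
runs against Google once the SSO login is configured (added example, not Pega
or Google code). The discovery document, client ID, redirect URI and ID-token
payload are constructed; verifying the token signature against jwks_uri is
assumed to have happened before validate_id_token() is called."""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed subset of https://accounts.google.com/.well-known/openid-configuration
DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}
CLIENT_ID = "123456789-example.apps.googleusercontent.com"   # assumed value
REDIRECT_URI = "https://www.pegaopenid.com/prweb/PRAuth"      # as registered in Google


def build_auth_request(discovery, client_id, redirect_uri):
    """Return (url, state, nonce): state ties the callback to this browser
    session, nonce ties the ID token to this request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid email profile",
              "state": state, "nonce": nonce}
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def parse_callback(callback_url, expected_redirect_uri, expected_state):
    """Google sends the browser to redirect_uri?code=...&state=... ; the URI
    must equal the registered one exactly (scheme, host, port, path)."""
    parts = urlsplit(callback_url)
    if parts._replace(query="", fragment="").geturl() != expected_redirect_uri:
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged login response")
    if "error" in query:
        raise ValueError("provider error: " + query["error"][0])
    return query["code"][0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token(id_token, discovery, client_id, nonce, now=None):
    """Claim checks Pega must make before trusting the token (signature
    already verified against jwks_uri, see module docstring)."""
    now = time.time() if now is None else now
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token was issued for a different client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed token")
    return claims


def operator_id_from_claims(claims, claim="sub"):
    """The 'Map operator ID from claim' setting. sub is Google's stable account
    id; an email is only safe to map when Google marks it verified."""
    if claim == "email" and not claims.get("email_verified", False):
        raise ValueError("email claim not verified; refusing to map it")
    value = claims.get(claim)
    if not value:
        raise ValueError(f"claim {claim!r} missing from ID token")
    return value


def make_unsigned_id_token(claims):
    """Constructed token for the demo: header.payload. with an empty signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."


def demo():
    """Walk one login end to end and return the resulting operator ID."""
    _url, state, nonce = build_auth_request(DISCOVERY, CLIENT_ID, REDIRECT_URI)
    code = parse_callback(f"{REDIRECT_URI}?code=4%2Fabc&state={state}", REDIRECT_URI, state)
    assert code == "4/abc"   # Pega now posts this code plus the client secret to token_endpoint
    id_token = make_unsigned_id_token({          # constructed token_endpoint response
        "iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": "109876543210",
        "email": "user@example.com", "email_verified": True,
        "nonce": nonce, "exp": int(time.time()) + 300})
    claims = validate_id_token(id_token, DISCOVERY, CLIENT_ID, nonce)
    return operator_id_from_claims(claims, "email")
```

Running demo() returns the operator ID that the "Map operator ID from claim" setting would produce for this constructed login. The checks in parse_callback and validate_id_token are the ones that make the redirect URI and client ID from the Google console security-relevant: a callback on an unregistered URI, a stale state, a token for another client or a reused nonce are all rejected before any operator is created.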

Changes in the server.xml file of Tomcat


If you are performing the challenge in Personal Edition or in a VM, make the following changes to the server.xml file.

1. Pega Personal Edition (on Windows) is installed in C:\PRPCPersonalEdition.
2. Open the server.xml file from C:\PRPCPersonalEdition\tomcat\conf.
3. If using the VM (Linux Lite), the server.xml file is located at /opt/tomcat/conf.
4. Search for the HTTP connector and set its port to 80, with the following changes (on Linux, port 80 is privileged:
   grant the Java binary cap_net_bind_service, or put a reverse proxy in front, rather than running Tomcat as root):
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />

5. Search for the default host and enter a name ending in .com to act as your domain:
<Engine name="Catalina"
defaultHost="www.pegaopenid.com">

6. In the same server.xml file, search for the Host element and give it the same name.
<Host name="www.pegaopenid.com"
appBase="webapps"
unpackWARs="true"
autoDeploy="true">

7. After making the changes, save server.xml and restart Tomcat so the new connector and host take effect.


8. In the hosts file (Windows: C:\Windows\System32\drivers\etc\hosts; VM Linux Lite: /etc/hosts), add the following line,
   using the name given in server.xml:
127.0.0.1 www.pegaopenid.com

After making changes to the files, you can access Personal Edition with the domain name (no port number needed).

http://localhost:8080/prweb -- earlier
http://www.pegaopenid.com/prweb -- after changes to server.xml and hosts file

The redirect URI registered in the Google client must use the scheme and port you actually serve Pega on. With this
HTTP connector on port 80, register http://www.pegaopenid.com/prweb/PRAuth; keep the https example from the Google
section only if you configure the connector for TLS on port 443.
Confirm your work

1. Copy the Login URL from the Authentication Service.
2. Open a different browser (if you are using Chrome, open Firefox) so that your existing administrator session is not
   reused.
3. Paste the Login URL into the browser.
4. In the Login with Gmail section, enter your Gmail credentials. After Google redirects back to Pega, confirm that you
   are logged in and that an operator record was created for your Gmail identity in the access group you selected.

Available in the following missions:
Lead System Architect


Security Design

Configuring OpenID Connect authentication -- Tue, 07/06/2021 - 13:02