One of our clients is looking for the below requirement.
System A (External System) will have a button / link to open the case in Pega. When the user clicks the button, the user should be redirected to Pega:
Assumption: a user accessing System A will also have an operator created in Pega.
The idea is that the user will log into the client’s website, and then click on a link that will redirect them to an existing case in Pega. Right now the URL is working, but it prompts the user with the login screen, and we want the user to be automatically authenticated via SSO. We have already created a SAML 2.0 Authentication Service that works, but only if we copy the Authentication Service’s URL.
Could you please share your thoughts on how to achieve this?
To achieve seamless Single Sign-On (SSO) authentication when a user clicks the button or link in System A and is redirected to Pega, without being prompted for login, follow these general steps. This approach assumes you have already set up the SAML 2.0 Authentication Service in Pega but need to ensure the user is automatically authenticated through SSO when they navigate to Pega.
Key Components:
SAML 2.0 Authentication Integration: You mentioned that the SAML 2.0 Authentication Service is already configured, which is great.
SSO Integration: You will use the existing SSO mechanism to ensure seamless login when the user is redirected to Pega.
High-Level Steps:
SSO Setup in System A:
Ensure that System A (external system) is integrated with the Identity Provider (IdP) used for SSO.
System A should trigger the SAML authentication to the IdP when the user clicks the link.
You need to ensure that when the user accesses System A, the SSO token or session is established, and that it is passed along during the redirect to Pega.
Generate the Correct URL with Authentication Token:
The URL that the user clicks from System A should contain a mechanism that passes the necessary authentication token to Pega (e.g., a SAML token, a session cookie, or another form of authentication that the SSO setup recognizes).
This can typically be done by appending the SSO token (or a redirect URL with SAML assertion if the token is generated dynamically) as a query parameter when redirecting to Pega. If Pega is integrated with the IdP, the SSO token should ideally be forwarded automatically when the user is redirected.
Pega SSO Configuration:
Automatic Authentication via SAML 2.0: Ensure Pega is configured to accept the incoming SAML response automatically for user authentication. This is part of the configuration in the Authentication Service.
In Pega, the Authentication Service should be configured to read the SAML assertion sent with the request.
Ensure the SSO Initiation URL is correctly set up to receive the SAML response automatically (i.e., the URL that triggers authentication in Pega).
Modify the Link in System A:
System A should contain the link to Pega, which when clicked, triggers the authentication process via SSO.
Here, the SSO_Token should be a valid token that Pega can use to authenticate the user without prompting for a password.
Ensure Pega Session Initialization:
On receiving the redirect from System A, Pega should detect the SSO token (from the SAML assertion) and automatically authenticate the user based on that token.
The user should not be asked to log in manually because Pega will already recognize the SSO assertion and associate the user’s session accordingly.
Testing and Troubleshooting:
Test the entire flow: User clicks the link in System A → SSO token is passed to Pega → Pega recognizes the token → User is redirected to the case page without a login prompt.
Use the browser’s developer tools to verify the SAML assertion, headers, and session cookies being passed between the systems.
Security Considerations:
Ensure that the SSO token is transmitted securely (e.g., using HTTPS).
Ensure the tokens are validated properly to prevent unauthorized access.
If using query parameters to pass the token, be sure it’s encrypted or signed to prevent interception or tampering.
Summary:
Ensure System A has an SSO token (SAML assertion).
Configure System A to pass this token when redirecting to Pega.
Ensure Pega’s Authentication Service is set up to accept and validate the SSO token.
Test the entire flow to ensure that the user is redirected seamlessly to the Pega case without having to manually log in.
By following these steps, you should be able to achieve a seamless login experience for users accessing Pega through the link in System A.
Thanks for your response. I can confirm that I have been able to log in directly from System A to Pega using the SSO. However, when I access Pega, it doesn’t open the case I’ve passed as a query string; it opens the homepage.
The URL I’m using is the following:
https://<pega-url>/prweb/PRAuth/<AuthenticationService>?Target=&2Fprweb%2Fapp%2F<PegaApp>%2FopenCase%2F<caseID>
I also tried with
https://<pega-url>/prweb/PRAuth/<AuthenticationService>?Target=&2Fprweb%2Fapp%2F<PegaApp>%2Fcase%2F<caseID>
but with the same result.
Could you please tell me how to open the case directly?
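The following is an added example, not code from either participant in the thread or from Pega itself. It covers the "Generate the Correct URL" step of the answer above and the `Target` query parameter in the follow-up post: it builds the `/prweb/PRAuth/<AuthenticationService>?Target=...` link with the Target value percent-encoded as a single parameter value, and then parses the query string the way any server-side framework does, so you can see exactly which parameter names reach the server. It also reproduces the shape of the URL as posted, where the first `%2F` appears as `&2F`: because `&` terminates a query value, a URL in that shape delivers an empty `Target` and a stray parameter carrying the rest of the path, which is worth ruling out with browser developer tools before looking at the Authentication Service configuration. The host `pega.example`, the service name `MySAMLService`, the application name `MyApp` and the case ID `C-1001` are constructed placeholders, and `is_safe_target` is a hypothetical relying-party check for post-login redirect targets, not Pega's own validation logic.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders standing in for <pega-url>, <AuthenticationService>
# and <PegaApp> from the thread; they are not real systems.
PEGA_BASE = "https://pega.example"
AUTH_SERVICE = "MySAMLService"
PEGA_APP = "MyApp"


def build_sso_link(case_id: str, route: str = "openCase") -> str:
    """Build the PRAuth deep link. The Target path is passed through urlencode
    with safe="" so every '/' becomes %2F and the whole path travels as the
    value of one query parameter. route is 'openCase' or 'case', the two
    forms tried in the follow-up post."""
    target = f"/prweb/app/{PEGA_APP}/{route}/{case_id}"
    query = urlencode({"Target": target}, safe="")
    return f"{PEGA_BASE}/prweb/PRAuth/{AUTH_SERVICE}?{query}"


def broken_link_from_thread(case_id: str) -> str:
    """Reproduce the shape of the URL as posted: 'Target=&2F...' instead of
    'Target=%2F...'. Standard query-string rules make '&' end the (empty)
    Target value and start a new parameter named '2Fprweb/app/...'."""
    return (f"{PEGA_BASE}/prweb/PRAuth/{AUTH_SERVICE}"
            f"?Target=&2Fprweb%2Fapp%2F{PEGA_APP}%2FopenCase%2F{case_id}")


def target_seen_by_server(url: str) -> dict:
    """Parse the query string as a server-side framework would and report the
    parameter names that arrive plus the decoded value of Target (empty string
    if Target is absent or blank)."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {"params": sorted(qs), "Target": qs.get("Target", [""])[0]}


def is_safe_target(target: str) -> bool:
    """Hypothetical check for a relying party that honours a post-login
    redirect parameter (not Pega's logic): accept only a relative path under
    /prweb with no scheme, no host, no protocol-relative '//' prefix, no
    backslashes and no '..' segments, so a crafted link cannot bounce an
    authenticated user off-site."""
    if not target.startswith("/prweb/") or "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return False
    return ".." not in parsed.path.split("/")


if __name__ == "__main__":
    good = build_sso_link("C-1001")
    bad = broken_link_from_thread("C-1001")
    print("encoded link :", good)
    print("server sees  :", target_seen_by_server(good))
    print("posted shape :", bad)
    print("server sees  :", target_seen_by_server(bad))
    print("safe target? :", is_safe_target(target_seen_by_server(good)["Target"]))
```

Run it and compare the two "server sees" lines: the encoded link arrives as a single `Target` parameter holding `/prweb/app/MyApp/openCase/C-1001`, while the posted shape arrives with `Target` empty and the case path attached to a parameter the application never reads. Whatever link System A emits, capture the redirect in the browser's network tab and confirm the first form is what actually leaves the page after any intermediate redirects, since an IdP or proxy hop that re-encodes or truncates the query string produces the same homepage symptom.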