SSO in Pega using OpenID - (Part 2: Google Account)
In this post, we are going to create a new OpenID Connect authentication service in Pega using Google as the OpenID Identity Provider, and see how we can log in to Pega using Google credentials!
Pega supports only the authorization code OpenID Connect flow. Below is the process flow and the steps involved in an OpenID Connect login.
Pega supports the OpenID Connect authentication service in versions 7.4 and above.
1. The user opens the Pega application and tries to log in using Google sign-in.
2. Pega (the relying app) sends the authentication request to Google (the OpenID Identity Provider).
3. Google (the identity provider) shows the user a screen to enter login credentials, and the credentials are submitted to the identity provider.
4. In the authorization code flow, an authorization code is generated and sent to the relying app.
5. With the received authorization code, the relying app (Pega) sends a token request to the identity provider and receives the tokens (access token and ID token).
6. With the ID token, the relying app sends a request and retrieves the user info necessary for authentication.
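The six-step exchange above, as an added example that is not part of the original post and not Pega's own code: a relying party (the Pega side) and a toy identity provider standing in for Google, simulated offline with the Python standard library. The endpoint and redirect values are the ones given later in this post; the client ID, client secret and user address are constructed placeholders. The toy provider hands back the ID token claims as a plain dictionary so the exchange stays readable; a real token response carries a signed JWT in the id_token field.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"  # from the post
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v3/token"          # from the post
REDIRECT_URI = "https://localhost:8090/prweb/PRAuth"                   # from the post
CLIENT_ID, CLIENT_SECRET = "placeholder-client-id", "placeholder-client-secret"  # constructed


class RelyingParty:
    """The Pega side: builds the authentication request (step 2), consumes the
    callback (step 4) and prepares the token request (step 5)."""

    def __init__(self):
        self.pending = {}   # state -> nonce, one entry per login attempt in progress

    def authentication_request(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return AUTHORIZATION_ENDPOINT + "?" + urlencode({
            "response_type": "code",              # the only flow Pega supports
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid email profile",      # the scopes set in the service rule
            "state": state, "nonce": nonce})

    def handle_callback(self, callback_url):
        """Returns (code, nonce); rejects callbacks whose state we never issued."""
        q = parse_qs(urlparse(callback_url).query)
        if "error" in q:
            raise ValueError("provider returned " + q["error"][0])
        state = q.get("state", [None])[0]
        if state not in self.pending:
            raise ValueError("unknown or already used state")
        return q["code"][0], self.pending.pop(state)   # state is single-use

    def token_request(self, code):
        """The form body POSTed to the token endpoint in step 5."""
        return TOKEN_ENDPOINT, {"grant_type": "authorization_code", "code": code,
                                "redirect_uri": REDIRECT_URI,
                                "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}


class ToyIdentityProvider:
    """Stand-in for Google: steps 3-4 and the token endpoint, as bookkeeping only."""

    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, nonce, user)

    def authorize(self, request_url, user_email):
        q = parse_qs(urlparse(request_url).query)
        if q.get("response_type") != ["code"] or "openid" not in q["scope"][0].split():
            raise ValueError("not an OpenID Connect authorization code request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"][0], q["redirect_uri"][0], q["nonce"][0], user_email)
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):
        entry = self.codes.pop(form.get("code"), None)   # authorization codes are single-use
        if entry is None or entry[0] != form.get("client_id") or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        # Simplified: a real response carries a signed JWT id_token, not bare claims.
        return {"access_token": "constructed-access-token", "token_type": "Bearer",
                "id_token_claims": {"iss": "accounts.google.com", "aud": entry[0],
                                    "nonce": entry[2], "email": entry[3]}}


def login_flow(user_email="alice@example.com"):
    """Run steps 2-6 once; returns (email from the ID token, error on code replay)."""
    rp, idp = RelyingParty(), ToyIdentityProvider()
    callback = idp.authorize(rp.authentication_request(), user_email)
    code, nonce = rp.handle_callback(callback)
    _endpoint, form = rp.token_request(code)
    tokens = idp.token(form)
    if tokens["id_token_claims"]["nonce"] != nonce:   # token must belong to this login attempt
        raise ValueError("nonce mismatch")
    replay = idp.token(form)                          # presenting the same code again
    return tokens["id_token_claims"]["email"], replay.get("error")


def unknown_state_is_rejected():
    try:
        RelyingParty().handle_callback(REDIRECT_URI + "?code=x&state=never-issued")
        return False
    except ValueError:
        return True
```

Calling login_flow() walks one login and then redeems the same authorization code a second time, which the provider refuses with invalid_grant; the state and nonce values show why a relying party keeps per-attempt bookkeeping rather than trusting whatever arrives at the redirect URI.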
Let us start with configuring the steps for OpenID Connect. You will need the following:
A Google developer account, used to generate the client credentials and to validate the redirect URL (we will show how to create a developer account here).
A working internet connection, so that Pega can validate the keys against Google.
I. How to configure google as an OpenID connect Identity provider?
1. Open the Google developer console in your browser using the link below.
2. Sign up with an existing or a new Google account.
3. Create a new project from the dashboard and enter all the basic details.
4. Switch to the newly created project and select OAuth consent screen to create an OAuth client ID.
5. This section lets Google know the details of the application we are trying to log in from.
6. Click External and then Create.
7. On the next screen, provide the basic details of your application that accesses the Google identity provider.
8. You will also see that the scopes email, profile and openid are selected automatically for the Google APIs. Once done, save your changes.
9. To create the credentials, click the Credentials tab, click Create credentials and then select OAuth client ID.
10. Select Web application, enter the application name and click Save. This creates a Client ID and a Client Secret.
II. How to create a new OpenID Connect authentication service?
1. Launch your Pega Personal Edition and open Designer Studio. Click Designer Studio >> Org & Security >> Authentication >> Create Authentication service.
2. Provide the authentication service alias name. Here I name it P4ESSO. Pega automatically generates the login URL (the endpoint URL for login).
3. Provide the OpenID Connect provider configuration.
Authentication flow – prefilled as Authorization Code and read-only. The authorization code is the code obtained from the authorization endpoint, which the server uses to look up the granted permission or consent.
Authorization endpoint – this endpoint URL signs the user in. Below is the authorization endpoint URL for our application: https://accounts.google.com/o/oauth2/auth
Token endpoint – an HTTP endpoint that clients use to obtain an access token given an authorization code. A token endpoint must be able both to grant an access token and to verify one: https://www.googleapis.com/oauth2/v3/token
Userinfo endpoint – the UserInfo endpoint is an OAuth 2.0 protected resource that returns claims about the authenticated end user. These claims are normally represented as a JSON object containing a collection of name/value pairs: https://www.googleapis.com/oauth2/v3/userinfo
Logout endpoint – this endpoint URL signs the user out. You can leave it empty for now.
Redirect URI – a redirect URI, or reply URL, is the location the authorization server sends the user to once the app has been successfully authorized and granted an authorization code or access token. Pega fills this field automatically: https://localhost:8090/prweb/PRAuth
Note: at the end of this rule configuration, we need to update this Redirect URI in the Google developer console application.
4. To process (validate) the ID token, we need the public key of the identity provider.
The Keystore rule is used to store public keys and certificates in Pega.
5. Create a new Keystore instance to save the Google public key.
Records >> Security >> Keystore >> Create new.
6. Use the Reference to URL option to get the JWK: in the Keystore location picklist, select Reference to URL.
Keystore URL – https://www.googleapis.com/oauth2/v3/certs
Keystore type – JSON web key (JWK)
7. Save the Keystore instance. If it saves without throwing any error, the key has been stored successfully in the Keystore instance.
Note: Pega fetches the key from the HTTPS URL https://www.googleapis.com/oauth2/v3/certs, so make sure you have a working internet connection!!
8. After creating the Keystore instance, go back to the authentication service rule and update the ID token processing block.
Issuer – accounts.google.com
Signature truststore – OAuth (the Keystore instance name)
9. To provide the client information details, fill in the Client ID and Client Secret obtained during the developer console configuration.
10. In the Scope field, add the "profile" and "email" scopes along with the default "openid". The scopes determine which OpenID claim data (user info data) is returned.
11. In the Operator identification details, set "email" in the Map operator ID from claim field.
The claim here refers to a user info detail, and we are going to use the email to identify our Pega operator ID.
12. Update the redirect URI in the Google developer application.
13. To test the OpenID Connect authentication, sign out of all Pega sessions and hit the OpenID Connect login URL.
You will be redirected to the OAuth sign-in for your client ID. Sign in using your Google account, and you will be logged in to Pega.
Your Google account will also be added to the operator ID instance list.
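What Pega does with the values entered in steps 4 to 11 (the JWK keystore, the Issuer, the Client ID, the scopes and the operator mapping), as an added example that is not part of this post and not Pega's own code: a relying-party check of an ID token written in Python with only the standard library. Because it has to run offline, the RSA key pair, the JWKS document and the ID token are all constructed locally with a fixed seed (the tiny RSA and JOSE helpers exist only for that and are not production crypto); the client ID, user, nonce and clock value are placeholders, and the issuer string is the one configured in the rule. The block also covers the three failure cases a verifier must reject: a payload swapped under a genuine signature, an unsigned alg=none token, and an expired token.

```python
"""Relying-party checks on an ID token: RS256 signature against a JWK, then
issuer, audience, nonce and expiry, then the "email" claim -> operator ID.
All key material and the token below are constructed, not real Google data."""
import base64, hashlib, hmac, json, math, random

random.seed(20240101)  # deterministic constructed key material
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def random_prime(bits):   # Fermat test on fixed bases: fine for demo keys, never for production
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13, 17)):
            return c

def generate_rsa_key(bits=1024):   # (n, e, d); 1024 bits keeps keygen fast, real IdPs use >= 2048
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return p * q, 65537, pow(65537, -1, phi)

def emsa_pkcs1_v15(message, k):   # EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(message, k))

def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_to_b64url(i): return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def make_jwks(kid, n, e):   # same shape as the document served at the JWK certs URL
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": int_to_b64url(n), "e": int_to_b64url(e)}]}

def encode_jwt(header, claims, n=None, d=None):   # RS256-signed when a private key is given
    dump = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    sig = rs256_sign(signing_input.encode(), n, d) if d is not None else b""
    return signing_input + "." + b64url_encode(sig)

class IdTokenError(ValueError): pass

def validate_id_token(token, jwks, issuer, client_id, nonce, now):   # claims of a valid token, else raise
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":   # refuse alg=none or an HMAC downgrade
        raise IdTokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:                    # kid absent from the signature truststore
        raise IdTokenError("no matching key")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify((h_b64 + "." + p_b64).encode(), b64url_decode(s_b64), n, e):
        raise IdTokenError("signature check failed")
    claims = json.loads(b64url_decode(p_b64))   # the payload is trusted only from here on
    for name, expected in (("iss", issuer), ("aud", client_id), ("nonce", nonce)):
        if claims.get(name) != expected:        # the rule's Issuer; our Client ID; our own login request
            raise IdTokenError(name + " mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    return claims

def operator_id_from_claims(claims, claim_name="email"):   # the "Map operator ID from claim" setting
    if not claims.get(claim_name):
        raise IdTokenError(claim_name + " claim missing")
    return claims[claim_name]

# Constructed scenario: placeholder client ID, user, nonce and clock; issuer as configured in the rule.
KID, ISSUER, NONCE, NOW = "constructed-key-1", "accounts.google.com", "constructed-nonce", 1_700_000_000
CLIENT_ID = "placeholder-client-id.apps.googleusercontent.com"
_N, _E, _D = generate_rsa_key()
JWKS = make_jwks(KID, _N, _E)
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "000000000000000000001", "nonce": NONCE,
                 "email": "alice@example.com", "email_verified": True, "iat": NOW, "exp": NOW + 3600}
ID_TOKEN = encode_jwt({"alg": "RS256", "kid": KID, "typ": "JWT"}, SAMPLE_CLAIMS, _N, _D)

def run_checks():   # valid token -> operator ID; tampered, unsigned and expired tokens -> rejected
    results = {"operator_id": operator_id_from_claims(validate_id_token(ID_TOKEN, JWKS, ISSUER, CLIENT_ID, NONCE, NOW))}
    h, _, s = ID_TOKEN.split(".")   # keep the genuine signature, swap in a different payload
    tampered = h + "." + b64url_encode(json.dumps({**SAMPLE_CLAIMS, "email": "mallory@example.com"}).encode()) + "." + s
    unsigned = encode_jwt({"alg": "none", "kid": KID}, SAMPLE_CLAIMS)
    for name, tok, now in (("tampered", tampered, NOW), ("unsigned", unsigned, NOW), ("expired", ID_TOKEN, NOW + 7200)):
        try:
            validate_id_token(tok, JWKS, ISSUER, CLIENT_ID, NONCE, now)
            results[name + "_rejected"] = False
        except IdTokenError:
            results[name + "_rejected"] = True
    return results
```

The order of checks matters: the signature is verified before any claim is read, so issuer, audience and expiry are only ever compared on a payload the truststore key actually vouches for. The kid lookup is the programmatic equivalent of the Signature truststore setting, and the issuer and audience comparisons correspond to the Issuer field and the Client ID entered in the rule.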
We have successfully configured the OpenID Connect authentication mechanism in Pega!
In our next post we will also see an OpenID Connect authentication service in Pega using Outlook as the OpenID Identity Provider.