Question

Mobile OAuth2 in 8.2 and WebLDAP authentication service

Hi guys!

I appreciate any help about that.

I have a WebLDAP1 authentication service configured and it works very nicely in web browsers; you only have to change /prweb/ to /prweb/PRWebLADP1 and enter your LDAP credentials.

The configuration is very easy: we only have to fill in some JNDI parameters and binding details, and everything runs OK!

But now I want to do the same type of authentication in a mobile app (Android app) with the Pega custom mobile client and Platform 8.2.1.

In this version we have the OAuth2 flow by default, so I need to configure an IdP that does the authentication and responds to the Pega platform, which creates the token and continues the flow to let the mobile app work.

I've seen we can use SAML or OpenID (external logins), so I was wondering what the best approach is to do this in a way that lets me reuse my WebLDAP1 login page and return to the OAuth2 flow like an external login.

My requirement is not to create new activities, but instead to use the OOTB types of authentication services already provided for LDAP.

I hope you can understand my question.

Thx for the help.

Comments

Pega
August 9, 2019 - 1:57pm

Using SAML and OIDC, the login page is provided by the IdP, not Pega, so the login page you currently use with WebLDAP1 is not available.

August 9, 2019 - 6:30pm
Response to SOLOM

Hi, thx for the reply Marty. I understand that (the external IdP provides its own login page).

So my question would be: what's the best approach to keep the OAuth2 flow and do the authentication in an IdP like Active Directory, using the same configuration I've already created in the WebLDAP1 authentication service?

I've seen we can create a basic credentials authentication with an external datastore. Do you recommend this way, or is there a better/easier config like in WebLDAP1?

Thx for any suggestions about this.

Pega
August 10, 2019 - 7:51am

The external datastore option of the basic credentials auth service type is intended for this type of situation. You would be entirely responsible for implementing validation of user credentials, but I suppose that's what you are already doing in WebLDAP1.

Using Active Directory, you could also implement SAML type authentication if that's supported in your organization.

August 12, 2019 - 5:43am
Response to SOLOM

Hi Marty,

thx for the answer :-) This is exactly the point I'm dealing with: why do I have to be entirely responsible for implementing validation of user credentials (data pages, activities, bla bla bla) to use Active Directory (LDAP) authentication in mobile apps if there's already a custom authentication service, WebLDAP1, that is working for non-mobile (browser) requests? Is there no other approach?

Yeah, I've seen I can try SAML with ADFS, but I have to give my customer some answer as to why I'm making this change now.

Thx a lot for your comments, you're very helpful to me.