Pass-through Authentication node
Authenticates an identity through a connector to a third-party service.
This lets you migrate user profiles without forcing users to reset their passwords, or retain a third-party service indefinitely as the canonical store for authentication credentials. The node passes the collected username and password to the connector and succeeds only if the third-party service accepts them.
Before you use the node:

- Configure the connector to the third-party service. For details, refer to the OpenICF documentation.
- If you plan to collect credentials in the identity repository for users, synchronize accounts from the third-party service. For details, refer to Synchronization in the IDM documentation.
Use this node after collecting the authentication credentials. For example, use the Username Collector node and the Password Collector node (standalone AM) or the Platform Username node and the Platform Password node (ForgeRock Identity Platform deployment) to collect the username and password, then route the flow to this node to authenticate the identity against the third-party service.
Compatibility
Product | Compatible?
---|---
ForgeRock Identity Cloud |
ForgeRock Access Management (self-managed) |
ForgeRock Identity Platform (self-managed) |
Connectors that support pass-through authentication
The following connectors support pass-through authentication using the AuthenticateOp interface by default:

All Scripted Groovy-based connectors are capable of pass-through authentication if the AuthenticateScript.groovy script is implemented, but the only default implementation is the ScriptedSQL connector. For more information, refer to Authenticate script and Authenticate operation.
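The following AuthenticateScript.groovy is an added example of what a scripted connector must implement for this node to work; it is not the sample script shipped with the ScriptedSQL connector and is not part of this page. It assumes a hypothetical `users` table with columns `id`, `uid`, `pwd_hash` (hex-encoded SHA-256 of salt plus password) and `salt`; the variables `connection`, `objectClass`, `username`, `password` and `log` are the bindings OpenICF provides to the script. The point to take from it is the handling of the credential: the password arrives as a GuardedString, is never logged, and is compared in constant time, and a missing user and a wrong password raise the same exception so the caller cannot tell them apart.

```groovy
// AuthenticateScript.groovy for a ScriptedSQL connector (added example, not the shipped sample).
// OpenICF binds: connection (java.sql.Connection), objectClass, username (String),
// password (GuardedString), log (org.identityconnectors.common.logging.Log).
import groovy.sql.Sql
import org.identityconnectors.common.security.GuardedString
import org.identityconnectors.framework.common.exceptions.InvalidCredentialException
import org.identityconnectors.framework.common.objects.ObjectClass
import org.identityconnectors.framework.common.objects.Uid

import java.nio.CharBuffer
import java.nio.charset.StandardCharsets
import java.security.MessageDigest

// Only account objects carry a password here; reject anything else explicitly.
if (objectClass != ObjectClass.ACCOUNT) {
    throw new UnsupportedOperationException(
        "Authentication is not supported for object class ${objectClass.objectClassValue}")
}

def sql = new Sql(connection as java.sql.Connection)

// Assumed schema (hypothetical, not from the page): users(id, uid, pwd_hash, salt, enabled).
// Parameterised query: the username comes from the login form and is untrusted.
def row = sql.firstRow(
    'SELECT id, pwd_hash, salt FROM users WHERE uid = ? AND enabled = 1',
    [username as String])

// Always hash, even when the user does not exist, so the response time does not
// reveal whether the account is present.
byte[] expected = row ? (row.pwd_hash as String).decodeHex() : new byte[32]
byte[] salt     = row ? (row.salt as String).getBytes(StandardCharsets.UTF_8) : new byte[0]
byte[] actual   = null

// GuardedString.access hands the clear-text chars to the closure and wipes them afterwards.
(password as GuardedString).access({ char[] clear ->
    MessageDigest md = MessageDigest.getInstance('SHA-256')
    md.update(salt)
    md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(clear)))
    actual = md.digest()
} as GuardedString.Accessor)

// MessageDigest.isEqual is a constant-time comparison; log the username only, never the password.
if (row == null || !MessageDigest.isEqual(expected, actual)) {
    log.info('Pass-through authentication failed for user {0}', username)
    throw new InvalidCredentialException('Invalid credentials')
}

// Returning a Uid tells the framework (and the node) that authentication succeeded.
return new Uid(row.id as String)
```

With this script in place, an InvalidCredentialException is what the node reports as the Failed outcome, and the Uid it returns is what makes the Authenticated outcome fire; the choice of hash algorithm is whatever the third-party store already uses, which is the reason this approach lets you avoid a password reset.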
Properties
Property | Usage
---|---
System Endpoint | Required. Name of the connector to the third-party service that performs authentication.
Object Type | The OpenICF object type for the object being authenticated. Default:
Identity Attribute | The username attribute for authentication. Default:
Password Attribute | The password attribute for authentication. Default:
Example
The following example requires a ForgeRock Identity Platform deployment.
Before trying this example, synchronize accounts from the third-party service; the Identify Existing User node can only find a profile that already exists in the identity repository. The example shows a login flow that tries pass-through authentication when local authentication fails, and stores the user's password in the identity repository when authentication with the third-party service succeeds. After that first successful login, the Data Store Decision node authenticates the user locally and the third-party service is no longer consulted for that user.
In this example, the user enters their credentials with the Platform Username node and Platform Password node. The Data Store Decision node authenticates against the platform directory service. On failure, authentication passes through to the third-party service. If authentication with the third-party service is successful, the Identify Existing User node and Required Attributes Present node check for a valid user profile. The Patch Object node then updates the user's profile with the password that the third-party service accepted. Note that the password is only written to the profile after the third-party service has accepted it, so a wrong password never reaches the identity repository.
Node connections
Source node | Outcome path | Target node
---|---|---
Page Node (containing Platform Username node and Platform Password node) | → | Data Store Decision
Data Store Decision | True | Increment Login Count
Data Store Decision | False | Pass-through Authentication
Pass-through Authentication | Authenticated | Identify Existing User
Pass-through Authentication | Missing Input | Page Node
Pass-through Authentication | Failed | Failure
Identify Existing User | True | Required Attributes Present
Identify Existing User | False | Increment Login Count
Required Attributes Present | True | Patch Object
Required Attributes Present | False | Increment Login Count
Patch Object | Patched | Increment Login Count
Patch Object | Failed | Increment Login Count
Increment Login Count | → | Inner Tree Evaluator
Inner Tree Evaluator | True | Success
Inner Tree Evaluator | False | Failure