Pass-through Authentication node

Authenticates an identity through a connector to a third-party service.

This lets you migrate user profiles without forcing users to reset their passwords, or retain a third-party service indefinitely as the canonical store for authentication credentials.

Before you use the node:

Configure the connector to the third-party service.

For details, refer to Sync identities.
If you plan to collect credentials in the identity repository for users, synchronize accounts from the third-party service.

For details, refer to Sync identities.

Use this node after collecting the authentication credentials. For example, use the Platform Username node and the Platform Password node to collect the username and password.

Pass the credentials to this node to authenticate the identity against the service.

Compatibility

Product	Compatible?
ForgeRock Identity Cloud	Yes
ForgeRock Access Management (self-managed)	Yes
ForgeRock Identity Platform (self-managed)	Yes

Product

Compatible?

ForgeRock Identity Cloud

Yes

ForgeRock Access Management (self-managed)

Yes

ForgeRock Identity Platform (self-managed)

Yes

Connectors that support pass-through authentication

The following connectors support pass-through authentication using the AuthenticateOp interface by default:

All Scripted Groovy-based connectors are capable of pass-through authentication if the AuthenticateScript.groovy script is implemented, but the only default implementation is the ScriptedSQL connector. For more information, refer to Authenticate script and Authenticate operation.

Outcomes

Authenticated
Missing Input
Failed

Properties

Property Usage

Property	Usage
System Endpoint	Required. Name of the connector to the third-party service that performs authentication.
Object Type	The ICF object type for the object being authenticated. Default: `account`
Identity Attribute	The username attribute for authentication. Default: `userName`
Password Attribute	The password attribute for authentication. Default: `password`

System Endpoint

Required. Name of the connector to the third-party service that performs authentication.

Object Type

The ICF object type for the object being authenticated.

Default: account

Identity Attribute

The username attribute for authentication.

Default: userName

Password Attribute

The password attribute for authentication.

Default: password

Example

Before trying this example, synchronize accounts from the third-party service. The example shows a login flow that tries pass-through authentication when local authentication fails, and stores the user password when authentication with the third-party service succeeds.

In this example, the user enters their credentials with the Platform Username node and Platform Password node. The Data Store Decision node authenticates against the platform directory service. On failure, authentication passes through to the third-party service. If authentication with the third-party service is successful, the Identify Existing User node and Required Attributes Present node check for a valid user profile. The Patch Object node updates the user’s profile with the successful password:

Pass-through authentication that updates user credentials

Node connections

Table 1. List of node connections
Source node	Outcome path	Target node
Page Node containing: Platform Username Platform Password	→	Data Store Decision
Data Store Decision	True	Increment Login Count
Data Store Decision	False	Pass-through Authentication
Pass-through Authentication	Authenticated	Identify Existing User
	Missing Input	Page Node
	Failed	Failure
Identify Existing User	True	Required Attributes Present
Identify Existing User	False	Increment Login Count
Required Attributes Present	True	Patch Object
Required Attributes Present	False	Increment Login Count
Patch Object	Patched	Increment Login Count
Patch Object	Failed	Increment Login Count
Increment Login Count	→	Inner Tree Evaluator
Inner Tree Evaluator	True	Success
Inner Tree Evaluator	False	Failure