Pass-through Authentication

Identity Cloud pass-through authentication lets you validate passwords with a remote service. Common use cases include:

Overview

Secure systems typically store passwords using one-way hash algorithms to make the passwords hard to crack. But, unless all systems support the same one-way hash algorithms, using this security measure alone can impede password synchronization.

A better security practice is to synchronize hashed passwords only between services that support the same password storage schemes. This ensures that the target service will always get passwords that it can read or compare. Only synchronize hashed passwords directly between services that support the same password storage schemes. Otherwise, the target service will get passwords that it cannot read or compare!

For example, Active Directory stores passwords using a hash algorithm that Identity Cloud doesn’t support. So when you import identities based on Active Directory accounts, Identity Cloud can’t synchronize the users' passwords. As a result, these users have no local credentials to authenticate to Identity Cloud.

The Identity Cloud Passthrough Authentication node uses a connector to validate credentials against the remote Active Directory service. The remote system verifies the user’s password even if Identity Cloud doesn’t support the hash algorithm.

For a list of DS schemes Identity Cloud supports, see Synchronize passwords.

Prepare for pass-through authentication

Before using pass-through authentication:

  1. Set up an Identity Cloud connector to the remote authentication service.

  2. If Identity Cloud will save a copy of the password on successful authentication, align password policies so the remote password is certain to pass Identity Cloud password validation.

  3. If you import or synchronize Identity Cloud profiles from the remote accounts, do not synchronize the passwords from the remote service to Identity Cloud.

Identity Cloud uses the local account to find the appropriate identifier, and the connector to authenticate remotely.

For details, see Sync Identities.

Migrate passwords

When you cannot synchronize hashed passwords, you can use the pass-through authentication node to capture them. The following example journey demonstrates password capture and storage.

Identity Cloud performs authentication through a connector. It also stores the captured password securely using a strong, one-way hash algorithm. Identity Cloud can then act as the service of record for authentication of that account. After the user has authenticated successfully through this journey, the user can authenticate locally in Identity Cloud. The user no longer needs to authenticate using the remote service:

passthrough sync passwords

Here’s what happens in this example journey:

  1. The Platform Username and Platform Password in the Page Node prompt the user for credentials.

  2. The Data Store Decision node attempts local authentication.

    • If authentication succeeds, the Data Store Decision node processes the authentication like the default Login journey.

    • If authentication fails, the Passthrough Authentication node attempts remote authentication.

    When configuring the Passthrough Authentication node, you must identify the connector to the remote authentication service in the node’s System Endpoint field.

  3. The Identify Existing User and Required Attributes Present nodes ensure that Identity Cloud has the data needed to update the account.

  4. The Patch Object updates the account with the password used for successful remote authentication.

    When configuring this node, be sure to select Patch As Object.

  5. The rest of the journey processes the authentication like the default Login journey.

This journey can fail when the remote password does not respect Identity Cloud policy.

This results in a Failed policy validation error displayed to the user as the Patch Object node unsuccessfully tries with a password that fails password validation for the realm:

506

To avoid this problem, align password policies so that the remote password is sure to pass Identity Cloud password validation. For details, see Password Policy.

Remote authentication

You can use the Passthrough Authentication node for remote authentication. This is useful when you can neither synchronize hashed passwords, nor use Identity Cloud as the service of record for authentication.

The example journey below does not capture the password on successful authentication. But, you could adapt the journey to capture the password. Then you could the cache authentication credentials in Identity Cloud temporarily. Identity Cloud then serves as a backup authentication service when the remote service is not available. If you adapt the journey in this way, be sure to configure the journey to authenticate periodically with the remote service, and to refresh the cached password.

The following journey demonstrates remote authentication when local authentication fails:

passthrough remote authn
  1. The Platform Username and Platform Password in the Page Node prompt the user for credentials.

  2. The Data Store Decision node attempts local authentication.

    • If authentication succeeds, the Data Store Decision node processes the authentication like the default Login journey.

    • If authentication fails, the Passthrough Authentication node attempts remote authentication.

  3. The rest of the journey processes the authentication like the default Login journey.