Authentication

Authentication is the act of confirming a user’s identity, for example, by providing a set of credentials.

In Identity Cloud, you primarily use journeys to create your authentication flows; However, you can also set up an external application to act as an identity provider.

Since there are many ways to implement authentication based on your needs, use cases vary and can include:

Item	Description
Single sign-on (SSO)	SSO lets authenticated users access multiple independent services from a single login session by storing user sessions as HTTP cookies. You can configure Identity Cloud to let users use SSO with other applications, or let users of other applications use SSO with Identity Cloud. This includes creating applications to use popular federation protocols such as SAML and OAuth 2.0/OIDC.
Multi-factor authentication (MFA)	MFA is an authentication technique that requires users to provide multiple forms of identification when authenticating. MFA provides a more secure method for users to access their accounts with the help of a device.
Pass-through authentication (PTA)	PTA lets you validate passwords with a remote service. This allows you to retain a remote service for authentication or to migrate passwords to Identity Cloud as part of authentication (just-in-time synchronization).

Item

Description

Single sign-on (SSO)

SSO lets authenticated users access multiple independent services from a single login session by storing user sessions as HTTP cookies. You can configure Identity Cloud to let users use SSO with other applications, or let users of other applications use SSO with Identity Cloud.

This includes creating applications to use popular federation protocols such as SAML and OAuth 2.0/OIDC.

Multi-factor authentication (MFA)

MFA is an authentication technique that requires users to provide multiple forms of identification when authenticating.

MFA provides a more secure method for users to access their accounts with the help of a device.

Pass-through authentication (PTA)

PTA lets you validate passwords with a remote service. This allows you to retain a remote service for authentication or to migrate passwords to Identity Cloud as part of authentication (just-in-time synchronization).

The use cases in this section focus on authentication:

Use case	Description
Login with MFA using push notifications	Authenticate a user with MFA by setting up the ForgeRock Authenticator application for push notification on a smartphone.
Salesforce as SP (SAML)	Configure SSO using SAML federated identities with Identity Cloud as the Identity provider (IDP) and Salesforce as the Service provider (SP). Specifically, you configure Identity Cloud as the IDP for Salesforce using SAML.
Microsoft Entra ID (Azure AD) as OpenID provider	Configure Identity Cloud to be a relying party (RP), or client, with Microsoft Entra ID (formerly known as Azure AD) as the OpenID provider (IDP). You also create a journey that lets end users log in to Identity Cloud optionally using Microsoft Entra ID.
Okta as RP (OIDC)	Configure Okta to be the RP with Identity Cloud as the IDP.
Pass-through auth (PTA) with Microsoft Entra ID (Azure AD)	Enable pass-through authentication (PTA) to Microsoft Entra ID and let Identity Cloud capture the Microsoft Entra ID password for future logins.

Use case

Description

Authenticate a user with MFA by setting up the ForgeRock Authenticator application for push notification on a smartphone.

Salesforce as SP (SAML)

Configure SSO using SAML federated identities with Identity Cloud as the Identity provider (IDP) and Salesforce as the Service provider (SP).

Specifically, you configure Identity Cloud as the IDP for Salesforce using SAML.

Microsoft Entra ID (Azure AD) as OpenID provider

Configure Identity Cloud to be a relying party (RP), or client, with Microsoft Entra ID (formerly known as Azure AD) as the OpenID provider (IDP).

You also create a journey that lets end users log in to Identity Cloud optionally using Microsoft Entra ID.

Okta as RP (OIDC)

Configure Okta to be the RP with Identity Cloud as the IDP.

Pass-through auth (PTA) with Microsoft Entra ID (Azure AD)

Enable pass-through authentication (PTA) to Microsoft Entra ID and let Identity Cloud capture the Microsoft Entra ID password for future logins.