Identity Cloud

Pass-through auth (PTA) with Microsoft Entra ID (Azure AD)


Description

Estimated time to complete: 30 minutes

In this use case, you enable pass-through authentication (PTA) to Microsoft Entra ID (formerly Azure AD) and let Identity Cloud capture the Microsoft Entra ID password for future logins.

Goals

In completing this use case, you will learn how to do the following:

  • Use the Identity Cloud admin UI

  • Create an authentication journey enabling pass-through authentication for Microsoft Entra ID users provisioned to Identity Cloud

  • Capture passwords on successful pass-through authentication

Prerequisites

Before you start work on this use case, make sure you have:

  • A basic understanding of:

    • The Identity Cloud admin UI

    • Journeys

    • Nodes

    • Pass-through authentication

  • Completed the use case to Provision users from Microsoft Entra ID (Azure AD)

  • A test user that exists in Microsoft Entra ID and is provisioned in Identity Cloud, together with the password needed to sign in as that user

  • Access to your Identity Cloud development environment as an administrator

  • Access to your Microsoft Entra ID tenant environment as an administrator

Tasks

Task 1: Sign on to Microsoft Entra ID as the test user

This confirms you have the test user credentials and the test user is active in Microsoft Entra ID:

  1. Browse to the sign-on page for Microsoft Azure.

  2. Sign on as the test user.

  3. If this is the first time the test user signed on, update the password and record the new password for pass-through authentication.

Do not enable multi-factor authentication for the test user, and keep the user out of any Conditional Access policy that requires it.

For this use case, the test user must be able to authenticate with only a username and password. The connector checks credentials with the username/password (resource owner password credentials) grant, which cannot complete a multi-factor challenge.

Task 2: Confirm the test user account in Identity Cloud

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Select Application > Identities > Manage.

  3. Find the Identity Cloud test user in the list.

    If the test user doesn’t have an Identity Cloud account yet, provision the account from Microsoft Entra ID.

Check in

At this point, you have:

Signed on as the test user and recorded the credentials.

Confirmed the test user is provisioned in Identity Cloud.

Task 3: Create a pass-through authentication journey

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Select Journeys > + New Journey and set at least the following before clicking Save:

    Field            Value
    Name             PTA with password capture
    Identity Object  managed/alpha_user

  3. Drag the following nodes onto the journey editor canvas:

    • Page node containing:

      • Platform Username node

      • Platform Password node

    • Data Store Decision node

    • Passthrough Authentication node

    • Identify Existing User node

    • Required Attributes Present node

    • Patch Object node

    • Increment Login Count node

    • Inner Tree Evaluator node

  4. Connect the nodes, clicking Save from time to time to keep your work:

    Pass-through authentication journey layout

    Source node                        Outcome path      Target node
    Start (person icon)                (single outcome)  Page node
    Page node containing:              (single outcome)  Data Store Decision node
      Platform Username node
      Platform Password node
    Data Store Decision node           True              Increment Login Count node
                                       False             Passthrough Authentication node
    Passthrough Authentication node    Authenticated     Identify Existing User node
                                       Missing Input     Page node
                                       Failed            Failure node
    Identify Existing User node        True              Required Attributes Present node
                                       False             Failure node
    Required Attributes Present node   True              Patch Object node
                                       False             Increment Login Count node
    Patch Object node                  Patched           Increment Login Count node
                                       Failed            Increment Login Count node
    Increment Login Count node         (single outcome)  Inner Tree Evaluator node
    Inner Tree Evaluator node          True              Success node
                                       False             Success node

Task 4: Adjust node settings for the journey

Adjust the settings for the specified nodes as follows:

  1. Configure these Page node settings and click Save:

    Field             Value
    Page Header       Key: en, Value: Sign on
    Page Description  Key: en, Value: This page uses pass-through authentication.
    All other fields  Accept the default settings, leaving the fields blank.

  2. Configure these Passthrough Authentication node settings and click Save:

    Field               Value
    System Endpoint     The name of the connector for the provisioning application (see below).
    Object Type         Enter User (see below for how to list the available object types).
    Identity Attribute  Keep userName.
    Password Attribute  Keep password.

    To find the name of the connector:

    1. Log in to the Identity Cloud admin UI as an administrator.

    2. Select Native Consoles > Identity Management.

    3. On the Identity Management page, select Configure > Connectors.

    4. Find the MSGraphAPI Connector.

      It is named like the application, but the connector name does not include spaces; for example, an application named Microsoft Entra ID has a connector named MicrosoftEntraID.

    To find the name of the object type:

    1. On the Identity Management page, select Configure > Connector Name > Object Types.

    2. Find the available types in the list.

  3. Configure these Identify Existing User node settings and click Save:

    Field               Value
    Identifier          Keep userName.
    Identity Attribute  Enter userName.

  4. Configure these Required Attributes Present node settings and click Save:

    Field              Value
    Identity Resource  managed/alpha_user

  5. Configure these Patch Object node settings and click Save:

    Field               Value
    Patch As Object     Enable.
    Identity Resource   managed/alpha_user
    Identity Attribute  Keep userName.

  6. Configure these Inner Tree Evaluator node settings and click Save:

    Field      Value
    Tree Name  Select ProgressiveProfile.

Check in

At this point, you have:

Signed on as the test user and recorded the credentials.

Confirmed the test user is provisioned in Identity Cloud.

Prepared a journey and connected the nodes.

Configured passthrough authentication nodes.

Task 5: Adjust password policy settings

When Identity Cloud updates a password, it checks the password policy to prevent weak passwords. Pass-through authentication has no way of ensuring a remote password is valid according to the Identity Cloud policy; the captured password is only checked when the Patch Object node writes it to the user profile.

Default Microsoft Entra ID password policies don’t necessarily match the default Identity Cloud password policy. If the Identity Cloud policy rejects the captured password, the Patch Object node takes its Failed outcome, the journey still succeeds through the Increment Login Count node, and the password is not stored: the user keeps depending on pass-through authentication and the Default login after validation step fails. Adjust the Identity Cloud password policy appropriately to avoid rejecting valid Microsoft Entra ID passwords:

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Select Security > Password Policy.

  3. Adjust the settings to avoid rejecting valid Microsoft Entra ID passwords.

  4. Click Save.

This changes the password policy for all identities in the realm, not only for pass-through users, so relax only the rules that conflict with the Microsoft Entra ID policy.

Task 6: Allow public client flows in Microsoft Entra ID

Update the Microsoft Entra ID application that Identity Cloud uses for provisioning. Allow public client flows lets the application use the resource owner password credentials grant without a client secret, which is how the Identity Cloud connector checks a username and password against Microsoft Entra ID. The setting applies to the whole app registration, so use a registration dedicated to the connector rather than one shared with other integrations:

  1. Sign in to the Microsoft Entra ID tenant as administrator.

  2. Select Home > App registrations > Microsoft Entra ID application.

  3. In the App registrations page, change Authentication > Advanced settings > Allow public client flows to Yes.

  4. Click Save.
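The Entra ID side of pass-through authentication can be checked on its own before the journey is involved. The following script is an added example, not ForgeRock or Microsoft code: it sends the same resource owner password credentials (ROPC) grant the connector relies on to the Microsoft identity platform v2.0 token endpoint and maps the answer back to the task to revisit. The tenant, client ID and user values are placeholders; the AADSTS codes are the ones the token endpoint returns for a missing client secret, bad credentials and an MFA requirement.

```python
"""Check the Entra ID side of pass-through authentication on its own.

Added example; not ForgeRock or Microsoft code. Sends the ROPC grant that the
Identity Cloud connector uses and explains the response. Tenant, client ID and
user values are placeholders you replace with your own.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

# Error codes the token endpoint returns for the conditions this use case runs into.
NOT_PUBLIC_CLIENT = "AADSTS7000218"   # secret required: public client flows not allowed
BAD_CREDENTIALS = "AADSTS50126"       # invalid username or password
MFA_REQUIRED = "AADSTS50076"          # user must complete multi-factor authentication


def build_ropc_body(client_id: str, username: str, password: str,
                    scope: str = DEFAULT_SCOPE) -> bytes:
    """Form-encode the ROPC request. No client_secret is sent: only a public client may do this."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    }).encode()


def error_code(token_response: dict) -> str:
    """Extract the AADSTS code that prefixes error_description, or '' if there is none."""
    desc = token_response.get("error_description", "")
    return desc.split(":", 1)[0] if desc.startswith("AADSTS") else ""


def classify(token_response: dict) -> str:
    """Map a token endpoint response to the task in this use case to revisit."""
    if "access_token" in token_response:
        return "ok: Entra ID accepted the username and password"
    code = error_code(token_response)
    if code == NOT_PUBLIC_CLIENT:
        return "not a public client: set Allow public client flows to Yes (Task 6)"
    if code == BAD_CREDENTIALS:
        return "bad credentials: sign on as the test user and record the password (Task 1)"
    if code == MFA_REQUIRED:
        return "MFA required: the test user must authenticate with username and password only"
    return "other failure: " + (token_response.get("error_description") or json.dumps(token_response))


def ropc_check(tenant: str, client_id: str, username: str, password: str) -> str:
    """Live call. On failure the endpoint answers HTTP 400 with a JSON error body."""
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant),
        data=build_ropc_body(client_id, username, password),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        body = json.load(err)  # the error JSON is in the 400 response body
    return classify(body)


# Constructed responses in the shape the endpoint returns; not captured from a real tenant.
SAMPLE_NOT_PUBLIC = {
    "error": "invalid_client",
    "error_description": (
        "AADSTS7000218: The request body must contain the following parameter: "
        "'client_assertion' or 'client_secret'.\r\nTrace ID: 00000000-0000-0000-0000-000000000000"
    ),
}
SAMPLE_OK = {"token_type": "Bearer", "expires_in": 3599, "access_token": "<redacted>"}

if __name__ == "__main__":
    for sample in (SAMPLE_NOT_PUBLIC, SAMPLE_OK):
        print(classify(sample))
    # Live check once the placeholders are filled in with your tenant, app and test user:
    # print(ropc_check("<tenant>.onmicrosoft.com", "<client id>", "<test user UPN>", "<password>"))
```

Run the live check before and after Task 6: with Allow public client flows set to No the endpoint refuses the request for lack of a client secret, and after the change the same request returns a token. If the user is caught by an MFA requirement the script reports that too, which is the failure the journey would otherwise surface only as a generic Failed outcome.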

Check in

At this point, you have:

Signed on as the test user and recorded the credentials.

Confirmed the test user is provisioned in Identity Cloud.

Prepared a journey and connected the nodes.

Configured passthrough authentication nodes.

Aligned password policy settings.

Allowed public client flows in Microsoft Entra ID.

Validation

You are ready to validate the pass-through authentication journey.

Steps

Validate authentication in each of the following ways.

Default login before

Check the user cannot log in to Identity Cloud. Identity Cloud doesn’t have the user’s password:

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Select Journeys > Login and copy the Preview URL.

  3. Paste the URL into an incognito window.

    Use an incognito window for testing so that no existing Identity Cloud session or cached page interferes with the test.

    The login page for the tenant displays.

  4. Log in as the test user.

    Log in fails.

Pass-through authentication

Log in with the user’s Microsoft Entra ID credentials, providing the username and password. After Identity Cloud verifies the credentials in Microsoft Entra ID, it stores the captured password in the user’s profile:

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Select Journeys > PTA with password capture (the journey created in Task 3) and copy the Preview URL.

  3. Paste the URL into an incognito window.

    The login page for the pass-through authentication journey displays.

  4. Log in as the test user.

    Behind the scenes, the journey proceeds as follows:

    1. The Data Store Decision node fails to authenticate the user, because Identity Cloud holds no password for the account yet.

    2. The Passthrough Authentication node tests the username and password through the connector to Microsoft Entra ID.

      You provided the correct credentials, so the test succeeds. The node has confirmed the password is valid.

    3. The Identify Existing User node finds the provisioned test user in Identity Cloud.

    4. The Required Attributes Present node checks the shared node state has the managed/alpha_user attributes needed for a minimally complete user profile.

    5. The Patch Object node updates the test user profile with the required attributes, capturing the valid password.

    6. The Increment Login Count node updates the login count.

    7. The Inner Tree Evaluator node invokes the ProgressiveProfile journey.

    8. The journey succeeds and the test user profile displays.

Default login after

Identity Cloud captured the user password during the pass-through authentication journey. The user can now log in to Identity Cloud directly:

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Select Journeys > Login and copy the Preview URL.

  3. Paste the URL into an incognito window.

    The login page for the tenant displays.

  4. Log in as the test user.

    Log in succeeds.
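The three validation checks above can be scripted against the Identity Cloud authenticate REST endpoint instead of clicking through Preview URLs. The following is an added example, not ForgeRock code: it starts a journey by name (authIndexType=service), fills in the callbacks the Page node returns, and reports whether the journey ended with a session token. The tenant URL is a placeholder, and it is assumed that the Platform Username and Platform Password nodes surface as NameCallback and PasswordCallback, as they do in the default Login journey.

```python
"""Drive Identity Cloud journeys over REST to reproduce the validation steps.

Added example; not ForgeRock code. Uses the AM authenticate endpoint with
authIndexType=service to select a journey by name. The tenant host is a
placeholder; callback types for the Platform Username/Password nodes are assumed.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TENANT = "https://<tenant>.forgeblocks.com"  # placeholder: your Identity Cloud tenant
AUTH_PATH = "/am/json/realms/root/realms/alpha/authenticate"
HEADERS = {
    "Content-Type": "application/json",
    "Accept-API-Version": "resource=2.0, protocol=1.0",
}
USERNAME_CALLBACKS = {"NameCallback", "ValidatedCreateUsernameCallback"}
PASSWORD_CALLBACKS = {"PasswordCallback", "ValidatedCreatePasswordCallback"}


def journey_url(journey: str) -> str:
    """Authenticate URL that starts the named journey in the alpha realm."""
    query = urllib.parse.urlencode({"authIndexType": "service", "authIndexValue": journey})
    return f"{TENANT}{AUTH_PATH}?{query}"


def fill_callbacks(step: dict, username: str, password: str) -> dict:
    """Return a copy of an authenticate response with the credential callbacks filled in.

    Raises ValueError on any other callback type so the caller never posts an
    empty answer to a prompt it does not understand (for example a profile
    question raised by the ProgressiveProfile inner journey).
    """
    filled = json.loads(json.dumps(step))  # deep copy; the input is left untouched
    for cb in filled.get("callbacks", []):
        if cb["type"] in USERNAME_CALLBACKS:
            cb["input"][0]["value"] = username
        elif cb["type"] in PASSWORD_CALLBACKS:
            cb["input"][0]["value"] = password
        else:
            raise ValueError(f"unexpected callback type {cb['type']}")
    return filled


def _post(url: str, body: dict):
    """POST JSON; AM answers failed logins with HTTP 401 and a JSON body."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=HEADERS, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def login(journey: str, username: str, password: str, max_steps: int = 5):
    """Run a journey end to end. Returns ("success", tokenId) or ("failure", reason)."""
    url = journey_url(journey)
    status, step = _post(url, {})  # an empty body starts the journey
    for _ in range(max_steps):
        if "tokenId" in step:
            return "success", step["tokenId"]
        if status != 200 or "callbacks" not in step:
            return "failure", step.get("message", json.dumps(step))
        try:
            answer = fill_callbacks(step, username, password)
        except ValueError as err:
            return "failure", str(err)
        status, step = _post(url, answer)
    return "failure", f"journey still prompting after {max_steps} steps"


def validate(username: str, password: str) -> dict:
    """The three checks of the Validation section, in order: expect failure, success, success."""
    return {
        "default login before": login("Login", username, password)[0],
        "pass-through": login("PTA with password capture", username, password)[0],
        "default login after": login("Login", username, password)[0],
    }


# Constructed first-step response in the shape the Page node returns; not captured from a tenant.
SAMPLE_STEP = {
    "authId": "<opaque value issued by the tenant>",
    "callbacks": [
        {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name"}],
         "input": [{"name": "IDToken1", "value": ""}], "_id": 0},
        {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password"}],
         "input": [{"name": "IDToken2", "value": ""}], "_id": 1},
    ],
    "header": "Sign on",
    "description": "This page uses pass-through authentication.",
}

if __name__ == "__main__":
    print(json.dumps(fill_callbacks(SAMPLE_STEP, "test.user", "<password>"), indent=2))
    # Live run once TENANT is set: print(validate("<test user>", "<Entra ID password>"))
```

Run validate() with the test user's Microsoft Entra ID credentials: the first Login attempt must fail, the pass-through journey must succeed, and the second Login attempt succeeds only if the Patch Object node was able to store the captured password, which is exactly the condition Task 5 is about.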


Explore further

Reference material

Reference                                          Description
Admin UIs                                          Get to know the Identity Cloud admin UI.
Azure AD provisioning                              Learn about connecting Identity Cloud to Microsoft Entra ID.
Pass-through authentication                        Read about alternative pass-through authentication methods.
Tutorial: Register an app with Microsoft Entra ID  Refer to this Microsoft Entra ID documentation for details.

Copyright © 2010-2024 ForgeRock, all rights reserved.