Configuring Authentication for the PAM Application
The PAM application supports three types of authentication:
Important: Details of how to obtain the necessary credentials will vary by solution provider, so you should consult your PAM solution provider's documentation for details.
OAuth 2.0
OAuth 2.0 is an industry-standard protocol for authorization. It provides a variety of authorization flows for web applications, desktop applications, mobile phones, and devices.
The PAM application supports several grant types for OAuth 2.0:
Refresh Token
This grant type is used by clients in order to exchange a refresh token for a new access token when the existing access token has expired. This allows the PAM application to get a new session when the current session expires, without having to re-authenticate as frequently. This grant type is commonly used together with Authorization Code to prevent a user from having to log in several times per day.
Note: Before any OAuth 2.0 token requests can be initiated, a Client ID and secret are necessary. Details of how to obtain the necessary credentials will vary by solution provider, so you should consult your PAM solution provider's documentation for details.
For more information see OAuth 2.0 Refresh Token.
To configure Refresh Token authentication:
- Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.
- Enter the Client ID for OAuth 2.0 authentication. This is obtained from your PAM solution provider.
- Enter the Client Secret for OAuth 2.0 authentication. This is obtained from your PAM solution provider.
- Enter the Refresh Token used to generate an access token. This is obtained from your PAM solution provider.
Client Credentials
The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user.
Note: Before any OAuth 2.0 token requests can be initiated, a Client ID and secret are necessary. Details of how to obtain the necessary credentials will vary by solution provider, so you should consult your PAM solution provider's documentation for details.
For more information see OAuth 2.0 Client Credentials Grant.
To configure Client Credentials authentication:
- Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.
- Enter the Client ID for OAuth 2.0 authentication. This is obtained from your PAM solution provider.
- Enter the Client Secret for OAuth 2.0 authentication. This is obtained from your PAM solution provider.
JWT
A JWT (JSON Web Token) securely authenticates the connection to an external application to perform operations as required. A JWT contains encoded JSON objects, and is signed using a signing algorithm to ensure that the claims cannot be altered after the token is issued. These tokens have a specific structure consisting of a header, payload, and signature.
JWTs can be used as OAuth 2.0 Bearer Tokens to encode all relevant parts of an access token into the access token itself instead of having to store them in a database.
You can use the Additional Payload field for systems where authentication may require additional parameters along with mandatory fields.
For example, if the PAM system expects the client_id and client_secret in the payload, then they must be provided in the Additional Payload field. The Additional Payload field accepts additional body parameters in JSON format.
For more information, see JWT Profile for OAuth 2.0 Access Tokens.
To configure JWT authentication:
- Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.
- In the JWT Header field, you can add additional headers in JSON format if required. The header consists of the type of the token (JWT) and the signing algorithm being used. For example:
{
"typ" : "JWT",
"alg" : "RS256"
}
- Enter the JWT Issuer for authorization. The Issuer is the party that issued the JWT. For example:
https://issuer.example.com/
- Enter the JWT Subject for authorization. The Subject is the user for which the access token is being requested. For example:
145234573
- Enter the JWT Audience. This is the recipient for which the JWT is intended, and takes the form of an array of case-sensitive strings, each containing a StringOrURI value.
- You can add Additional Payload details as needed. See above for details about Additional Payload values.
- Enter the Private Key and the corresponding Private Key Password to be used to sign the JWT.
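As an added illustration (not the product's own code), the Go program below assembles the JWT described by these fields and the form parameters sent to the Token URL: it parses the JWT Header JSON and rejects anything other than typ JWT with alg RS256, places the Issuer, Subject and Audience array in the claims, signs with the private key, and merges the Additional Payload JSON (for example client_id and client_secret) into the request parameters. The function names, the five-minute expiry, the jwt-bearer grant_type value (RFC 7523) and a freshly generated key standing in for the configured Private Key are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// NewSigningKey stands in for the configured Private Key, which in practice is loaded from a key file and unlocked with the Private Key Password.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildAssertion turns the JWT Header, Issuer, Subject and Audience fields into a signed
// header.payload.signature string. The header must declare RS256, the algorithm applied below.
func BuildAssertion(headerJSON, issuer, subject string, audience []string, key *rsa.PrivateKey, now int64) (string, error) {
	var hdr map[string]string
	if err := json.Unmarshal([]byte(headerJSON), &hdr); err != nil {
		return "", fmt.Errorf("JWT Header field is not valid JSON: %w", err)
	}
	if hdr["typ"] != "JWT" || hdr["alg"] != "RS256" {
		return "", fmt.Errorf("header must declare typ JWT and alg RS256, got %v", hdr)
	}
	claims := map[string]interface{}{"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + 300} // aud is an array of StringOrURI; exp keeps the assertion short-lived (5 min)
	h, _ := json.Marshal(hdr)
	p, _ := json.Marshal(claims)
	signingInput := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256 = RSA PKCS#1 v1.5 over SHA-256
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// TokenRequestBody lists the form parameters posted to the OAuth 2.0 Token URL: the jwt-bearer grant type
// (RFC 7523, our assumption), the assertion, and each key of the Additional Payload JSON (pass "{}" if empty).
func TokenRequestBody(assertion, additionalPayloadJSON string) (map[string]string, error) {
	extra := map[string]string{}
	if err := json.Unmarshal([]byte(additionalPayloadJSON), &extra); err != nil {
		return nil, fmt.Errorf("Additional Payload is not valid JSON: %w", err)
	}
	body := map[string]string{"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": assertion}
	for k, v := range extra {
		body[k] = v
	}
	return body, nil
}
```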
Password
The Password grant type is a way to exchange a user's credentials for an access token. Although this type is supported, it is considered less secure than other grant types.
You can use the Additional Payload field for systems where authentication may require additional parameters along with mandatory fields.
For example, if the PAM system expects the client_id and client_secret in the payload, then they must be provided in the Additional Payload field. The Additional Payload field accepts additional body parameters in JSON format.
For more information see OAuth 2.0 Password Grant.
To configure Password authentication:
- Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.
- Enter the OAuth 2.0 Username and the corresponding Password.
- You can add Additional Payload details as needed. See above for details about Additional Payload values.
API Token
API tokens allow a user to bypass two-step verification and SSO in order to authenticate and retrieve data, and require only an API Token. The token is self-contained and carries all the information it needs for authentication. The token type must be included with the value. For example:
Bearer <AUTH TOKEN>
For more information see OAuth Access Tokens.
Basic Authentication
Basic Authentication is a simple method for authenticating, requiring only a Username and Password.
For Basic Authentication, it is a best practice to set up an identity within IdentityIQ specifically for performing this authentication.