Configuring IdentityNow to Use Pass-Through Authentication

Pass-through authentication (PTA) enables users to sign in to IdentityNow using their network password, which is usually tied to Active Directory or another primary account. This enables you to enforce password expiration policies within IdentityNow for users' network passwords.

IdentityNow supports the following authentication sources:

  • Active Directory

  • Microsoft Entra ID

  • OpenLDAP

  • SunOne (Oracle Directory Server Enterprise Edition)

  • Web Services

  • Okta

  • Oracle Netsuite

  • Salesforce

Because PTA is configured on an identity profile, you must edit the authentication settings on specific identity profiles to support this option.

If your PTA source is configured for Password Management, users can change their network password and their IdentityNow password simultaneously. They can also use PTA to change sync group passwords.


PTA changes may be affected by lockout settings. Go to Global > Security Settings > Lockout Management and review or change the Incorrect Password Lockout Settings to match your PTA source and any related sync groups.

Choosing an Authentication Source

Once your site is in production and users are in the system, you should not change your authentication source without consulting support. Changing the authentication source may prevent users from authenticating to IdentityNow or to any federated apps to which they have access.

Best Practice

After configuring a source for pass-through authentication, use your sandbox to test any changes you make to the source to ensure users do not lose the ability to sign in to the production site.

Configuring an Authentication Source

When initially setting up your IdentityNow configuration, you can choose not to select an authentication source. When you are ready to set your authentication source, only sources that can perform pass-through authentication will be visible during configuration.


Before you can configure an authentication source in your IdentityNow org, the source and its related accounts must have been aggregated at least once.

To configure an authentication source:

  1. Go to Admin > Identity Management > Identity Profiles.

  2. Select an identity profile to edit.

  3. Under Sign-In Method, select Directory Connection.

  4. If this source will be used in a sync group, you must assign at least one application per authentication source.

  5. In Authentication Source, select a source that corresponds to the identities loaded for the identity profile you selected in step 2. Select Save.

Once your authentication source is saved, users will be able to sign in to IdentityNow using their network password tied to that source. If you have one or more apps that use the PTA source as their account source, changing a user's password on these apps will cause that user's IdentityNow password to change.

Setting Temporary Passwords and Password Expiration Policies

When you configure PTA for an identity profile, IdentityNow can enforce the associated source's password expiration policies.

You might want to use this functionality if:

  • You have a new user and want them to change their password the first time they sign in to IdentityNow.

  • A user has forgotten their password and can't use any of the self-service password reset methods.

  • A user's network password has expired, but they usually work outside of the corporate domain or on a computer that doesn't allow them to change their domain password.

In these cases, you can set a one-time password for your user within your authentication source and require them to change their password at the next login.

Best Practice

Set a matching expiration period on the policy associated with your authentication source. For instructions, refer to Defining Password Expiration Settings.