Configuring Pass-Through Authentication
Pass-through authentication (PTA) lets users sign in to Identity Security Cloud with their network password, that is, the password of their account on a primary source such as Active Directory. Because the password is validated against that source at sign-in, the source's password expiration policy is effectively enforced for Identity Security Cloud sign-ins as well.
Identity Security Cloud supports the following authentication sources:
- Active Directory
- Microsoft Entra ID
- OpenLDAP
- SunOne (Oracle Directory Server Enterprise Edition)
- Web Services
- Okta
- Oracle Netsuite
- Salesforce
Because PTA is configured on an identity profile, you must edit the authentication settings of each identity profile that should support this option. If an identity has more than one account on the authentication source, the first account Identity Security Cloud encountered is the one used for authentication.
If your PTA source is configured for Password Management, users can change their network password and their Identity Security Cloud password simultaneously. They can also use PTA to change sync group passwords.
Note
Sign-in attempts through PTA are subject to lockout settings on both sides: the Identity Security Cloud lockout policy and the lockout policy of the PTA source. Go to Global > Security Settings > Lockout Management and review or change the Incorrect Password Lockout Settings to match your PTA source and any related sync groups. If the thresholds differ, a run of incorrect passwords can lock the account on one system before the other, so users may be locked out of the directory while Identity Security Cloud still appears to accept attempts, or the reverse.
Choosing an Authentication Source
Once your site is in production and users are in the system, do not change your authentication source without consulting support. Changing the authentication source may prevent users from authenticating to Identity Security Cloud or to any federated apps to which they have access.
Best Practice
After configuring a source for pass-through authentication, use your sandbox to test any changes you make to the source to ensure users do not lose the ability to sign in to the production site.
Configuring an Authentication Source
When initially setting up your configuration, you can leave the authentication source unset. When you are ready to set it, only sources that can perform pass-through authentication are offered during configuration.
Prerequisite
Before you can select a source as an authentication source, that source and its accounts must have been aggregated into your Identity Security Cloud org at least once.
To configure an authentication source:
- Go to Admin > Identity Management > Identity Profiles.
- Select an identity profile to edit.
- Under Sign-In Method, select Directory Connection.
- If this source will be used in a sync group, you must assign at least one access application per authentication source.
- In Authentication Source, select a source that corresponds to the identities loaded for the identity profile you are editing.
- Select Save.
Once your authentication source is saved, users can sign in using the network password tied to that source. If you have access apps that use the PTA source as their account source, changing the password on one of those access apps also changes the user's Identity Security Cloud password, because both are the same password on the PTA source.
Setting Temporary Passwords and Password Expiration Policies
When you configure PTA for an identity profile, Identity Security Cloud can enforce the associated source's password expiration policies.
You might want to use this functionality if:
- You have a new user and want them to change their password the first time they sign in to Identity Security Cloud.
- A user has forgotten their password and can't use any of the self-service password reset methods.
- A user's network password has expired, but they usually work outside of the corporate domain or on a computer that doesn't allow them to change their domain password.
In these cases, set a one-time password for the user in your authentication source and require them to change it at their next login. Because Identity Security Cloud validates the password against that source, the forced change applies to the Identity Security Cloud sign-in as well.
Best Practice
Set a matching expiration period on the policy associated with your authentication source. For instructions, refer to Defining Password Expiration Settings.
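The Active Directory case of the step above, as an added example that is not part of SailPoint's documentation: a PowerShell function that performs the administrative password reset on the PTA source and forces a change at next logon, first clearing the two account flags (Password never expires, User cannot change password) that would otherwise block the forced change, and unlocking the account so the next PTA attempt is not rejected for an unrelated reason. It assumes the ActiveDirectory RSAT module, delegated reset rights on the target OU, and a constructed sample user named jdoe; none of these come from the page.

```powershell
# Added example, not SailPoint code. Requires the ActiveDirectory module (RSAT) and
# rights to reset passwords on the target OU. 'jdoe' is a constructed sample user.
Import-Module ActiveDirectory

function Set-PtaTemporaryPassword {
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [securestring] $OneTimePassword
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordNeverExpires, CannotChangePassword, LockedOut, Enabled

    # A disabled directory account fails PTA no matter what the password is.
    # Enabling it is a separate access decision, so stop here rather than do it silently.
    if (-not $user.Enabled) {
        throw "Account '$SamAccountName' is disabled; enable it deliberately before resetting the password."
    }

    # "Change at next logon" cannot take effect while the password never expires or the
    # user is barred from changing it; clear both flags so the forced change can complete.
    if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
        Set-ADUser -Identity $user -PasswordNeverExpires $false -CannotChangePassword $false
    }

    # Administrative reset (no old password required), then require a change at next logon.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $OneTimePassword
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # A forgotten password usually comes with a lockout; clear it so the one-time
    # password is not rejected by the directory's lockout policy.
    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }

    # Return the state to confirm before telling the user to sign in to Identity Security Cloud.
    # pwdLastSet is 0 exactly when the account is flagged to change its password at next logon.
    Get-ADUser -Identity $user -Properties pwdLastSet, PasswordExpired, LockedOut, Enabled |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
            @{ Name = 'MustChangeAtNextLogon'; Expression = { $_.pwdLastSet -eq 0 } }
}

# Usage: take the one-time value from the operator at run time rather than embedding it.
$otp = Read-Host -Prompt 'One-time password for jdoe' -AsSecureString
Set-PtaTemporaryPassword -SamAccountName 'jdoe' -OneTimePassword $otp
```

The function deliberately refuses to enable a disabled account: a helpdesk flow for resetting a forgotten password should not turn into a way to reactivate accounts. The returned object shows the fields worth checking before the user tries the one-time password, in particular that MustChangeAtNextLogon is True and LockedOut is False.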