Configuring IdentityNow to Use Pass-Through Authentication
Pass-through authentication (PTA) enables users to sign in to IdentityNow using their network password, which is usually tied to Active Directory or another primary account. This enables you to enforce password expiration policies within IdentityNow for users' network passwords.
IdentityNow supports the following authentication sources:
Azure Active Directory
SunOne (Oracle Directory Server Enterprise Edition)
Because PTA is configured on an identity profile, you must edit the authentication settings on specific identity profiles to support this option.
PTA authentication changes may be affected by lockout settings. Go to Global > Security Settings > Lockout Management and review or change the Incorrect Password Lockout Settings to match your PTA source and any related sync groups.
Choosing an Authentication Source
Once your site is in production and users are in the system, you should not change your authentication source without consulting support. Changing the authentication source may prevent users from authenticating to IdentityNow or to any federated apps they have access to.
After configuring a source for pass-through authentication, use your sandbox to test any changes you make to the source to ensure users do not lose the ability to sign in to the production site.
Configuring an Authentication Source
When initially setting up your IdentityNow configuration, you can choose not to select an authentication source. When you are ready to set your authentication source, only sources that can perform pass-through authentication will be visible during configuration.
Before you can configure an authentication source in your IdentityNow org, the source and its related accounts must have been aggregated at least once.
To configure an authentication source:
1. Go to Identities > Identity Profiles.
2. Select an Identity Profile name to edit it.
3. Under Sign-In Method, select Directory Connection.
4. In Authentication Source, select a source that corresponds to the identities loaded for the identity profile you selected in step two. Select Save.
Once your authentication source is saved, users will be able to sign in to IdentityNow using their network password tied to that source. If you have one or more apps that use the PTA source as their account source, changing the password on these apps will cause their IdentityNow password to change.
If a user's pass-through authentication account is disabled, the user can still change their account password, but the password on the source will not be changed. This means they will not be allowed to log in to that source. An administrator will need to enable the account before the user can change their source password.
Setting Temporary Passwords and Password Expiration Policies
When you configure PTA for an identity profile, IdentityNow can enforce the associated source's password expiration policies.
You might want to use this functionality if:
You have a new user and want them to change their password the first time they sign in to IdentityNow.
A user has forgotten their password and can't use any of the self-service password reset methods.
A user's network password has expired, but they usually work outside of the corporate domain or on a computer that doesn't allow them to change their domain password.
In these cases, you can set a one-time password for the user in your authentication source and require them to change their password at their next login.
Set a matching expiration period on the policy associated with your authentication source. For instructions, see Defining Password Expiration Settings.