There are two types of password authenticators available on Identity as a Service:
● Identity as a Service passwords
– Identity as a Service passwords are manually or automatically assigned to users on Identity as a Service.
– They are used to authenticate to an application.
– They must meet the password restrictions set in the Password Authenticator settings (see Modify password authenticator settings).
● Active Directory (AD) passwords
– Active Directory (AD) passwords are passwords that have already been assigned to a user on their corporate directory and not through Identity as a Service. AD password authentication requests are sent from Identity as a Service to the password agent on the gateway. The password agent uses the password entered by the user to authenticate that user with AD.
– Active Directory passwords can be used to authenticate to an application depending on the resource rule of the application. Users with an AD password can also have an Identity as a Service password assigned to them; however, during authentication, the password entered by the user is checked against their Active Directory account.
– AD passwords can be used to log in the same way that an Identity as a Service password is used. The user enters their AD password when prompted by Identity as a Service to log in to their account or application.
– Updates to passwords synchronized from a directory are reflected in IDaaS after directory synchronization occurs.
– The password restrictions set out by the password authenticator settings do not impact the AD passwords that can be used.
Note: RADIUS resource rules must be customized to match how Active Directory (AD) passwords are used to access the application. If the goal is for the VPN server to authenticate the AD password directly, then the VPN server must be configured accordingly, and the Identity as a Service resource rule must also be modified to have External Authentication selected as the First Factor authenticator. If the goal is to have AD passwords authenticated by Identity as a Service, Password must be selected as the First Factor authenticator for the resource rule.
The plaintext password from the client is passed to IDaaS over TLS 1.2+ to protect it in transit, with the exception of RADIUS clients configured to use MSCHAPv2, where a hash of the password is passed instead.
If the password to be authenticated is managed in your directory, the following occurs:
● The plaintext password is passed from IDaaS to your Enterprise Service Gateway. The password is protected in transit using TLS 1.2+.
● The agent on the Gateway validates the password by attempting an LDAP authentication request against your directory. The directory connection can be configured to use LDAPS.
If the password to be authenticated is managed in IDaaS, the following occurs:
● Passwords managed in IDaaS are stored either as a PBKDF2-derived value or as a cleartext password value. The cleartext password value is required if you are using MSCHAPv2 with RADIUS. In both cases, the IDaaS database is encrypted with per-tenant encryption keys.
● The password is validated by IDaaS.
Whether the password is managed in your directory or in IDaaS, the authentication response is processed in IDaaS and the authentication result is returned to the client.
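The two IDaaS storage modes described above, as an added illustration rather than Identity as a Service code: a one-way PBKDF2 record and a cleartext record both serve plain password verification, but only the cleartext record can yield the NT hash that MSCHAPv2 verification requires. The PRF, salt size and iteration count are assumptions, since the page states only "PBKDF2".

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters: the page names PBKDF2 but not the PRF, salt size or iteration count.
PBKDF2_PRF = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_pbkdf2(password: str) -> dict:
    """Store only a one-way PBKDF2 derivation with a random per-password salt."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "kind": "pbkdf2",
        "prf": PBKDF2_PRF,
        "iterations": PBKDF2_ITERATIONS,
        "salt": base64.b64encode(salt).decode("ascii"),
        "derived": base64.b64encode(derived).decode("ascii"),
    }


def store_cleartext(password: str) -> dict:
    """Store the password itself; only needed when MSCHAPv2 over RADIUS is in use."""
    return {"kind": "cleartext", "password": password}


def verify_password(record: dict, candidate: str) -> bool:
    """Plain password authentication works against either record type."""
    if record["kind"] == "pbkdf2":
        salt = base64.b64decode(record["salt"])
        expected = base64.b64decode(record["derived"])
        actual = hashlib.pbkdf2_hmac(record["prf"], candidate.encode("utf-8"), salt, record["iterations"])
        return hmac.compare_digest(actual, expected)  # constant-time comparison
    if record["kind"] == "cleartext":
        return hmac.compare_digest(record["password"].encode("utf-8"), candidate.encode("utf-8"))
    raise ValueError(f"unknown record kind {record['kind']!r}")


def nt_hash(record: dict) -> bytes:
    """MSCHAPv2 verification needs the NT hash, MD4(UTF-16LE(password)), which can
    only be computed from the cleartext password; a PBKDF2 record is one-way."""
    if record["kind"] != "cleartext":
        raise ValueError("MSCHAPv2 requires a cleartext password record")
    return hashlib.new("md4", record["password"].encode("utf-16-le")).digest()
```

`hashlib.new("md4")` depends on the OpenSSL build; on builds without MD4, that call fails for cleartext records too, which is a separate deployment issue.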
The password functionality available to administrators is based on their system-defined role, as described in the following table:
| Name of role | Password functionality available |
| --- | --- |
| Auditor | · View-only access to existing passwords and configured password settings. · Assign passwords to their own account from the user portal. |
| Super Administrator | · Complete control over the passwords assigned to users (including their password history). · Modify the password authenticator settings and the Resource rules that define when passwords are used. |
| Issuance Administrator | · Complete control over the passwords assigned to Identity as a Service Issuance users (including their password history). · Modify the password authenticator settings and the Resource rules that define when passwords are used. |
| Issuance Operator | · Can only reset their own password. |
| Help Desk Administrator | · Manage passwords assigned to other user accounts (including clearing the password history). · Cannot modify the password authenticator settings or the Resource rules related to them. |
| User-defined roles | · Password functionality available depends on the settings of each role. · Click the name of a user-defined role to determine the level of password functionality available. |