--- title: Pass-through Authentication node description: Authenticates an identity through a connector to a third-party service. component: auth-node-ref version: latest page_id: auth-node-ref::passthrough-authentication canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/passthrough-authentication.html keywords: ["Nodes & Trees", "Journeys", "Authentication", "User Profiles", "Migration", "Password", "Synchronization"] page_aliases: ["auth-node-passthrough-authentication.adoc"] superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/passthrough-authentication.html section_ids: example: Example availability: Availability connectors_that_support_pass_through_authentication: Connectors that support pass-through authentication outcomes: Outcomes configuration: Configuration --- # Pass-through Authentication node Authenticates an identity through a connector to a third-party service. This lets you migrate user profiles without forcing users to reset their passwords, or retain a third-party service indefinitely as the canonical store for authentication credentials. Before you use the node: * Configure the connector to the third-party service. Find more information in [Connector reference](https://docs.pingidentity.com/openicf/connector-reference/). * If you plan to collect credentials in the identity repository for users, synchronize accounts from the third-party service. Find more information in [Sync identities](https://docs.pingidentity.com/pingoneaic/identities/sync-identities.html). Use this node after collecting the authentication credentials. Implement a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) earlier in the journey. Pass the credentials to this node to authenticate the identity against the service. ## Example The following example requires a Ping Identity Platform deployment. Before trying this example, synchronize accounts from the third-party service. The example shows a login flow that tries pass-through authentication when local authentication fails, and stores the user password when authentication with the third-party service succeeds. In this example, the user enters their credentials with the [Platform Username node](platform-username.html) and [Platform Password node](platform-password.html). The [Data Store Decision node](data-store-decision.html) authenticates against the platform directory service. On failure, authentication passes through to the third-party service. If authentication with the third-party service is successful, the [Identify Existing User node](identify-existing-user.html) and [Required Attributes Present node](required-attributes-present.html) check for a valid user profile. The [Patch Object node](patch-object.html) updates the user's profile with the successful password: ![Pass-through authentication that updates user credentials](_images/trees-node-passthrough-authentication-example-platform.png) > **Collapse: Node connections** > > **List of node connections** > > | Source node | Outcome path | Target node | > | ------------------------------------------------------------- | ------------- | --------------------------- | > | Page Node containing:- Platform Username > > - Platform Password | → | Data Store Decision | > | Data Store Decision | True | Increment Login Count | > | | False | Pass-through Authentication | > | Pass-through Authentication | Authenticated | Identify Existing User | > | | Missing Input | Page Node | > | | Failed | Failure | > | Identify Existing User | True | Required Attributes Present | > | | False | Increment Login Count | > | Required Attributes Present | True | Patch Object | > | | False | Increment Login Count | > | Patch Object | Patched | Increment Login Count | > | | Failed | Increment Login Count | > | Increment Login Count | → | Inner Tree Evaluator | > | Inner Tree Evaluator | True | Success | > | | False | Failure | ## Availability | Product | Available? | | ------------------------------------- | ---------- | | PingOne Advanced Identity Cloud | Yes | | PingAM (self-managed) | Yes 1 | | Ping Identity Platform (self-managed) | Yes | 1 This functionality requires that you configure AM as part of a [Ping Identity Platform deployment](https://docs.pingidentity.com/platform/8.1/sample-setup/). ## Connectors that support pass-through authentication The following connectors support pass-through authentication using the [`AuthenticateOp` interface](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-authenticate.html) by default: * [LDAP connector](https://docs.pingidentity.com/openicf/connector-reference/ldap.html) * [CSV file connector](https://docs.pingidentity.com/openicf/connector-reference/csv.html) * [Database Table connector](https://docs.pingidentity.com/openicf/connector-reference/dbtable.html) * [Microsoft Graph API Java connector](https://docs.pingidentity.com/openicf/connector-reference/ms-graph-api.html) * [Scripted SQL connector](https://docs.pingidentity.com/openicf/connector-reference/scripted-sql.html) | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | All [Scripted Groovy](https://docs.pingidentity.com/openicf/connector-reference/groovy.html)-based connectors are capable of pass-through authentication if the `AuthenticateScript.groovy` script is implemented, but the only default implementation is the ScriptedSQL connector. Learn more in [Authenticate script](https://docs.pingidentity.com/openicf/connector-dev-guide/scripts/script-authenticate.html) and [Authenticate operation](https://docs.pingidentity.com/openicf/connector-dev-guide/operations/operation-authenticate.html). | ## Outcomes * `Authenticated` * `Missing Input` * `Failed` ## Configuration | Property | Usage | | ------------------ | ---------------------------------------------------------------------------------------- | | System Endpoint | Required. Name of the connector to the third-party service that performs authentication. | | Object Type | The OpenICF object type for the object being authenticated.Default: `account` | | Identity Attribute | The username attribute for authentication.Default: `userName` | | Password Attribute | The password attribute for authentication.Default: `password` |