Username password authentication in the Loginapp REST API

This article describes how to configure username/password authentication in the authentication flows of the Loginapp REST API and links to other password-related features.


Username Password Authentication Step / Password-only Authentication Step

The Username Password Authentication Step checks the username and password. It is typically placed as one of the first steps in an authentication flow, where it acts as the first authentication factor. The step identifies the user and offers the additional features listed below.

The same features are supported by the Password-only Authentication Step, which can be used to check the password separately from a user-identifying step.

Feature/Property: Policy To Check On Login
Description: If a policy is specified, the password check step checks whether the verified password fulfills the policy. If it does not, the user is forced to change the password (by raising the red flag for password change).

This feature is useful when changing an existing password policy: the policy is primarily enforced when the end-user sets a new password, and this feature makes sure that users with existing passwords meet the new policy at their next login.

Note: In general, it is recommended to configure the same policy as for user self-registration, password reset, and password change. This maintains a consistent level of password security.

Feature/Property: Password Change Red Flag
Description: This setting specifies which red flag to raise after successful password verification when a mandatory password change is required. Reasons for a mandatory password change include the password policy (see above), the use of an initial password, and similar conditions.

The red flag causes the authentication flow to fail if no subsequent step handles it, thereby enforcing the password change within the flow. Typically the Mandatory Password Change Step handles the password change and lowers the red flag.
If you deviate from the default value, make sure that the corresponding Mandatory Password Change Step handles the same red flag.

Note the link to the voluntary password change below.
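The red-flag mechanism described above, as an added illustration that is not Airlock IAM code: a password check step that enforces a policy on login raises a flag after successful verification, the flow fails if the flag is still raised at the end, and a Mandatory Password Change Step lowers only the flag it is configured for. The flag name, the user store, the policy rule and all step functions are assumptions made for this example.

```python
# Added example (not Airlock IAM code): minimal model of red-flag handling
# in an authentication flow. Users, hashes and the flag name are constructed.
import hashlib
import hmac
import re

FLAG = "PASSWORD_CHANGE_REQUIRED"  # hypothetical default red flag name


def pw_hash(password, salt):
    # Repository stores a salted hash only; pbkdf2 is used here for illustration.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store, as a Default Password Repository would see it.
USERS = {
    "alice": {"salt": b"salt-alice", "hash": pw_hash("winter2019", b"salt-alice")},
    "bob": {"salt": b"salt-bob", "hash": pw_hash("Correct-Horse-42", b"salt-bob")},
}


def policy_ok(password):
    # Assumed "Policy To Check On Login": 12+ chars, one digit, one upper-case letter.
    return (len(password) >= 12 and re.search(r"\d", password) is not None
            and re.search(r"[A-Z]", password) is not None)


def username_password_step(username, password, check_policy=True, flag=FLAG):
    """Verify the password; if the verified password fails the policy, raise the flag."""
    def step(flow):
        rec = USERS.get(username)
        if rec is None or not hmac.compare_digest(rec["hash"], pw_hash(password, rec["salt"])):
            flow["failed"] = True  # wrong user or password: flow fails immediately
            return flow
        flow["user"] = username
        if check_policy and not policy_ok(password):
            flow["red_flags"].add(flag)
        return flow
    return step


def mandatory_password_change_step(handled_flag=FLAG):
    """Lower the configured flag only; a flag with another name stays raised."""
    def step(flow):
        if handled_flag in flow["red_flags"]:
            flow["red_flags"].discard(handled_flag)
            flow["password_changed"] = True  # password change would happen here
        return flow
    return step


def run_flow(steps):
    """Run steps in order; the flow succeeds only if no red flag remains raised."""
    flow = {"user": None, "red_flags": set(), "failed": False, "password_changed": False}
    for step in steps:
        flow = step(flow)
        if flow["failed"]:
            break
    flow["ok"] = not flow["failed"] and not flow["red_flags"]
    return flow
```

Running `run_flow([username_password_step("alice", "winter2019"), mandatory_password_change_step("OTHER_FLAG")])` shows the misconfiguration warned about above: the flag stays raised and the flow fails although the password was correct.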

Password repositories

The service that actually checks the password is called a Password Repository in Airlock IAM, and several password repository implementations are available (the following table is not exhaustive):

Plugin: Default Password Repository
Description: Use this plugin if the IAM database is used. Airlock IAM automatically loads the user information, including the password hash, when identifying the user. This plugin checks the password based on that information and does not have to access the database again.

Plugin: External Database Password Repository
Description: Use this plugin if password hashes are stored in a database other than the default IAM database. It causes extra calls to the specified database for the password check.

Plugin: Default End-To-End Encryption Password Repository
Description: Used for the password end-to-end encryption feature. See the separate documentation link below.

Plugin: Active Directory Password Repository
Description: Used to check the password against a Microsoft Active Directory (MSAD).

Plugin: LDAP Password Repository
Description: Used to check the password against an LDAP directory.

Plugin: RADIUS Password Repository
Description: Checks the password by calling a RADIUS interface of a third-party system.

Note that this plugin is limited to verifying passwords. Password change and policy checks are not supported.