Handle Network Failure in Delegated Authentication
To avoid these kind of situations, Oracle Identity Cloud Service provides you with a network failure handling functionality. This functionality helps users to login with Active Directory credentials even when Oracle Identity Cloud Service is not able to reach the Oracle Identity Cloud Service Active Directory (AD) Bridge.
You configure delegated authentication for a bridge in Oracle Identity Cloud Service so that a user can use their Active Directory password to authenticate into Oracle Identity Cloud Service.
If AD Bridge is not reachable, then users are unable to validate their credentials with Active Directory and therefore cannot login into Oracle Identity Cloud Service. Your Active Directory is not reachable for a number of reasons. This could be due to network connectivity between AD Bridge and Oracle Identity Cloud Service is down.
To avoid this situation, Oracle Identity Cloud Service provides the local password caching functionality to perform local authentication in case AD Bridge is not reachable. This functionality helps delegated users to login into Oracle Identity Cloud Service even if AD Bridge is not reachable. For security reasons, this password is stored in hashed form in Oracle Identity Cloud Service.
It is important to make sure that the lifetime of this cache password in Oracle Identity Cloud Service is limited. You can configure the maximum duration (5 days) you set to cache the password on Oracle Identity Cloud Service. For example, if your network connectivity is down and you have set the cache password duration to 2 days, then it will enable users to login to Oracle Identity Cloud Service for only 2 days. However, if Active Directory is still not reachable for longer than the specified duration, then you will not be able to login to Oracle Identity Cloud Service.
In order to guard against the possibility that someone can use brute force attacks to access your account, you can limit the number of unsuccessful password attempts during password caching in Oracle Identity Cloud Service. After several failed attempts, Oracle Identity Cloud Service locks your user account. There is a limit of 5 which is configurable.
-
A user cannot change their own password
-
A user cannot reset their own password by validating the token
-
A user cannot change their own email address
-
An administrator cannot change a user's password to a known value
-
An administrator cannot reset a user's password whose password is authenticated by Active Directory
However, if you recently changed a password in Active Directory, then you can login to Oracle Identity Cloud Service with that password while connectivity is down, provided you have already login to Oracle Identity Cloud Service while Active Directory was available.
Note:
Sometimes, you might encounter a system error even if you provide a correct password. This is either because the password cache is empty or because the password has expired.
Activate Local Password Caching
You must activate the local password caching functionality to enable delegated authentication users to login intoOracle Identity Cloud Service in case Microsoft Active Directory is not reachable.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Delegated Authentication.
- Expand the node to the left of the AD Bridge for which you want to activate password cache.
- Turn On the Do you want to activate password cache switch.
- Set the duration you want to cache this password in Cache password duration (days).
- Select how many unsuccessful password attempts that you want during password caching in No of unsuccessful password attempts during Password Caching.
- Click Save.