AD User Desync

tomaslindev
Mega Guru

Hi everyone

Currently our instance is synchronized with the AD through the LDAP Server, Source and SSO Source fields. The client needs to maintain the synchronization of this data in other auxiliary fields and desynchronize the users from the AD so that they can access the instance locally. Is this feasible, taking into account the passwords of each user?
Thank you very much and best regards.

1 ACCEPTED SOLUTION

Cleaning all that stuff up is not necessary.

Back to the problem, I guess you should do a few things:

  1. Define a role and assign it to all users who are allowed to log on locally (preferably through group membership, of course).
    For the sake of this example let's name the role "u_local_principal" and the group "Local Principals"
  2. Go to Adaptive Authentication -> Filter Criteria -> Role Filter Criteria and create a new record, where "Condition" will be [ "Role" "is" "u_local_principal" ].
    For the sake of this example let's name the new filter criteria "Local Principals"
    To be frank you might also go to Adaptive Authentication -> Filter Criteria -> Group Filter Criteria to create a group based filter criteria, but role can be used in more places throughout the platform, so I'd make the settings role based.
  3. Go to Adaptive Authentication -> Authentication Policies -> All Policies and open record with name "Allow Non Local Login Users"
    • Modify the "Policy Inputs" related list by adding the Filter Criteria defined @ point 2 - "Local Principals".
    • Open record "Allow Non Local Login Users" in related list "Policy Conditions" and update field Condition by adding an "OR" to it: [ "Local Principals" "is" "true" ].
      So the final Condition would look like:
      [ "Authentication Scheme" "is not" "Username and Password" ]
      or [ "Local Principals" "is" "true" ]

After this, granted that there are no other custom rules that nullify the one just configured, those users who are made members of group "Local Principals" and thus obtain role "u_local_principal" should be able to log in locally with username or password.

Hint: if you want to be able to distinguish between real "User name or password invalid" errors and ones caused by Authentication Policies, you can go to Adaptive Authentication -> Authentication Policies -> Properties and change property "Error message to be displayed to the user when login fails due to authentication policy failure" so that it will be some different recognizable text.
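As an added illustration (not from the original post and not ServiceNow's own code), the following stand-alone JavaScript models the final policy condition above and audits a constructed set of user records for the lockout case in this thread: users whose AD link fields were cleared but who never received the local-login role. The field names are assumed to mirror the sys_user fields named in the thread, and the policy model is a simplification, not the platform's evaluator.

```javascript
// Added example: models the edited "Allow Non Local Login Users" condition
// and audits which de-synchronized users would still be blocked.
// This is NOT ServiceNow's policy engine; it is a stand-alone model.

const LOCAL_ROLE = "u_local_principal";

// Fields the thread clears to desynchronize a user from AD (assumed sys_user names).
const AD_LINK_FIELDS = ["ldap_server", "source", "federated_id", "sso_source"];

// A user counts as de-synchronized when every AD link field is empty.
function isDesynced(user) {
  return AD_LINK_FIELDS.every((f) => !user[f]);
}

// Role filter criteria "Local Principals": Role is u_local_principal.
function isLocalPrincipal(user) {
  return (user.roles || []).includes(LOCAL_ROLE);
}

// Policy condition after the edit in step 3:
//   [Authentication Scheme is not "Username and Password"]
//   or [Local Principals is true]
function allowNonLocalLoginUsers(user, authScheme) {
  return authScheme !== "Username and Password" || isLocalPrincipal(user);
}

// Defender's audit: de-synchronized users who would be rejected at the password form.
function findLockedOutUsers(users) {
  return users
    .filter((u) => isDesynced(u) && !allowNonLocalLoginUsers(u, "Username and Password"))
    .map((u) => u.user_name);
}

// Constructed sample records (not real data).
const SAMPLE_USERS = [
  { user_name: "alice", ldap_server: "", source: "", federated_id: "", sso_source: "", roles: ["itil", LOCAL_ROLE] },
  { user_name: "bob",   ldap_server: "", source: "", federated_id: "", sso_source: "", roles: ["itil"] },
  { user_name: "carol", ldap_server: "ldap01", source: "ldap:carol", federated_id: "carol@corp", sso_source: "sso_corp", roles: ["itil"] },
];

console.log("Locked out after desync:", findLockedOutUsers(SAMPLE_USERS)); // ["bob"]
```

Running the audit before the role is assigned reproduces the symptom from the follow-up post: the password is stored correctly, yet the policy rejects the local login.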


8 REPLIES

I have created a test flow to unsynchronize users from AD by leaving the user's LDAP Server, Source, Federated ID and SSO Source fields empty (to desynchronize them from the AD) through an Update User Record, and then creating a password, setting it in the user field and later sending it through email. The problem I have is exactly what you tell me: when I try to access with the user data and the password from the email I can't log in. I have accessed the XML of the user form and in the "user_password" field the password that I generate is saved correctly. The error is caused by adaptive authentication/password recovery that I have not disabled; where is it done?


Thank you very much for your help, I will apply everything you have told me.

You're most welcome, I hope it works out for you 🙂