[IdP] What password is stored on automatic user provisioning?
idp
Forge component by Rui Barbosa
Application Type
Traditional Web

I'm using the IdP module with Azure AD as Identity Provider. 

When users are auto-provisioned, what password is stored in OutSystems?
I can tell from the System/Users table that something is stored, but it's not the Microsoft password, as I can't use this to sign in to other OutSystems apps.

Judging from the code in the IdP module, it would seem as though nothing is stored, since the Password attribute is never given a value:

So, is it some kind of default password?

Solution

Hi @Johan Åström,

As you were able to check on the code, when the user is created, the password is not set for the user. In fact, the IdP component is not able to get the user password since the password is only entered on the login page of the external Identity Provider.

What I suspect might have happened in your example is that the user that you are authenticating with the IdP component already existed. In that case, only the name and email, but not the password, are updated.
If the user already had a password set, it will still be there on the password field with the platform salted hash.

Regards,


Hi Johan,

The User entities in Systems are shared by OutSystems or External Users from the other SSO.

If it is an OutSystems User the password attribute is set and is always encrypted. But when we are using external SSO, the users are only a bind for the real users stored in the external system.

So, in this case, no password will be stored on the OutSystems side, only in the SSO. It is the responsibility of the SSO provider you are using to do the proper authentication and when we receive the callback in OutSystems we do the login directly without the need to know the password.


Best regards,

Fabio




I see, however, when users are auto-provisioned by the IdP, I can see a hashed string in the password attribute of the created user in the Users table, so a password is clearly generated and stored.

The reason I need to know this is because I want the users of the organization I'm working with to be able to authenticate with basic auth to e.g. REST APIs that I'm exposing in the application using their Microsoft credentials; this authentication has to be done with an OutSystems user, and therefore I would like the provisioned OS user to mirror the AD user in both Username and Password.


You're spot on - upon investigating, it turns out somebody had manually created a password for the provisioned user.

Thank you for your input!
