Password migration
The OneWelcome Identity Platform supports migrating hashed passwords from old identity and access management systems.
If the old passwords were hashed using any of the following algorithms, then migration is straightforward, and your users do not have to change their passwords:
- 3DES
- AES
- BASE64
- BLOWFISH
- CLEAR
- CRYPT
- MD5
- PBKDF2
- RC4
- SHA
- SMD5
- SSHA
- SSHA256
- SSHA384
- SSHA512
- RSSHA1
- RSMD5
Just-in-time user password migration
If the old passwords were hashed with a legacy algorithm that is not in the list above, they are migrated through a process called just-in-time user password migration. This process migrates each password when the user logs in for the first time and, at the same time, stores it in the credential store hashed with the platform's current algorithm.
The benefit of this migration process is that users don't have to change their passwords. They can continue using their existing passwords, which are now stored with a new and strong algorithm.
You can run this migration process for a defined period of time. Once a satisfactory percentage of the user population has been migrated, you can terminate the process; from then on, all users are authenticated against the OneWelcome Identity Platform credential store.
For this migration process, you must provide an API that connects to your credential store and validates the credentials. The OneWelcome Identity Platform does not make any point-to-point connection to your credential store itself; it only calls your API.
How just-in-time user password migration works
First, all user data is migrated without the passwords. The complete user identity information is migrated into the identity store, including personal details, email, and so on.
When the user logs in for the first time, they enter their username and password. The OneWelcome Identity Platform uses your API to validate the credentials. If the API responds that the credentials are valid and the user is authenticated, the OneWelcome Identity Platform hashes the password and patches it for the corresponding user in the identity and credential stores. The next time that the user logs in, their credentials are verified against this credential store.
As more users log in for the first time, the process repeats: your API validates their credentials, and the platform then hashes each password and patches the user's record in the OneWelcome Identity Platform stores.
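The following is an added example, not OneWelcome code, that models the just-in-time flow described above end to end. The legacy side is a constructed stand-in for an old credential store that keeps LDAP-style {SSHA} hashes (one of the formats in the list at the top of the page), fronted by a hypothetical `legacy_validate_api` that plays the role of the validation API you must provide. The platform side is a minimal model of the identity store (profiles, migrated first without passwords) and the credential store (new hashes): on a user's first login it calls the API, and only when the API confirms the credentials does it re-hash the password with a strong algorithm and patch the credential store; later logins are verified locally and never touch the API. PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumed choice for "the latest algorithm"; the page does not name the platform's actual algorithm or parameters, nor the API contract.

```python
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# ---- Legacy side: constructed stand-in for the old IAM credential store ----
# It keeps LDAP-style {SSHA} hashes: base64(sha1(password + salt) + salt).

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample legacy records (username -> {SSHA} hash); fixed salts keep them reproducible.
LEGACY_STORE: Dict[str, str] = {
    "alice": make_ssha("correct horse battery staple", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "bob": make_ssha("hunter2", salt=b"saltsalt"),
}


def legacy_validate_api(username: str, password: str) -> bool:
    """Hypothetical customer-provided validation API: True only for valid credentials."""
    stored = LEGACY_STORE.get(username)
    return stored is not None and verify_ssha(password, stored)


# ---- Platform side ----
PBKDF2_ITERATIONS = 600_000  # assumed target algorithm and work factor, not the platform's own


def hash_pbkdf2(password: str) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_pbkdf2(password: str, stored: str) -> bool:
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


@dataclass
class Platform:
    """Minimal model: identity store holds profiles, credential store holds new hashes."""
    identity_store: Dict[str, dict] = field(default_factory=dict)
    credential_store: Dict[str, str] = field(default_factory=dict)
    migration_window_open: bool = True  # set to False when you terminate the migration
    legacy_api_calls: int = 0

    def login(self, username: str, password: str) -> str:
        """Returns 'authenticated' (local hash), 'migrated' (first login) or 'denied'."""
        if username not in self.identity_store:  # profile must have been migrated first
            return "denied"
        new_hash = self.credential_store.get(username)
        if new_hash is not None:
            # Already migrated: verify against the platform credential store only.
            return "authenticated" if verify_pbkdf2(password, new_hash) else "denied"
        if not self.migration_window_open:
            return "denied"
        # First login during the migration window: ask the customer-provided API.
        self.legacy_api_calls += 1
        if not legacy_validate_api(username, password):
            return "denied"  # nothing is stored for a failed validation
        # Valid: hash with the strong algorithm and patch the credential store.
        self.credential_store[username] = hash_pbkdf2(password)
        return "migrated"


if __name__ == "__main__":
    platform = Platform(identity_store={"alice": {"email": "alice@example.com"}})
    print(platform.login("alice", "correct horse battery staple"))  # migrated
    print(platform.login("alice", "correct horse battery staple"))  # authenticated
```

Two details worth noting in the model: a failed API validation stores nothing, so a wrong guess during the window cannot plant a hash for the user, and once `migration_window_open` is False an unmigrated user is refused rather than silently routed back to the legacy API, which is the behaviour the page describes after you terminate the process.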