Migrating service accounts from password to client credentials authentication
Learn how to migrate your service accounts from password-based authentication to client credentials authentication.
Service accounts authenticate to an API without a human present, for machine-to-machine (M2M) communication. The OAuth 2.0 standard defines the client credentials grant for exactly this case, a client acting on its own behalf rather than on behalf of a user, and that grant is the recommended authentication method for service accounts. Migrating service accounts from password to client credentials in Reltio improves security and streamlines authentication. Here's an overview of the key concepts, the migration process, and its implications.
Passwords vs. Client credentials
Password-based service accounts: These are regular, non-SSO Reltio user accounts that log in with single-factor authentication (a user name and password). They are subject to your organization's password policy, including requirements for password complexity, rotation, and other security measures, so their credentials must be maintained on the same schedule as human users' passwords.
Client credentials service accounts: Often referred to as client IDs and secrets, or API keys, these are not user accounts and are not subject to your organization's password policy. The secret is a long, randomly generated string, which makes it intrinsically stronger than a password chosen by a human. It is still a credential: keep it in a secret store rather than in source code or configuration files, and rotate it if it is ever exposed.
Impact of not migrating
As Reltio raises the security baseline for all customers, Single Sign-On (SSO) becomes the default recommended authentication method, and Multi-Factor Authentication (MFA) becomes mandatory for any user not covered by SSO. Both require a human to complete an interactive step before an access token is issued, which makes them unsuitable for machine-to-machine operations.
Client credentials are the only single-factor authentication method allowed for machine-to-machine communication.
Migration to client credentials
Here are the steps to migrate:
- Identify service accounts: Identify the existing password-based accounts that automated processes use and that therefore need to be migrated.
- Create client credentials: Follow the Reltio process to create a new client ID and secret for each service account.
- Change authentication at the origin: Update the systems that call the Reltio API so that they request access tokens with the client ID and secret instead of a user name and password.
- Monitor: Implement monitoring to confirm that the new client credentials work correctly and securely, and that the old password-based accounts are no longer in use before you disable them.
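The token requests behind the "change authentication at the origin" step, as an added example that is not part of the original page and not Reltio's own client code. It implements the OAuth 2.0 client credentials grant (RFC 6749, section 4.4) with HTTP Basic client authentication (section 2.3.1), shows the retired password grant body beside it for comparison, and caches the token until shortly before expiry so a busy job does not hit the token endpoint on every API call. The token endpoint URL, the client ID and the secret are placeholders (assumptions, not Reltio values); use the endpoint from your tenant's documentation and read the secret from a secret store or the environment, never from source.

```python
"""Token acquisition for a service account after migration: the OAuth 2.0
client credentials grant (added example; standard library only). The
endpoint and credentials below are placeholders, not Reltio values."""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.example.com/oauth/token"  # assumed placeholder endpoint


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1): both values
    are form-url-encoded, joined with ':' and base64-encoded."""
    cid = urllib.parse.quote(client_id, safe="")
    sec = urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(f"{cid}:{sec}".encode()).decode()


def password_grant_body(username: str, password: str) -> bytes:
    """The 'before' request body: a user name and password travel in every
    token request, so the account is bound to the password policy and, once
    MFA is mandatory, can no longer obtain a token non-interactively."""
    return urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()


def build_token_request(client_id, client_secret, token_url=TOKEN_URL, scope=None):
    """The 'after' request (RFC 6749 section 4.4): the client authenticates
    itself in the Authorization header; no user credentials appear anywhere."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return token_url, headers, urllib.parse.urlencode(form).encode()


def http_post_json(url, headers, body):
    """Default transport: POST the form and parse the JSON token response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenClient:
    """Obtains an access token with client credentials and caches it until
    `renew_skew` seconds before expiry. `post` and `clock` are injectable so
    the logic can be exercised offline."""

    def __init__(self, client_id, client_secret, token_url=TOKEN_URL,
                 post=http_post_json, clock=time.time, renew_skew=60):
        self._client_id = client_id
        self._client_secret = client_secret
        self._token_url = token_url
        self._post = post
        self._clock = clock
        self._renew_skew = renew_skew
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0  # how often the endpoint was called (for monitoring)

    def get_token(self) -> str:
        now = self._clock()
        if self._token and now < self._expires_at - self._renew_skew:
            return self._token
        url, headers, body = build_token_request(
            self._client_id, self._client_secret, self._token_url)
        self.token_requests += 1
        payload = self._post(url, headers, body)
        if "access_token" not in payload:
            # Surface only the server's error code; never log the secret or
            # the Authorization header.
            raise RuntimeError(
                f"token request failed: {payload.get('error', 'unknown_error')}")
        self._token = payload["access_token"]
        # A missing expires_in makes the token expire at once, forcing renewal
        # on the next call rather than reusing a token of unknown lifetime.
        self._expires_at = now + float(payload.get("expires_in", 0))
        return self._token

    def auth_header(self) -> dict:
        """Header to attach to API calls once a token has been obtained."""
        return {"Authorization": f"Bearer {self.get_token()}"}
```

For monitoring, the `token_requests` counter and the `RuntimeError` (which carries only the server's `error` code) are the two signals worth exporting: a sudden rise in token requests means the cache is not being honoured, and repeated `invalid_client` errors after a rotation mean a caller is still using the old secret.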
Temporary exemption
Immediately after the MFA capabilities are released, Reltio will make a best-effort attempt to identify your service accounts automatically and place them in the SERVICE_ACCOUNTS group. This group is excluded from MFA, so you can adopt MFA quickly without disrupting existing automated processes. The identification is not deterministic, however: Reltio uses behavioral analysis to recognise service accounts, so you must still review the group's membership yourself, confirming that every automated account is included and that no human user has been classified as a service account.
Need Help?
If you encounter any issues or have questions during this process, contact us; see the topic Need some help?.