Adding forced password reset?

Paul Hethmon paul.hethmon at
Thu Apr 17 12:54:17 EDT 2014

On Apr 17, 2014, at 12:18 PM, Wessel, Keith <kwessel at> wrote:

> Is that going to be my best option? Or is there a better way to go? Keep in mind that our password reset page is, in fact, Shibboleth-protected. So, whatever I do would need to not stop the user if the service requesting authentication was the password reset page.

Having the change password page behind SSO can leave a hole open to the forced password change. User logs in, gets Shib session, directed to change password. Simply ignores it and accesses their original target. Previous session handler sends them to the original target. Just be aware it's a circumstance you have to allow for.


Paul Hethmon
Chief Software Architect
paul.hethmon at
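
The gap described in this message, as an added example that is not part of the original post and is not Shibboleth code: a toy model of an IdP's SSO decision, in which the entity IDs and all function names are hypothetical. It contrasts a forced change that exists only as a redirect at login with a check made on every assertion request that exempts only the password reset page.

```python
# Toy model of an IdP's SSO decision (added example; not Shibboleth's API).
from dataclasses import dataclass

RESET_SP = "https://reset.example.edu/shibboleth"  # constructed: reset page SP
WIKI_SP = "https://wiki.example.edu/shibboleth"    # constructed: original target

@dataclass
class Account:
    username: str
    must_change_password: bool = False

@dataclass
class IdPSession:
    account: Account

def login(account, requesting_sp):
    """Authenticate, create the SSO session, and decide where to send the user."""
    session = IdPSession(account)
    if account.must_change_password:
        return session, ("redirect", RESET_SP)
    return session, ("assert", requesting_sp)

def sso_naive(session, requesting_sp):
    """Redirect-only enforcement: an existing session is honoured for any SP."""
    if session is None:
        return ("authenticate", None)
    return ("assert", requesting_sp)

def sso_checked(session, requesting_sp):
    """Re-check the flag on every request; only the reset page is exempt."""
    if session is None:
        return ("authenticate", None)
    if session.account.must_change_password and requesting_sp != RESET_SP:
        return ("redirect", RESET_SP)
    return ("assert", requesting_sp)

def complete_reset(account):
    """Called by the reset page once the new password is stored."""
    account.must_change_password = False

if __name__ == "__main__":
    acct = Account("alice", must_change_password=True)
    session, first = login(acct, WIKI_SP)
    print("at login:          ", first)
    print("ignore it, naive:  ", sso_naive(session, WIKI_SP))
    print("ignore it, checked:", sso_checked(session, WIKI_SP))
    print("reset page itself: ", sso_checked(session, RESET_SP))
    complete_reset(acct)
    print("after reset:       ", sso_checked(session, WIKI_SP))
```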
