Adding forced password reset?
Paul Hethmon
paul.hethmon at clareitysecurity.com
Thu Apr 17 12:54:17 EDT 2014
On Apr 17, 2014, at 12:18 PM, Wessel, Keith <kwessel at illinois.edu> wrote:
> Is that going to be my best option? Or is there a better way to go? Keep in mind that our password reset page is, in fact, Shibboleth-protected. So, whatever I do would need to not stop the user if the service requesting authentication was the password reset page.
Having the change password page behind SSO can leave a hole open to the forced password change. User logs in, gets Shib session, directed to change password. Simply ignores it and accesses their original target. Previous session handler sends them to the original target. Just be aware it's a circumstance you have to allow for.
Paul
Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com
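The gap Paul describes (user authenticates, is sent to the reset page, ignores it and re-requests the original target, and the existing-session path releases them) can be closed by running the forced-reset check on every SSO request, not only inside the login handler, while still letting the Shibboleth-protected reset page itself through. The following is an added, constructed illustration of that decision logic; it is not Shibboleth IdP code or anything posted in this thread. The entity IDs, the `Directory` flag store and the `sso_decision` function are made-up stand-ins for the IdP's relying-party resolution and attribute lookup.

```python
"""
Constructed illustration (not Shibboleth IdP code): an SSO authentication
decision that enforces a forced password reset on *every* request,
including requests satisfied from an existing session, so that a user who
ignores the redirect and re-requests the original target is still sent
back to the password reset page. Entity IDs and flag names are made up.
"""
from dataclasses import dataclass, field

# Hypothetical entity ID of the Shibboleth-protected password reset page.
PASSWORD_RESET_SP = "https://reset.example.edu/shibboleth"


@dataclass
class Session:
    user: str
    authenticated: bool = False


@dataclass
class Directory:
    """Stand-in for the attribute store that carries the per-user flag."""
    must_reset: dict = field(default_factory=dict)

    def needs_reset(self, user: str) -> bool:
        return self.must_reset.get(user, False)

    def clear(self, user: str) -> None:
        self.must_reset[user] = False


def sso_decision(session: Session, relying_party: str, directory: Directory) -> str:
    """Return what the IdP should do with an SSO request.

    'login'   -- no session yet, run the login handler first
    'reset'   -- deliver the user to the password reset SP instead
    'release' -- issue the assertion to the requested relying party
    """
    if not session.authenticated:
        return "login"
    # The check sits after session lookup rather than only inside the
    # login handler; that is what closes the gap: a user with a live
    # session who re-requests the original target is redirected again.
    if directory.needs_reset(session.user) and relying_party != PASSWORD_RESET_SP:
        return "reset"
    return "release"


def simulate_ignored_reset() -> list:
    """Replay the sequence from the thread and record each decision."""
    directory = Directory(must_reset={"alice": True})   # constructed user/flag
    session = Session(user="alice")
    target = "https://wiki.example.edu/shibboleth"      # constructed original target
    trace = []

    trace.append(sso_decision(session, target, directory))   # no session yet -> 'login'
    session.authenticated = True                             # login handler succeeds
    trace.append(sso_decision(session, target, directory))   # flag set -> 'reset'
    # User ignores the reset page and re-requests the original target with
    # the existing session: still 'reset', not 'release'.
    trace.append(sso_decision(session, target, directory))
    # The reset page itself must stay reachable, or the user is stuck.
    trace.append(sso_decision(session, PASSWORD_RESET_SP, directory))
    directory.clear("alice")                                 # password changed
    trace.append(sso_decision(session, target, directory))   # flag cleared -> 'release'
    return trace


if __name__ == "__main__":
    print(simulate_ignored_reset())
```

The important design choice is where the check runs: a check that lives only in the login handler fires once per session, and the previous-session handler never consults it again, which is exactly the path a user exploits by ignoring the redirect. Clearing the flag only after the reset SP reports a successful change is assumed here; the simulation simply flips it.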