Adding forced password reset?

Cantor, Scott cantor.2 at osu.edu
Thu Apr 17 12:57:37 EDT 2014


On 4/17/14, 12:54 PM, "Paul Hethmon" <paul.hethmon at clareitysecurity.com>
wrote:
>
>Having the change password page behind SSO can leave a hole open to the
>forced password change. User logs in, gets Shib session, directed to
>change password. Simply ignores it and accesses their original target.
>Previous session handler sends them to the original target. Just be aware
>it's a circumstance you have to allow for.

Yeah, "force" is something only the authentication system can impose, but
reminding is what we do. My custom handler contribution includes a
submodule that detects password age based on a resolved attribute and
drops a cookie to track reminders every so many hours.

-- Scott
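The reminder logic Scott describes (password age derived from a resolved attribute, a cookie that throttles reminders to once every so many hours) as an added illustration in Python; it is not the Shibboleth SP handler code and assumes a hypothetical attribute named `pwdChangedTime` carrying an ISO 8601 timestamp, a cookie named `pwreminder` holding the epoch seconds of the last reminder, and constructed policy values of 90 days and 24 hours:

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed policy values for the illustration (not Shibboleth settings).
MAX_PASSWORD_AGE = timedelta(days=90)
REMIND_EVERY = timedelta(hours=24)
COOKIE_NAME = "pwreminder"          # assumed cookie name
ATTRIBUTE_NAME = "pwdChangedTime"   # assumed resolved-attribute name


def _parse_iso(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are taken as UTC."""
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def password_age(attributes: Dict[str, str], now: datetime) -> Optional[timedelta]:
    """Derive the password age from the resolved attribute.

    Returns None when the attribute is missing or unparseable so that the
    caller fails quiet (no reminder) rather than breaking the session."""
    raw = attributes.get(ATTRIBUTE_NAME)
    if not raw:
        return None
    try:
        changed = _parse_iso(raw)
    except ValueError:
        return None
    return now - changed


def reminder_decision(attributes: Dict[str, str],
                      cookies: Dict[str, str],
                      now_iso: str) -> Tuple[bool, Optional[str]]:
    """Return (show_reminder, cookie_value_to_set).

    A reminder is shown when the password is older than MAX_PASSWORD_AGE and
    no reminder was issued within REMIND_EVERY, as recorded by the cookie.
    The cookie value to set (epoch seconds of this reminder) is returned only
    when a reminder is shown. This is a reminder, not enforcement: the SP
    cannot force the change, only the authentication system can."""
    now = _parse_iso(now_iso)
    age = password_age(attributes, now)
    if age is None or age < MAX_PASSWORD_AGE:
        return False, None

    last = cookies.get(COOKIE_NAME)
    if last is not None:
        try:
            last_ts = datetime.fromtimestamp(int(last), tz=timezone.utc)
            if now - last_ts < REMIND_EVERY:
                return False, None      # reminded recently, stay quiet
        except (ValueError, OverflowError, OSError):
            pass                        # malformed cookie: treat as never reminded

    return True, str(int(now.timestamp()))


if __name__ == "__main__":
    # Constructed sample input: password last changed on New Year's Day,
    # evaluated on the date of the list message, no cookie present.
    print(reminder_decision({ATTRIBUTE_NAME: "2014-01-01T00:00:00+00:00"},
                            {}, "2014-04-17T16:57:00+00:00"))
```

The cookie is client-held state, so it only throttles how often the same browser is nagged; a user who clears it or, as Paul notes, who ignores the change page and returns to the original target, is not stopped. That is by design here: the decision to deny access until the password changes has to live in the authentication system, which is the only component that can refuse to issue a session.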
