Adding forced password reset?

Paul Hethmon paul.hethmon at clareitysecurity.com
Thu Apr 17 13:33:17 EDT 2014


On Apr 17, 2014, at 12:57 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

Yeah, "force" is something only the authentication system can impose, but
reminding is what we do. My custom handler contribution includes a
submodule that detects password age based on a resolved attribute and
drops a cookie to track reminders every so many hours.

We chose to not establish an SSO session in the login handler. But we do redirect the browser to change password where they do have to authenticate for the password change. By not establishing the session, there is no way around the forced requirement. However, it does mean two authentications for the user, well three actually when they go back to their target application.

Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com

