Adding forced password reset?

Paul Hethmon paul.hethmon at
Thu Apr 17 13:33:17 EDT 2014

On Apr 17, 2014, at 12:57 PM, Cantor, Scott <cantor.2 at<mailto:cantor.2 at>> wrote:

Yeah, "force" is something only the authentication system can impose, but
reminding is what we do. My custom handler contribution includes a
submodule that detects password age based on a resolved attribute and
drops a cookie to track reminders every so many hours.

We chose to not establish an SSO session in the login handler. But we do redirect the browser to change password where they do have to authenticate for the password change. By not establishing the session, there is no way around the forced requirement. However, it does mean two authentications for the user, well three actually when they go back to their target application.

Paul Hethmon
Chief Software Architect
paul.hethmon at<mailto:paul.hethmon at>

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list