Adding forced password reset?

Cantor, Scott cantor.2 at
Thu Apr 17 13:39:30 EDT 2014

On 4/17/14, 1:33 PM, "Paul Hethmon" <paul.hethmon at>
>We chose to not establish an SSO session in the login handler. But we do
>redirect the browser to change password where they do have to
>authenticate for the password change. By not establishing the session,
>there is no way around the forced requirement. However, it does mean two
>authentications for the user, well three actually when they go back to
>their target application.

Except if your authentication system is accessible in other ways for other
things, which is the norm at a university. So if it's not enforcing the
account policy, it's really not a comprehensive thing to do it in the IdP
in a lot of cases.

-- Scott

More information about the users mailing list