bypassing some authN fails?

IAM David Bantz dabantz at alaska.edu
Thu May 25 14:23:28 EDT 2017


Is it feasible in IdP 3.3 to intercept an authN failure against AD LDAP due
to an expired account (error 49, data 701) and treat it as a successful
authN? ("701" data is supposed to be returned ONLY if the supplied
credentials were otherwise valid, so this does not bypass expired password,
locked account, or bad password, but only those attempts that would have
been successful but for the account being marked expired.)

It likely seems bizarre, but here's the use case:

Our AD team adjusts account expirations as a way of managing access to some
resources. All efforts so far to promote an alternative of relying on
attributes to gate access have been rejected. The result is that many users
who are entitled to other services through the IdP fail the authN step with
a "701" (account expired) message; currently they then have to contact the
support center to temporarily extend their account so they can access
services such as course registration or required testing.

David
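As an added illustration, not part of David's message or of the Shibboleth IdP code base: a small Python helper that parses the diagnostic message AD attaches to LDAP resultCode 49 and separates account-state failures such as data 701 from credential failures, which is the distinction the question turns on. The subcode meanings are AD's documented values; the sample diagnostic strings below are constructed, not real log data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
# AD reports most failed binds as LDAP resultCode 49 (invalidCredentials) and
# puts the real cause in a hex "data" subcode of the diagnostic message.
AD_SUBCODES: Dict[str, Tuple[str, str]] = {
    "525": ("user not found", "credential"),
    "52e": ("bad password", "credential"),
    "530": ("logon not permitted at this time", "account_state"),
    "531": ("logon not permitted at this workstation", "account_state"),
    "532": ("password expired", "account_state"),
    "533": ("account disabled", "account_state"),
    "701": ("account expired", "account_state"),   # the case in the post
    "773": ("user must reset password", "account_state"),
    "775": ("account locked out", "account_state"),
}
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3})\b")  # "data 52e", "data 701"

@dataclass(frozen=True)
class BindFailure:
    result_code: int
    subcode: Optional[str]
    reason: str
    category: str  # "credential", "account_state" or "unknown"

def classify_bind_failure(result_code: int, diagnostic: str) -> BindFailure:
    """Map a bind result (resultCode + diagnosticMessage) to its AD cause."""
    if result_code != 49:
        return BindFailure(result_code, None, f"LDAP resultCode {result_code}", "unknown")
    m = _DATA_RE.search(diagnostic)
    if not m:  # non-AD server, or a message without the subcode
        return BindFailure(49, None, "invalidCredentials, no AD subcode", "unknown")
    sub = m.group(1).lower()
    reason, category = AD_SUBCODES.get(sub, (f"unrecognised subcode {sub}", "unknown"))
    return BindFailure(49, sub, reason, category)

def count_by_category(failures: Iterable[BindFailure]) -> Dict[str, int]:
    """Tally failures per category: mostly 'account_state' points at expired or
    disabled accounts, mostly 'credential' at wrong passwords or guessing."""
    counts: Dict[str, int] = {}
    for f in failures:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts
# Constructed sample bind results in AD's diagnostic format (not real log data).
SAMPLE_RESULTS = [
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"),
    (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1"),
    (53, "unwillingToPerform"),
]
```

Running `count_by_category` over the parsed samples shows how an IdP operator can tell, from the bind responses alone, how many of the failures are the expired accounts described in the post rather than wrong passwords.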