bypassing some authN fails?
dabantz at alaska.edu
Thu May 25 17:16:47 EDT 2017
Preferable to just ignore that specific account-expired state; that results in the desired effect without having to craft a tool for a service IAM doesn't run and then asking the user to do something. It also has less impact on the services run by others that "use" the expired flag for their access control.
David.Bantz at me.com
David.Bantz at Alaska.edu
> On May 25, 2017, at 12:07, Daniel Fisher <dfisher at vt.edu> wrote:
>> On Thu, May 25, 2017 at 2:23 PM, IAM David Bantz <dabantz at alaska.edu> wrote:
>> Is it feasible in IdP 3.3 to intercept an authN failure against AD LDAP due to expired account (error 49, data 701) and treat as though successful authN? ("701" data is supposed to be returned ONLY if the supplied credentials were otherwise valid, so this does not bypass expired password, locked account, or bad password, but only those attempts that would have been successful but for the account being marked expired.)
> So do you want to ignore this particular account state or will you be sending these users somewhere to unexpire their account in a self-service fashion?
> --Daniel Fisher
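The distinction this thread turns on, as an added example that is not part of the original messages and is not Shibboleth IdP code: a strict classifier for Active Directory bind failures that singles out sub-code 701 and leaves every other failure a failure. The function and field names are hypothetical, the sample diagnostic strings are constructed, and the diagnostic message layout is assumed to be the usual AD `AcceptSecurityContext error, data <hex>` form.

```python
import re
from typing import NamedTuple, Optional

LDAP_INVALID_CREDENTIALS = 49  # result code AD returns for every failed bind

# Hex "data" sub-codes AD places in the diagnostic message of a result-49 bind.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Anchored on the AcceptSecurityContext comment so that stray text containing
# "701" elsewhere in the message can never be read as the sub-code.
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]{1,8})\b")


class BindFailure(NamedTuple):
    subcode: Optional[str]   # lower-case hex sub-code, or None if absent
    reason: str
    expired_only: bool       # True only for result 49 with data 701


def classify_bind_failure(result_code: int, diagnostic: str) -> BindFailure:
    """Fail closed: anything that is not exactly 49/701 stays an ordinary failure."""
    if result_code != LDAP_INVALID_CREDENTIALS:
        return BindFailure(None, "not a credential failure", False)
    match = _DATA_RE.search(diagnostic or "")
    if match is None:
        return BindFailure(None, "no AD sub-code present", False)
    sub = match.group(1).lower()
    return BindFailure(sub, AD_SUBCODES.get(sub, "unknown sub-code"), sub == "701")


# Constructed sample diagnostics (the DSID values are placeholders).
SAMPLES = {
    "expired": "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 701, v0000",
    "bad_pw": "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000",
    "locked": "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 775, v0000",
    "spoofed": "user 701 said: data 701 (no AcceptSecurityContext comment)",
}

if __name__ == "__main__":
    for name, diag in SAMPLES.items():
        print(name, classify_bind_failure(LDAP_INVALID_CREDENTIALS, diag))
```

Logging every bind for which `expired_only` is true keeps an audit trail of sessions that exist only because the expired state was ignored.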