Password Change Solutions

David Langenberg davel at uchicago.edu
Tue Nov 6 13:35:08 EST 2018


We considered the in-line approach when we last re-did our account recovery
flows, but ultimately decided against it. The number of external
dependencies that are involved here when a password changes was great enough
that the in-line approach would've had a negative impact on our HA
capabilities. Instead what we did was a hybrid approach where the IdP would
authenticate the individual (or attempt to authenticate the individual via
various means: Password, SMS/Email OTP, KBA, etc.) and then cause the IdP to
send a SAML response (minus any AuthnContextClassRefs) to our password
change app rather than the app the user was trying to go to. Works decently,
though that does leave the user with an SSO session that does not have any
AuthnContextClassRefs on it. For SPs that don't care about that field, the
user continues normally and happily. For SPs that do care about class-ref,
the IdP will step-up as necessary (assuming the user now knows their
password). The hard edge in this scenario that does bite us infrequently,
but enough to be visible in support metrics, is the SP that cares about
AuthnContextClassRef, but doesn't put what it wants in the AuthnRequest.


Dave


--

David Langenberg

Asst Director, Identity Management

The University of Chicago
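The step-up decision Dave describes, and the hard edge at the end of his message, can be modelled in a few lines. The following is an added example written for this thread, not code from either poster or from the Shibboleth project: it parses a constructed SAML AuthnRequest for its RequestedAuthnContext, keeps the IdP's SSO session as an in-memory list of class refs (empty after the password-change flow), and only handles Comparison="exact". The SP names, entity IDs and the idea that an SP may require a class ref it never puts in its request are all assumptions made for illustration.

```python
# Added example (not from the thread): models the IdP-side step-up decision
# after a hybrid password-change flow leaves an SSO session with no
# AuthnContextClassRef. All XML below is constructed for this example.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed AuthnRequest from an SP that says what it needs.
REQUEST_WITH_CLASSREF = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_req1" Version="2.0"
    IssueInstant="2018-11-06T16:00:00Z">
  <saml:Issuer>https://sp-a.example.edu/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed AuthnRequest from an SP that omits RequestedAuthnContext.
REQUEST_WITHOUT_CLASSREF = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_req2" Version="2.0"
    IssueInstant="2018-11-06T16:01:00Z">
  <saml:Issuer>https://sp-b.example.edu/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""


def requested_context(request_xml):
    """Return (Comparison, [class refs]) from an AuthnRequest.

    An absent RequestedAuthnContext yields ("exact", []): the SP asked
    for nothing in particular.
    """
    root = ET.fromstring(request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return "exact", []
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def needs_step_up(session_refs, comparison, requested_refs):
    """IdP side: reuse the SSO session unless the SP asked for a class it lacks."""
    if not requested_refs:
        return False  # nothing requested, so any live session is acceptable
    if comparison != "exact":
        raise ValueError("only Comparison='exact' is modelled in this example")
    return not (set(requested_refs) & set(session_refs))


def outcome(session_refs, request_xml, sp_required=None):
    """What happens to one SSO request.

    sp_required is the class ref the SP enforces on the response side
    (an assumption of this example: it may differ from what it requested).
    """
    comparison, requested = requested_context(request_xml)
    if needs_step_up(session_refs, comparison, requested):
        return "step-up"  # IdP re-authenticates, e.g. with the new password
    if sp_required and not (set(sp_required) & set(session_refs)):
        return "sso-rejected-by-sp"  # the hard edge: SP wanted a class it never asked for
    return "sso"


def run_scenarios():
    """Four constructed cases against a session with no class refs."""
    session = []  # SSO session created by the password-change flow
    return {
        "sp_a_asks_for_ppt": outcome(session, REQUEST_WITH_CLASSREF, sp_required=[PPT]),
        "sp_b_no_requirement": outcome(session, REQUEST_WITHOUT_CLASSREF),
        "sp_c_requires_ppt_silently": outcome(session, REQUEST_WITHOUT_CLASSREF, sp_required=[PPT]),
        "sp_a_after_step_up": outcome([PPT], REQUEST_WITH_CLASSREF, sp_required=[PPT]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The third scenario is the support-ticket generator from the message: because the IdP only sees the AuthnRequest, an SP that enforces a class ref without requesting it gets the class-ref-less session and rejects the response, and nothing on the IdP side could have predicted that. The fix belongs in the SP's configuration (send a RequestedAuthnContext), which is why it shows up as support load rather than as an IdP bug.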


From: users <users-bounces at shibboleth.net> On Behalf Of Koch, Ken
Sent: Tuesday, November 6, 2018 11:34 AM
To: users at shibboleth.net
Subject: Password Change Solutions


Greetings all. I'm working through conceptual changes to our login flow that
remove as many external dependencies as possible, consolidating everything
on easily portable IDPs. One function I'm stuck on is forcing a password
change on an expired password. Has anyone done this with IDP flows and
Spring/Velocity? I know how to trap the expired password and proceed with a
custom flow, but I'm hoping to implement the password change screen right
there, rather than link out to an external page. Is anyone doing this?


____________________________________________________________

Ken Koch | Infrastructure Architect, Enterprise Engineering

Washington University in St. Louis

4480 Clayton Ave., Campus Box 8218 | Clayton, MO 63110

w 314-935-8315 | c 314-223-7256 | ken at wustl.edu


The materials in this message are private and may contain Protected
Healthcare Information or other information of a sensitive nature. If you
are not the intended recipient, be advised that any unauthorized use,
disclosure, copying or the taking of any action in reliance on the contents
of this information is strictly prohibited. If you have received this email
in error, please immediately notify the sender via telephone or return mail.
