Expiring password conundrum

Lipscomb, Gary glipscomb at csu.edu.au
Thu Oct 10 17:37:29 EDT 2019

Hi Steve,

We are using the expiring-password intercept. 
The user arrives at the expiring-password.vm page and is presented with:

Charles Sturt University
Your password will be expiring soon!

To create a new password now, go to Change my password.

Your login will proceed in 20 seconds or you may click here to continue.

Copyright 2019 Charles Sturt University CRICOS 00005F

When they click on the "create a new password now" link they are asked to authenticate again. This is the bit I'm failing to understand. They have already authenticated when trying to access the original site, but the IdP hasn't proceeded to complete the process and redirect to it. Its waiting for the 20 second meta-refresh.

I'll have a look at the whitelisting in the meantime.



-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Losen, Stephen C (scl)
Sent: Friday, 11 October 2019 00:43
To: Shib Users <users at shibboleth.net>
Subject: RE: Expiring password conundrum

Hi Gary,

Are you using the expiring-password intercept ? It runs after the user has authenticated on the IDP. So if this intercept displays a page with a link to your password change app, then the user has an IDP session and gets in without authenticating again on the IDP. Within the intercept config you need to "whitelist" the entityID of your password change app to avoid showing the page again, i.e., behave as if the user's password is not about to expire.

Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at virginia.edu    434-924-0640

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Lipscomb, Gary
Sent: Wednesday, October 9, 2019 11:36 PM
To: Shib Users <users at shibboleth.net>
Subject: Expiring password conundrum

Hi all,

We have configured Shibboleth IdP (v3.4.6) to check for expiring passwords triggered by our openLDAP password policy.
All works as planned. The user is warned that their password is expiring and given the options to

1. click on the link to change their password 2. clink on the link to continue to the original site 3. wait 20 seconds before being sent to the original site.

The issue we are seeing is that if a user clicks on the change password link they are presented with another IdP login page since our change password page is protected by Shibboleth and also the original request hasn't completed (its waiting 20 seconds before meta-refresh). If they enter their credentials again they get the expiring password message scenario.

Is there a way to complete the original IdP login process when clicking on the link to change password so the user doesn't have to re-enter their credentials.

If they have an expired, or locked password due to login failures we provide a link to another site not protected via Shibboleth.



Gary Lipscomb
Technical Officer, Systems(Infrastructure) | Infrastructure & Client Services | Division of Information Technology Charles Sturt University Panorama Avenue Bathurst NSW 2795
Tel: +61 2 6338 6533
Email: glipscomb at csu.edu.au |www.csu.edu.au


This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with Charles Sturt University may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at Charles Sturt University. The views expressed in this email are not necessarily those of Charles Sturt University.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider Number: PV12018 Consider the environment before printing this email.
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list