Expiring password conundrum

Wessel, Keith kwessel at illinois.edu
Thu Oct 10 18:08:13 EDT 2019


Any chance the password change SP is requesting forced reauthentication?


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, October 10, 2019 4:49 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Expiring password conundrum

On 10/10/19, 5:37 PM, "users on behalf of Lipscomb, Gary" <users-bounces at shibboleth.net on behalf of glipscomb at csu.edu.au> wrote:

> When they click on the "create a new password now" link they are asked to authenticate again. This is the bit I'm failing
> to understand. They have already authenticated when trying to access the original site, but the IdP hasn't proceeded to
> complete the process and redirect to it. Its waiting for the 20 second meta-refresh.

The interceptor runs after it's saved the authentication results off into the user's session, but client sessions don't get updated until the very end, so a request to a different server and the creation of a new container session will end up without knowledge that the authentication happened.

However, use of the LDAP account state approach to detecting these conditions has nothing to do with the interceptor and is a different mechanism. You said you were using account state. You probably aren't using both, or shouldn't be, anyway.
-- Scott

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list