Expiring password conundrum

Lipscomb, Gary glipscomb at csu.edu.au
Thu Oct 10 18:18:38 EDT 2019


Hi Keith,

The change password page is not forcing re-authentication. If I wait for the original page to complete and then use the same link for the change password, then SSO kicks in and I'm not prompted for authentication.

Hi Scott,

You are right, we are not using the interceptor, just the error codes presented by OpenLDAP and the standard password flow with the changes mentioned here
https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration#LDAPAuthnConfiguration-HandlingaccountstatewithOpenLDAP

Regards

Gary

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Wessel, Keith
Sent: Friday, 11 October 2019 09:08
To: Shib Users <users at shibboleth.net>
Subject: RE: Expiring password conundrum

Gary,

Any chance the password change SP is requesting forced reauthentication?

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, October 10, 2019 4:49 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Expiring password conundrum

On 10/10/19, 5:37 PM, "users on behalf of Lipscomb, Gary" <users-bounces at shibboleth.net on behalf of glipscomb at csu.edu.au> wrote:

> When they click on the "create a new password now" link they are asked to authenticate again. This is the bit I'm failing
> to understand. They have already authenticated when trying to access the original site, but the IdP hasn't proceeded to
> complete the process and redirect to it. It's waiting for the 20 second meta-refresh.

The interceptor runs after it's saved the authentication results off into the user's session, but client sessions don't get updated until the very end, so a request to a different server and the creation of a new container session will end up without knowledge that the authentication happened.

However, use of the LDAP account state approach to detecting these conditions has nothing to do with the interceptor and is a different mechanism. You said you were using account state. You probably aren't using both, or shouldn't be, anyway.
 
-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net