Password expiration warning on Shibboleth IdP 4.0.0

Jan Oppolzer jan.oppolzer at
Fri May 22 10:02:53 UTC 2020


I'd like to warn users during logging in at the IdP that their password
is going to expire soon. Currently, only error message that the password
already expired is working well.

We have an operational attribute passwordExpirationTime in our LDAP (389
Directory Server). The IdP is obtaining that using <ReturnAttributes>*
passwordExpirationTime</ReturnAttributes> in the LDAP connector and the
attribute is defined in attribute-resolver.xml as follows:

<AttributeDefinition xsi:type="Simple" id="passwordExpiration">
  <InputDataConnector ref="myLDAP" attributeNames="passwordExpirationTime"/>

An example of passwordExpirationTime attribute value is 20200605020101Z,
i.e. yyyyMMddHHmmss'Z'.

No matter how I configure formatString in
expiring-password-intercept-config.xml, I get a warning in logs. Either
that the text could not be parsed (using default yyyyMMddHHmmss'T'):

WARN [net.shibboleth.idp.profile.logic.DateAttributePredicate:208] - 20200605020101Z is not a valid date for the configured date parser
java.time.format.DateTimeParseException: Text '20200605020101Z' could not be parsed at index 14
	at java.base/java.time.format.DateTimeFormatter.parseResolved0(

or that the IdP was unable to obtain Instant from TemporalAccessor
(using yyyyMMddHHmmss'Z', which should be working):

WARN [net.shibboleth.idp.profile.logic.DateAttributePredicate:208] - 20200605020101Z is not a valid date for the configured date parser
java.time.DateTimeException: Unable to obtain Instant from TemporalAccessor: {},ISO resolved to 2020-06-05T02:01:01 of type java.time.format.Parsed
	at java.base/java.time.Instant.from(
Caused by: java.time.temporal.UnsupportedTemporalTypeException: Unsupported field: InstantSeconds
	at java.base/java.time.format.Parsed.getLong(

I have even tried to define passwordExpiration attribute as a static
attribute with various date/time formats, but the result is still the
same. Either DateTimeParseException or UnsupportedTemporalTypeException.

I'm running Shibboleth IdP 4.0.0 on Debian 10 (Buster) with Jetty
9.4.15-1 and OpenJDK 11.0.7+10-3~deb10u1 from distribution packages.

What is really confusing me, is that on the same machine with the same
Jetty and OpenJDK, I'm able to get this working on IdP 3.4.6. So I
wonder, what's the thing I'm missing in order to get it working also
with 4.0.0.

Thanks for any tips, I don't know what to try anymore.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3458 bytes
Desc: not available
URL: <>

More information about the users mailing list