Question about ExpiringPassword Interceptor

Ignacio Amoeiro Bosch ignacio.amoeiro at
Mon Jun 7 16:05:21 UTC 2021

Hello everyone,

Which attribute should I configure in the DateAttributePredicate (shibboleth.expiring-password.Condition)? The date when the password expires, right? For example, the msDS-UserPasswordExpiryTimeComputed from Active Directory?

I'm testing it, and I'm unable to get it working. I have configured it with an offset of -P15D (I want the user to be warned 15 days before the password expires).

I have checked the logic in the DateAttributePredicate class implementation:

    if (Instant.from(dateTimeFormatter.parse(dateString)).plus(systemTimeOffset).isAfter(now)) {
        return true;
    }

Shouldn't it be isBefore instead of isAfter? Or am I missing something?

Because (passwordExpired - 15) won't be after the current date if the current date is, for example, 5 days before the password expires.

current date: 10/08/2021
password expiration date: 16/08/2021
password expiration date minus offset (15): 01/08/2021
01/08/2021 is not after 10/08/2021

What am I missing?
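
Added example, not part of the original message and not Shibboleth's own code: it evaluates the comparison quoted above with the -P15D offset and the expiry date from the message for several values of "now", and shows one way to turn a Windows FILETIME value into an Instant. The class and method names are hypothetical, the FILETIME sample is constructed, and it is an assumption that the directory returns msDS-UserPasswordExpiryTimeComputed in FILETIME form.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;

public class ExpiryCheckDemo {
    // Seconds between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch.
    static final long EPOCH_DIFF_SECONDS = 11_644_473_600L;
    static final long TICKS_PER_SECOND = 10_000_000L; // one tick = 100 ns

    // Assumption: the raw attribute value is a FILETIME tick count.
    static Instant fromFileTime(long ticks) {
        long seconds = ticks / TICKS_PER_SECOND - EPOCH_DIFF_SECONDS;
        long nanos = (ticks % TICKS_PER_SECOND) * 100L;
        return Instant.ofEpochSecond(seconds, nanos);
    }

    // The comparison from the quoted line, with the already parsed date passed in.
    static boolean quotedCheck(Instant expiry, Duration offset, Instant now) {
        return expiry.plus(offset).isAfter(now);
    }

    // Midnight UTC for an ISO date; the message's dd/MM/yyyy dates are rewritten as ISO.
    static Instant utcDay(String isoDate) {
        return LocalDate.parse(isoDate).atStartOfDay(ZoneOffset.UTC).toInstant();
    }

    public static void main(String[] args) {
        Duration offset = Duration.parse("-P15D");   // offset from the message
        Instant expiry = utcDay("2021-08-16");       // expiry date from the message

        // Constructed FILETIME sample for the same instant, converted back.
        long ticks = (expiry.getEpochSecond() + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND;
        System.out.println("FILETIME " + ticks + " -> " + fromFileTime(ticks));
        System.out.println("expiry plus offset = " + expiry.plus(offset));

        // 2021-08-10 is the "current date" from the message; the others are constructed.
        String[] days = {"2021-07-25", "2021-08-01", "2021-08-10", "2021-08-20"};
        for (String day : days) {
            System.out.printf("now=%s quotedCheck=%b%n",
                    day, quotedCheck(expiry, offset, utcDay(day)));
        }
    }
}
```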

