Question about ExpiringPassword Interceptor

Ignacio Amoeiro Bosch ignacio.amoeiro at
Mon Jun 7 20:17:32 UTC 2021

Thanks scott, understood the logic.

But for some reason the interceptor is not being called.

I have the module enabled:

Module: idp.intercept.ExpiringPassword [ENABLED]

And also configured the bean shibboleth.expiring-password.Condition at conf/intercept/expiring-password-intercept-config.xml

I don't see any traces in the logs with the DateAttributePredicate.class logger.

I also tried remote debuging the jvm, and put some breakpoints at net.shibboleth.idp.profile.logic.DateAttributePredicate hasMatch method and program doesn't stop.

What can I check?

Thanks 😊

-----Mensaje original-----
De: users <users-bounces at> En nombre de Cantor, Scott
Enviado el: lunes, 7 de junio de 2021 18:12
Para: Shib Users <users at>
Asunto: DMARC ErrorRe: Question about ExpiringPassword Interceptor

On 6/7/21, 12:05 PM, "users on behalf of Ignacio Amoeiro Bosch" <users-bounces at on behalf of ignacio.amoeiro at> wrote:

>    Shouldn’t it be isBefore instead of isAfter? Or I’m missing something?

The check is reversed in the flow from what you think it is. Don't overthink that part, the docs are explicit about how it works. The warning flow notes that it operates in reverse for exactly this reason, it gives me a headache.

As for it working, that's trial and error and a lot of screwing around, and having Java code to run as a test to trial out format strings and such as very useful.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list