Handling expired/expiring users after upgrading from Shib 3 to Shib 4

Jeff Chapin jeff.chapin at uni.edu
Wed Jun 21 15:16:40 UTC 2023

Prior to upgrading from Shib 3, we had Shibboleth set up to handle user
authentication via LDAP, and we retrieved the user expiration date via an
attribute (this attribute was a call to a database, which allowed us to set
the format of the date returned, as well as modify the expiration based on
business rules, and allowed us to treat administratively reset users as
'expired'). The attribute was named 'passwordExpiration' -- and that's the
limit of my notes. Perhaps once I got that attribute populated, it was
simply used and things just worked.

This was working just fine. I believe we tested this after upgrading to 4.1
and I believe it was working then, but I cannot be 100% sure.

Now that we are on 4.2, users that *should* be considered expired based on
the date, but know the value of the expired password, are allowed in
without being redirected to the password reset page.

I see some discussion on the mailing list
(http://shibboleth.net/pipermail/users/2023-January/053346.html) that
references files we don't have. I have tried changing the format of the
expiration to yyyyMMdd based on that email exchange, but no luck.

I can't seem to find documentation for Shib 4.3 for how to set up expiring
passwords -- any ideas what I seem to be missing?


Jeff Chapin,

Panther eSports Adviser
Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: Jeff.Chapin at uni.edu
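The security-relevant point in the post is that a successful LDAP bind and the expiration rule are two separate checks: if the IdP only performs the bind, a user who still knows an expired password gets in. As an added illustration (not code from the post, and not Shibboleth's own configuration or API), the Python below shows what a fail-closed version of that second check looks like when the expiration arrives as a resolved attribute string. The attribute name 'passwordExpiration' and the yyyyMMdd format are taken from the post; the "RESET" sentinel for administratively reset accounts, the other accepted date formats, the 14-day warning window and the sample dates are assumptions made for the example.

```python
"""Added example, not from the original post or from Shibboleth.

Combines an LDAP bind result with a resolved 'passwordExpiration'
attribute and fails closed: an unparseable or missing value is treated
as expired rather than silently letting the user through.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class PasswordState(Enum):
    OK = "ok"
    EXPIRING = "expiring"   # still valid, but inside the warning window
    EXPIRED = "expired"     # must go to the reset flow even if the bind succeeded


# Formats the attribute value is allowed to arrive in (assumed for the example).
# Anything that matches none of them is treated as expired.
_FORMATS = (
    "%Y%m%d",               # yyyyMMdd, the format tried in the post
    "%Y%m%d%H%M%SZ",        # LDAP generalizedTime, e.g. 20230621151640Z
    "%Y-%m-%dT%H:%M:%S%z",  # ISO 8601 with UTC offset
    "%Y-%m-%d",
)

# Hypothetical sentinel the attribute source emits for administratively
# reset accounts; the post describes treating such users as 'expired'.
ADMIN_RESET_MARKER = "RESET"

# Constructed "current time" so the example runs deterministically offline.
SAMPLE_NOW = datetime(2023, 6, 21, 15, 16, 40, tzinfo=timezone.utc)


def parse_expiration(value):
    """Return an aware UTC datetime, or None if the value is unusable."""
    if value is None:
        return None
    value = value.strip()
    for fmt in _FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:           # date-only formats: assume UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def password_state(attr_value, now=SAMPLE_NOW, warn_days=14):
    """Classify the account from its expiration attribute, failing closed."""
    if attr_value is not None and attr_value.strip() == ADMIN_RESET_MARKER:
        return PasswordState.EXPIRED
    expires = parse_expiration(attr_value)
    if expires is None:                     # missing or garbled: do not trust it
        return PasswordState.EXPIRED
    if expires <= now:
        return PasswordState.EXPIRED
    if expires - now <= timedelta(days=warn_days):
        return PasswordState.EXPIRING
    return PasswordState.OK


@dataclass
class AuthResult:
    authenticated: bool       # the LDAP bind itself succeeded
    redirect_to_reset: bool   # expiration rule says the password may not be used
    warning: bool             # let them in, but warn that expiry is near


def authenticate(bind_succeeded, attrs, now=SAMPLE_NOW):
    """Bind result plus expiration rule. A correct bind against an expired
    password still ends in the reset flow, which is the behaviour the post
    reports as lost after the upgrade."""
    if not bind_succeeded:
        return AuthResult(False, False, False)
    state = password_state(attrs.get("passwordExpiration"), now)
    if state is PasswordState.EXPIRED:
        return AuthResult(True, True, False)
    return AuthResult(True, False, state is PasswordState.EXPIRING)


if __name__ == "__main__":
    # Constructed sample: bind succeeds, but the password expired in January.
    print(authenticate(True, {"passwordExpiration": "20230101"}))
```

The check a practitioner would want when debugging the post's situation is the fail-closed branch: if the attribute is not being resolved at all after the upgrade, `attrs.get("passwordExpiration")` is `None`, and the user should land on the reset page rather than be admitted. Seeing expired users get in therefore indicates the expiration check is not running, not merely that the date format is wrong.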