Handling expired/expiring users after upgrading from Shib 3 to Shib 4

Cantor, Scott cantor.2 at osu.edu
Wed Jun 28 19:40:28 UTC 2023

> Is there some way to get the ldap login flow to use the passwordExpiring IDP
> Attribute? Or preferably to get the ExpiringPasswordIntercept to work with
> Password auth?

Login flows do not have any relationship to interceptors in that sense. The interceptors that run are based on the postAuthenticationFlows profile setting, which is something controlled based on relying party configuration and/or metadata, and has no connection back to how authentication is done in most cases. (*)

-- Scott

(*) An exotic Predicate could be coded up to examine authentication state to decide how to respond but that’s after the interceptor is running, not part of deciding whether to run.
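
Added illustration, not part of the original message and not the project's shipped configuration: a `conf/relying-party.xml` fragment showing that the interceptor list is chosen per relying party through `postAuthenticationFlows`, independent of which login flow authenticated the user. The SP entityID is a hypothetical placeholder, and the flow ids assume the stock `expiring-password` and `attribute-release` interceptors are available in the deployment.

```xml
<!-- conf/relying-party.xml (fragment); constructed example -->

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- Interceptors listed here run after authentication for every
                 SAML 2 SSO request that falls through to the default
                 relying party, whether the user logged in via Password
                 (LDAP), an external flow, or an existing session. -->
            <bean parent="SAML2.SSO"
                  p:postAuthenticationFlows="#{ {'expiring-password', 'attribute-release'} }" />
        </list>
    </property>
</bean>

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- Hypothetical SP: same login flows as everyone else, but the
         expiring-password interceptor is not run for it, because the
         selection is made here and not in the authentication layer. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:postAuthenticationFlows="attribute-release" />
            </list>
        </property>
    </bean>
</util:list>
```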
