Handling expired/expiring users after upgrading from Shib 3 to Shib 4

Jeff Chapin jeff.chapin at uni.edu
Wed Jun 28 19:45:58 UTC 2023

Ok, I think I may be using the wrong terminology.

Is it wrong of me to expect the ExpiringPasswordIntercept to function, even
if we are using LDAP authentication? I would have thought that the
authentication method would be independent.


On Wed, Jun 28, 2023 at 2:40 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Is there some way to get the ldap login flow to use the passwordExpiring
> > Attribute? Or preferably to get the ExpiringPasswordIntercept to work
> with
> > Password auth?
> Login flows do not have any relationship to interceptors in that sense.
> The interceptors that run are based on the postAuthenticationFlows profile
> setting, which is something controlled based on relying party configuration
> and/or metadata, and has no connection back to how authentication is done
> in most cases. (*)
> -- Scott
> (*) An exotic Predicate could be coded up to examine authentication state
> to decide how to respond but that’s after the interceptor is running, not
> part of deciding whether to run.


Jeff Chapin,

Panther eSports Adviser
Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: Jeff.Chapin at uni.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230628/e6e51ea4/attachment.htm>

More information about the users mailing list