shibboleth-dev - Re: [Shib-Dev] Invalidating IdP Session


Re: [Shib-Dev] Invalidating IdP Session


  • From: Jim Fox <>
  • To: "" <>
  • Subject: Re: [Shib-Dev] Invalidating IdP Session
  • Date: Wed, 1 Jul 2009 22:10:37 -0700



> Ok, I've got a need to have my Shib IdP recognize that a user needs to change their password and direct them to an SP to do that. The password change SP is not the same SP that they tried to access at first. What I would like to have happen is for Shib to authenticate them and send them to the password change SP as an authenticated user. However, I don't really want Shib to keep a session for them. Instead, I would prefer that once they complete the password change, they get directed to their original SP choice, bounce to the IdP, and then log in with the new credentials.


So your password change SP accepts an existing SSO session as sufficient identity proof that it will change a user's password, but then does not accept that same session as proof that the user is who he or she really is. The user must re-authenticate, using the password they just gave you, authenticated only by the old session, to get a new SSO session that is somehow more trustworthy?

The usual dialog, which could be handled by your login plugin, says, "your old password; your new password."  Why not let your login handler take care of the whole business?

Jim
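To make the reply's suggestion concrete, here is a small model of a login handler that runs the "your old password; your new password" dialog inside the authentication step itself, so the IdP never issues an SSO session against a password that is about to be retired and never relies on a session to authorize the change. This is an added illustration, not code from the thread or from the Shibboleth IdP; the account store, the `must_change` flag, the password policy and the session table are all constructed for the example.

```python
# Model of the "let your login handler take care of the whole business"
# design: old and new password are collected in one login dialog, the
# credential is rotated before any SSO session is minted, and a session is
# only ever issued against the credential that is current afterwards.
# Added illustration, not Shibboleth IdP code; the account store, policy
# flag and session table are constructed for the example.

import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
DUMMY_SALT = os.urandom(16)  # keeps timing uniform when the user is unknown


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change: bool = False  # set by an admin or expiry job, cleared on rotation


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def new_account(password: str, must_change: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt, _derive(password, salt), must_change)


def password_acceptable(new_password: str, old_password: str) -> bool:
    # Minimal policy for the example: non-trivial length and no reuse of the old one.
    return len(new_password) >= 12 and new_password != old_password


class LoginHandler:
    """Single-step authentication with an in-band forced password change."""

    def __init__(self, users: Dict[str, Account]):
        self.users = users
        self.sessions: Dict[str, str] = {}  # session id -> username

    def login(self, username: str, password: str,
              new_password: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Return (status, session_id).

        "fail"             wrong username or password; no session
        "change_required"  password correct but must be rotated; the handler
                           re-prompts for old + new; still no session
        "change_rejected"  new password violates policy; still no session
        "ok"               session issued against the current credential
        """
        acct = self.users.get(username)
        if acct is None:
            _derive(password, DUMMY_SALT)  # same work as a real check
            return ("fail", None)
        if not secrets.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            return ("fail", None)

        if acct.must_change:
            if new_password is None:
                return ("change_required", None)
            if not password_acceptable(new_password, password):
                return ("change_rejected", None)
            # Rotate in place: fresh salt, new hash, flag cleared. Only a
            # caller who just proved the old password reaches this point.
            acct.salt = os.urandom(16)
            acct.pw_hash = _derive(new_password, acct.salt)
            acct.must_change = False

        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return ("ok", sid)

    def session_user(self, sid: Optional[str]) -> Optional[str]:
        return self.sessions.get(sid) if sid else None


if __name__ == "__main__":
    handler = LoginHandler({"alice": new_account("correct-horse-old", must_change=True)})
    print(handler.login("alice", "correct-horse-old"))                        # change_required
    print(handler.login("alice", "correct-horse-old", "battery-staple-new"))  # ok
    print(handler.login("alice", "correct-horse-old"))                        # fail, old password retired
```

The point of the structure is that there is exactly one moment at which identity is proven (the old-password check), and both the rotation and the session issuance hang off that same proof; the bounce through a separate password-change SP in the quoted design adds a second session and a second login without adding any evidence the handler did not already have.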




