shibboleth-dev - Re: [Shib-Dev] Invalidating IdP Session
- From: Paul Hethmon <>
- To: Shibboleth Dev <>
- Subject: Re: [Shib-Dev] Invalidating IdP Session
- Date: Thu, 02 Jul 2009 01:21:02 -0400
On 7/2/09 1:10 AM, "Jim Fox" <> wrote:

> So your password change SP accepts an existing SSO session as sufficient identity proof that it will change a user's password, but then does not accept that same session as proof that the user is who he or she really is. The user must re-authenticate, using the password they just gave you, authenticated only by the old session, to get a new SSO session that is somehow more trustworthy?

I trust the first password because I do validate it. I just want the user to use the new one for any RP except for the password change application. And like all users everywhere, they are not trying to change their password to start out with, they're trying to get access to some other application. Their password has expired though and the IdP is the place that can catch that event. So, I'm not sending them to the RP they asked for originally, I'm redirecting them to the change pwd RP. Once done there, I'll redirect them back to their original target.
> The usual dialog, which could be handled by your login plugin, says, "your old password; your new password." Why not let your login handler take care of the whole business?
I suppose I could, but I have an existing strong authentication solution/application that already has everything. So that application is protected by SSO where appropriate. The idea of sending them to the password change RP is for a convenience to the user instead of giving them the dialog with the old password and new password in it.
It also allows me to use Shib with minimal customizations. I plug in a new login handler that does this and stuff like giving them an intermediate page telling them their password will expire in X days.
Paul
-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----
God does not play dice with the universe; He plays an ineffable game of his own devising, which might be compared, from the perspective of any of the other players, to being involved in an obscure and complex version of poker in a pitch dark room, with blank cards, for infinite stakes, with a dealer who won't tell you the rules, and who smiles all the time.
-- Terry Pratchett, Good Omens
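The flow Paul describes, modelled as an added example that is not part of this thread and is not Shibboleth IdP code: the login handler validates the expired password, issues a session that is good only at the password-change RP, remembers the original target, and discards that session once the password has been changed, so every other RP only ever sees a login made with the new password (the point Jim questions). The entityIDs, the 90-day expiry policy, and the plaintext password store are assumptions made to keep the model short.

```python
"""Model of an IdP login handler that catches an expired password.

Illustrative only; not Shibboleth's API. entityIDs and the expiry
policy are assumed values.
"""
import datetime as dt
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PASSWORD_CHANGE_RP = "https://pwchange.example.org/shibboleth"  # assumed entityID
MAX_PASSWORD_AGE = dt.timedelta(days=90)                        # assumed policy


@dataclass
class User:
    password: str               # plaintext only to keep the model short; hash it in practice
    password_set_at: dt.datetime


@dataclass
class Session:
    user: str
    # entityID this session may be presented to; None means any RP
    restricted_to: Optional[str] = None
    # where the user originally wanted to go, so we can send them back afterwards
    original_target: Optional[str] = None
    id: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class IdP:
    def __init__(self, users: Dict[str, User], now: dt.datetime):
        self.users = users
        self.sessions: Dict[str, Session] = {}
        self.now = now

    def password_expired(self, user: User) -> bool:
        return self.now - user.password_set_at > MAX_PASSWORD_AGE

    def login(self, username: str, password: str, target_rp: str) -> Tuple[str, str]:
        """Validate the (possibly expired) password; return (session_id, redirect_to)."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user.password, password):
            raise PermissionError("bad credentials")
        if self.password_expired(user):
            # Password is valid but stale: the session is scoped to the
            # password-change RP only and remembers the original target.
            session = Session(username, PASSWORD_CHANGE_RP, target_rp)
            self.sessions[session.id] = session
            return session.id, PASSWORD_CHANGE_RP
        session = Session(username)
        self.sessions[session.id] = session
        return session.id, target_rp

    def may_assert(self, session_id: str, rp: str) -> bool:
        """Can an existing SSO session be used to issue an assertion to this RP?"""
        session = self.sessions.get(session_id)
        if session is None:
            return False
        return session.restricted_to is None or session.restricted_to == rp

    def change_password(self, session_id: str, old: str, new: str) -> Optional[str]:
        """Called by the password-change RP; returns the RP to send the user back to."""
        if not self.may_assert(session_id, PASSWORD_CHANGE_RP):
            raise PermissionError("no usable session")
        session = self.sessions[session_id]
        user = self.users[session.user]
        if not secrets.compare_digest(user.password, old):
            raise PermissionError("old password does not match")
        user.password = new
        user.password_set_at = self.now
        target = session.original_target
        # Invalidate the session: the next request to any RP goes through
        # the login handler again and must present the new password.
        del self.sessions[session_id]
        return target
```

The restricted session is what separates this from Jim's reading of it: the old password is validated at login, but the session it produces cannot be turned into an assertion for anything except the password-change RP, and it is gone by the time the user is redirected back to the original target.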
- Invalidating IdP Session, Paul Hethmon, 07/01/2009
- Re: [Shib-Dev] Invalidating IdP Session, Chad La Joie, 07/02/2009
- Re: [Shib-Dev] Invalidating IdP Session, Paul Hethmon, 07/02/2009
- RE: [Shib-Dev] Invalidating IdP Session, Peter Williams, 07/04/2009
- Re: [Shib-Dev] Invalidating IdP Session, Jim Fox, 07/02/2009
- Re: [Shib-Dev] Invalidating IdP Session, Paul Hethmon, 07/02/2009
- Re: [Shib-Dev] Invalidating IdP Session, Chad La Joie, 07/02/2009