Bug 50594 - (Expired) Password change before login not possible with SAML login
Product: UCS
Classification: Unclassified
Component: UMC - Change password
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-3-errata
Assigned To: Florian Best
QA Contact: Julia Bremer
Duplicates: 49336
Depends on:
Reported: 2019-12-04 16:05 CET by Valentin Heidelberger
Modified: 2020-03-03 14:28 CET (History)
CC: 7 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional): External feedback, Usability
Max CVSS v3 score:
best: Patch_Available+

Attachment: The message shown (23.22 KB, image/png), 2019-12-04 16:05 CET, Valentin Heidelberger

Description Valentin Heidelberger univentionstaff 2019-12-04 16:05:59 CET
Created attachment 10246
The message shown

Changing an (expired) password before login is impossible when a SAML login is used. The login just shows:

Password change required. An LDAP password change is required before login is possible 

But does not give any hint as to how to change the password.
Not sure if this is the right component, feel free to move

Steps to reproduce:
- Create a user
- Set "User has to change password on next login" in "Account" tab
- Try to login to portal/UMC with SAML with the just modified user

I don't think we should expect that end users know the difference between a SAML and non-SAML UCS login page. Therefore my suggestions are as follows in order of preference:

- Make it work with SAML login
Preferable option of course, not sure if it can be achieved

- Redirect to normal /univention/login *just for the password change* and afterwards redirect back to the SAML login page.
This would require the user to enter their new password once, but I think that is okay.

- Hint towards the Self Service (if installed?)
The password change in the self service probably wouldn't work because the user has to log in successfully for that, but at least the password reset would work, if a reset mail address or another factor has been set before.
Comment 1 Ingo Steuwer univentionstaff 2019-12-04 16:11:20 CET
AFAIR this is a regression
Comment 2 Ingo Steuwer univentionstaff 2019-12-04 16:22:25 CET
(In reply to Ingo Steuwer from comment #1)
> AFAIR this is a regression

OK, this is no regression. The current option is to click on the "login without SSO" link, try to login again and get a password change dialogue. That's not user friendly...


* simpleSAMLphp detects password expiries
* if a password is expired, the user gets a message and is afterwards redirected to a page where a password change is possible
* default redirection should be the password change of the local portal, but the URL has to be configurable
Comment 3 Ingo Steuwer univentionstaff 2019-12-04 20:19:31 CET
*** Bug 49336 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2019-12-05 19:56:54 CET
Patch in git:fbest/50594-saml-password-expired-link.
TODO: change the link text/password expired description.
Maybe someone wants to specify what we should write here?
Comment 5 Ingo Steuwer univentionstaff 2019-12-06 12:36:19 CET

EN: "Your password is expired. Please change your password and log in again."
DE: "Ihr Passwort ist abgelaufen. Bitte ändern Sie Ihr Passwort und melden sich erneut an."

- "Your password is expired." / "Ihr Passwort ist abgelaufen." in red
- "change your password" / "ändern Sie Ihr Passwort" is linked to the configurable URL
Comment 6 Florian Best univentionstaff 2019-12-09 19:16:59 CET
The link is now configurable via the UCR variable saml/idp/password-change-url.
The default for this variable is the regular login dialog.

univention-saml (6.0.2-18)
1c08ebb5df95 | Bug #50594: display link when password is expired
421699a80229 | Bug #50594: Migrate print statements to function calls

26b8dc40dd7f | YAML Bug #50594
Comment 7 Felix Botner univentionstaff 2019-12-10 09:52:27 CET
82_saml.10_saml_password_expire fails in jenkins now

Could this be a problem with this bug?
Comment 8 Florian Best univentionstaff 2019-12-10 10:35:34 CET
(In reply to Felix Botner from comment #7)
> 82_saml.10_saml_password_expire fails in jenkins now
> https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/AutotestJoin/lastCompletedBuild/testReport/
> Could this be a problem with this bug?
Yes, it's because the "password expired" texts changed. Adjusted in:

ucs-test (9.0.3-122)
6e4b06e9052b | Bug #50594: adjust test case for new texts in login dialog
Comment 9 Julia Bremer univentionstaff 2019-12-10 15:03:04 CET
Translation: Fail, the text is not translated to German when the language is changed, but this didn't work before the changes either.
I created a bug for this: Bug #50619

UCR Variable : OK
URL configurable via UCR Variable: OK
Variable description: OK
Code review: OK
New password change text: OK
Easy to follow and understand: OK

Comment 10 Erik Damrose univentionstaff 2019-12-11 17:25:49 CET
reopen: the yaml does not contain the fixed package version
Comment 11 Julia Bremer univentionstaff 2019-12-11 18:10:44 CET
c1bdc77a63 Bug #50594: Update yaml

So sorry... I updated the package version field...
Comment 12 Erik Damrose univentionstaff 2019-12-18 13:33:10 CET