Univention Bugzilla – Bug 50594
(Expired) Password change before login not possible with SAML login
Last modified: 2020-03-03 14:28:53 CET
Created attachment 10246: The message shown
Changing an (expired) password before login is impossible when a SAML login is used. The login just shows:
Password change required. An LDAP password change is required before login is possible
But does not give any hint as to how to change the password.
Not sure if this is the right component, feel free to move
Steps to reproduce:
- Create a user
- Set "User has to change password on next login" in "Account" tab
- Try to log in to the portal/UMC with SAML using the user just modified
I don't think we should expect that end users know the difference between a SAML and non-SAML UCS login page. Therefore my suggestions are as follows in order of preference:
- Make it work with SAML login
The preferable option, of course; not sure whether it can be achieved.
- Redirect to the normal /univention/login *just for the password change* and afterwards redirect back to the SAML login page.
This would require the user to enter their new password once, but I think that is okay.
- Hint towards the Self Service (if installed?)
The password change in the Self Service would probably not work, because the user has to log in successfully for that, but at least the password reset would work if a reset mail address or another factor has been set before.
AFAIR this is a regression
(In reply to Ingo Steuwer from comment #1)
> AFAIR this is a regression
OK, this is no regression. The current option is to click on the "login without SSO" link, try to login again and get a password change dialogue. That's not user friendly...
* simpleSAMLphp detects password expiries
* if a password is expired, the user gets a message and is afterwards redirected to a page where a password change is possible
* the default redirection should be the password change of the local portal, but the URL has to be configurable
*** Bug 49336 has been marked as a duplicate of this bug. ***
Patch in git:fbest/50594-saml-password-expired-link.
TODO: change the link text/password expired description.
Maybe someone wants to specify what we should write here?
EN: "Your password is expired. Please change your password and log in again."
DE: "Ihr Passwort ist abgelaufen. Bitte ändern Sie Ihr Passwort und melden sich erneut an."
- "Your password is expired." / "Ihr Passwort ist abgelaufen." in red
- "change your password" / "ändern Sie Ihr Passwort" is linked to the configurable URL
The link is now configurable via the UCR variable saml/idp/password-change-url.
The default for this variable is the regular login dialog.
1c08ebb5df95 | Bug #50594: display link when password is expired
421699a80229 | Bug #50594: Migrate print statements to function calls
26b8dc40dd7f | YAML Bug #50594
82_saml.10_saml_password_expire fails in Jenkins now.
Could this be a problem caused by this bug?
(In reply to Felix Botner from comment #7)
> 82_saml.10_saml_password_expire fails in Jenkins now.
> Could this be a problem caused by this bug?
Yes, it's because the "password expired" texts changed. Adjusted in:
6e4b06e9052b | Bug #50594: adjust test case for new texts in login dialog
Translation: Fail. The text is not translated to German when the language is changed, but this didn't work before the changes either.
I created a bug for this: Bug #50619
UCR Variable : OK
URL configurable via UCR Variable: OK
Variable description: OK
Code review: OK
New password change text: OK
Easy to follow and understand: OK
Reopen: the YAML does not contain the fixed package version.
c1bdc77a63 Bug #50594: Update yaml
So sorry... I updated the package version field.