expiring-password intercept flow configuration


expiring-password intercept flow configuration

Losen, Stephen C. (scl)-2
Hi folks,

I'm running IDP 3.3.2 and I am looking at repurposing the expiring-password intercept flow to remind our students when they have required tasks to complete.  (Might be nice if there was a more general purpose flow for doing this.)

As a first cut, I just wanted to trigger the flow without changing it. In relying-party.xml I added 'expiring-password' to DefaultRelyingParty:

<bean parent="SAML2.SSO" p:postAuthenticationFlows="#{{'context-check', 'expiring-password'}}" />

In conf/intercept/expiring-password-intercept-config.xml I changed p:resultIfMissing to "false" figuring that would cause the expiring password page to display (we don't have a "passwordExpiration" attribute).

But I got this error:
ERROR [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:129] - Profile Action PopulateProfileInterceptorContext: Configured interceptor flow intercept/expiring-password not available for use

After comparing 'context-check' and 'expiring-password' entries in config files I noticed in conf/intercept/profile-intercept.xml that "intercept/expiring-password" was not listed in the "shibboleth.AvailableInterceptFlows".  The comment in the file indicates that this is not necessary, but the other intercept flows are listed there so I copied the 'context-check' line and changed the copy to
<bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
and that did the trick.  The expiring password message now displays.

Was this omission in the config deliberate, and if so, why?

Was my solution correct?

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: expiring-password intercept flow configuration

Cantor, Scott E.
> Was this omission in the config deliberate, and if so, why?

The omission is due to you having upgraded from an older release that didn't include that feature. New features that depend on changes to protected configuration files can never automatically be assumed to work. That's why we provide the latest files for comparison after any upgrade.

The flow descriptor lists are the most annoying part of the current configuration from a feature deployment point of view, and will probably get a review in V4.

-- Scott
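
A pre-deployment check for the mismatch discussed in this thread, as an added example that is not part of either message or of the Shibboleth distribution: it reports every flow named in a p:postAuthenticationFlows attribute that has no bean in shibboleth.AvailableInterceptFlows. The function names and the sample XML are constructed for illustration, modelled on the fragments quoted above.

```python
import re
import xml.etree.ElementTree as ET

LIST_ID = "shibboleth.AvailableInterceptFlows"  # list id named in the thread
ATTR = "postAuthenticationFlows"                # p: attribute used in the thread

def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def available_flows(profile_intercept_xml):
    """Bean ids declared inside the AvailableInterceptFlows list."""
    for el in ET.fromstring(profile_intercept_xml).iter():
        if local(el.tag) == "list" and el.get("id") == LIST_ID:
            return {b.get("id") for b in el if local(b.tag) == "bean" and b.get("id")}
    raise ValueError("list %s not found" % LIST_ID)

def referenced_flows(relying_party_xml):
    """Flow ids named in postAuthenticationFlows, with the intercept/ prefix added."""
    found = set()
    for el in ET.fromstring(relying_party_xml).iter():
        for name, value in el.attrib.items():
            if local(name) == ATTR:
                found.update("intercept/" + f for f in re.findall(r"'([^']+)'", value))
    return found

def unavailable_flows(relying_party_xml, profile_intercept_xml):
    """Flows a profile asks for that are missing from the available list."""
    return sorted(referenced_flows(relying_party_xml) - available_flows(profile_intercept_xml))

# Constructed sample input (not real deployment files).
NS = ('xmlns="http://www.springframework.org/schema/beans" '
      'xmlns:util="http://www.springframework.org/schema/util" '
      'xmlns:p="http://www.springframework.org/schema/p"')
RELYING_PARTY = """<beans %s>
  <bean parent="SAML2.SSO"
        p:postAuthenticationFlows="#{{'context-check', 'expiring-password'}}" />
</beans>""" % NS
PRE_FIX = """<beans %s>
  <util:list id="shibboleth.AvailableInterceptFlows">
    <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
  </util:list>
</beans>""" % NS
NEW_BEAN = '<bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />'
POST_FIX = PRE_FIX.replace("</util:list>", NEW_BEAN + "\n  </util:list>")

if __name__ == "__main__":
    print("before fix:", unavailable_flows(RELYING_PARTY, PRE_FIX))
    print("after fix: ", unavailable_flows(RELYING_PARTY, POST_FIX))
```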
