0 votes

We have some accounts that we would like to prevent from changing their password on login when it is expired. This is because we have SAML set up on individual interface pages, but it won't redirect if the password is expired; it will ask them to change it. This is a bit of a loophole for us as we require dual factor and use SAML to accomplish this.

by (1.7k points)
0

Hello Mark,

Sorry for the confusion, but we are not quite sure what exactly you mean regarding the redirect. Could you please post here or send us (support@adaxes.com) screenshots of the pages faced by a user with an expired password when they attempt to log in?

0

I don't have any screenshots, but we set up SAML on the web interface. We only have it set up on certain web interfaces, though, and not on the common sign-in. We are using Azure for our SAML setup, which means it redirects to Azure for authentication.

1 Answer

0 votes
by (213k points)
Best answer

Hello Mark,

Thank you for clarifying. Unfortunately, there is no possibility to interfere with the process in any way for any type of users. The setting is global for the Web interface and whoever attempts to log in will be taken to the SAML identity provider.

0

We are not trying to interfere with the SAML. We are trying to prevent password changes through the web interface when the password has expired. It is not sending them to the SAML provider but allowing a password change.

0

Hello Mark,

Sorry for the confusion, but we are not sure what exactly you mean. When SAML SSO is enabled for a Web interface, the Adaxes sign-in page is not displayed for login to the Web interface. Instead, users directly get to the SAML identity provider page. If a password change is requested after entering the credentials of a user with an expired password there, that is not something we can assist you with as it is not a part of Adaxes. However, the SAML identity provider support team might be able to help you with the corresponding settings.

If you face the below after entering the credentials of a user with an expired password, this behavior is by design and cannot be changed. [image.png]

0

Thank you for confirming that it cannot be changed.

FYI. The common sign-in does not change to the SAML identity provider page if you enable SAML for specific interface pages.

0

Hello Mark,

This behavior is expected. It is only possible for a Web interface to use the sign-in settings of the Common Sign In page, but not vice versa.
