Adaxes

Can I prevent select accounts with expired passwords from being able to change it in the web interface?

0 votes

We have some accounts that we would like to prevent from changing their password on login when it is expired. This is because we have saml setup on individual interface pages but it won't redirect if the password is expired, it will ask them to change it. This is a bit of a loophole for us as we require dual factor and use saml to accomplish this.

by (2.3k points)
0

Hello Mark,

Sorry for the confusion, but we are not quite sure what exactly you mean regarding the redirect. Could you, please, post here or send us (support@adaxes.com) screenshots of the pages faced by a user with expired password when they attempt to log in?

by (288k points)
0

I don't have any screenshots but we setup saml on the web interface. We only have it setup though on certain web interfaces and not on the common sign in. We are using Azure for our saml setup which means it redirects to azure for authentication.

by (2.3k points)

1 Answer

0 votes
by (288k points)
selected by
Best answer

Hello Mark,

Thank you for clarifying. Unfortunately, there is no possibility to interfere the process in any way for any type of users. The setting is global for the Web interface and whoever attempts to login will be taken to the SAML identity provider.

0

We are not trying to interfere with the saml. We are trying to prevent password changes through the web interface when the password has expired. It is not sending them to the saml provider but allowing a password change.

by (2.3k points)
0

Hello Mark,

Sorry for the confusion, but we are not sure what exactly you mean. When SAML SSO is enabled for a Web interface, Adaxes sign in page is not displayed for login to the Web interface. Instead, users directly get to the SAML identity provider page. If password change is requested after entering credentials of a user with expired password there, that is not something we can assist you with as it is not a part of Adaxes. However, the SAML identity provider support team might be able to help you with the corresponding settings.

If you face the below after entering credentials of a user with expired password, this behavior is be design and cannot be changed. image.png

by (288k points)
0

Thank you for confirming that it can not be changed.

FYI. The common sign-in does not change to the SAML identity provider page if you enable SAML for specific interface pages.

by (2.3k points)
0

Hello Mark,

This behavior is expected. It is only possible for a Web interface to use the sign in settings of the Common Sign In page, but not vise versa.

by (288k points)

Related questions

0 votes
1 answer
How can I prevent Help Desk from being able to enable accounts?

We have a customized the help desk security role to allow only resetting passwords and unlocking accounts. We don't want them to be able to enable accounts that are disabled ... writing to certain "account options"? It seems that its an all or nothing setting.

asked Nov 14, 2019 by mark.it.admin (2.3k points)
0 votes
1 answer
I cant see where I can allow multi selection of user objects to then edit in the web interface.

I would like to change department without a script just yet if possible on multiple accounts. If I cant do this then I will entertain custom script Thanks :)

asked Nov 23, 2021 by will17 (350 points)
0 votes
1 answer
I suspect the answer is no, is the system able to produce a report for weak passwords?

We are trying to do a report on weak passwords, but i dont think adaxes is able to?

asked Mar 16, 2022 by marcwoollard (40 points)
0 votes
0 answers
Can I remove the Adaxes part from Web Interface URLs?

By default, Web Interface URLs look like the following: http://host.company.com/Adaxes/HelpDesk. For the URLs not to contain the Adaxes part: On the computer where Adaxes ... C:\Program Files\Softerra\Adaxes 3\Web Interface by default. Click OK. Restart IIS.

asked Oct 30, 2019 by Adaxes (560 points)
0 votes
1 answer
Is it possible to only allow account unlocks from the web interface?

Is it possible to only allow a user to unlock their account from the web interface? We have a group of Mac users who we'd like to be able to unlock their accounts through the web but use a different service for changing their passwords.

asked Jun 30, 2020 by scoutcor (120 points)
3,541 questions
3,232 answers
8,225 comments
547,802 users