Educause Security Discussion mailing list archives

Re: Password change redirect limitations


From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Tue, 6 Oct 2020 15:53:23 +0000

If I am reading this correctly you are not using SAML.  I think that would 
resolve this, obviate the need to sync passwords at all, and simplify your 
user support for password management.



From: The EDUCAUSE Security Community Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Tuesday, October 6, 2020 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change redirect limitations




Hi Folks, I've just spent the last couple weeks going back and forth with 
Google Support, and our Higher Education Google person, and I figure I should 
let these groups know the result of this.



Background:

*       We sync passwords from Active Directory to G-Suite using the Password Sync 
Tool on all Domain Controllers
*       We have the appropriate settings from 
https://support.google.com/a/answer/2611842 
configured to "Prevent users from changing their Google passwords" (support 
has verified this) - users should be directed to our internal password 
change/reset page

Problem:

*       When a Google account is flagged as "Require password change: On" the 
password change is NOT redirected, and is processed as a Google Password change

Sub-Problem:

*       When an account is flagged by Google's automatic process for compromise (e.g. 
"Leaked Password") the wording of the message states: "This Leaked password 
alert is to inform you that Google has suspended an account in your domain due 
to a potentially leaked password." but this isn't the case - the account isn't 
suspended - it is set as "Require password change"



I am hoping that we can either get the behaviour changed - or get the 
documentation updated to reflect reality.



Frank



-- 

Frank Barton, MBA

Security+, ACMT, MCP

IT Systems Administrator

Husson University

PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional 
participation and subscription information can be found at 
https://www.educause.edu/community 


