Educause Security Discussion mailing list archives
Re: Password change redirect limitations
From: Frank Barton <bartonf () HUSSON EDU>
Date: Thu, 8 Oct 2020 09:16:48 -0400
I worked with support, and with our account team, and they came to the conclusion that this is "expected behavior" - I have suggested that they update their documentation

SAML is on our roadmap

Frank

On Thu, Oct 8, 2020 at 8:59 AM Rodolfo Nunez <rnunez () barnard edu> wrote:
Frank,

We used to sync passwords from AD to Google many years ago and we had similar issues. If you follow the steps under "Prevent users from changing their Google passwords <https://support.google.com/a/answer/2611842>", G Suite should honor your request. Support should help you or at least let you know that this is the expected behavior.

I agree that moving to SAML will eliminate this problem and others so you should consider that path for the future.

Good luck,
Rodolfo

--
Rodolfo Nunez
Director, IT Infrastructure
Barnard College, Columbia University
212-854-1319
rnunez () barnard edu
www.barnard.edu/bcit

On Tue, Oct 6, 2020 at 11:53 AM Jones, Mark B <Mark.B.Jones () uth tmc edu> wrote:

If I am reading this correctly you are not using SAML. I think that would resolve this, obviate the need to sync passwords at all, and simplify your user support for password management.

*From:* The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of* Frank Barton
*Sent:* Tuesday, October 6, 2020 8:54 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Password change redirect limitations

Hi Folks,

I've just spent the last couple weeks going back and forth with Google Support, and our Higher Education Google person, and I figure I should let these groups know the result of this.

Background:
- We sync passwords from Active Directory to G-Suite using the Password Sync Tool on all Domain Controllers
- We have the appropriate settings from https://support.google.com/a/answer/2611842 configured to "Prevent users from changing their Google passwords" (support has verified this)
- users should be directed to our internal password change/reset page

Problem:
- When a Google account is flagged as "Require password change: On" the password change is NOT redirected, and is processed as a Google Password change

Sub-Problem:
- When an account is flagged by Google's automatic process for compromise (e.g. "Leaked Password") the wording of the message states: "This Leaked password alert is to inform you that Google has suspended an account in your domain due to a potentially leaked password." but this isn't the case - the account isn't suspended - it is set as "Require password change"

I am hoping that we can either get the behaviour changed - or get the documentation updated to reflect reality.

Frank

--
Frank Barton, MBA Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Frank Barton, MBA Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
Current thread:
- Password change redirect limitations Frank Barton (Oct 06)
- Re: Password change redirect limitations Jones, Mark B (Oct 06)
- Re: Password change redirect limitations Rodolfo Nunez (Oct 08)
- Re: Password change redirect limitations Frank Barton (Oct 08)
- Re: Password change redirect limitations Rodolfo Nunez (Oct 08)
- Re: Password change redirect limitations Jones, Mark B (Oct 06)