Re: Password change redirect limitations

[Frank Barton <bartonf () HUSSON EDU>]

I worked with support, and with our account team, and they came to the
conclusion that this is "expected behavior" - I have suggested that they
update their documentation

SAML is on our roadmap

Frank

On Thu, Oct 8, 2020 at 8:59 AM Rodolfo Nunez <rnunez () barnard edu> wrote:

> Frank,
> We used to sync passwords from AD to Google many years ago and we had
> similar issues. If you follow the steps under "Prevent users from
> changing their Google passwords
> <https://support.google.com/a/answer/2611842>", G suite should honor your
> request. Support should help you or at least let you know that this is the
> expected behavior.
> I agree that moving to SAML will eliminate this problem and others so you
> should consider that path for the future.
> Good luck,
>
> Rodolfo
>
> --
> Rodolfo Nunez
> Director, IT Infrastructure
> Barnard College, Columbia University
> 212-854-1319
> rnunez () barnard edu
> www.barnard.edu/bcit
>
>
> On Tue, Oct 6, 2020 at 11:53 AM Jones, Mark B <Mark.B.Jones () uth tmc edu>
> wrote:
>
> > If I am reading this correctly you are not using SAML.  I think that
> > would resolve this, obviate the need to sync passwords at all, and simplify
> > your user support for password management.
> >
> >
> >
> > *From:* The EDUCAUSE Security Community Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Frank Barton
> > *Sent:* Tuesday, October 6, 2020 8:54 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* [SECURITY] Password change redirect limitations
> >
> >
> >
> > ***** EXTERNAL EMAIL *****
> >
> > Hi Folks, I've just spent the last couple weeks going back and forth with
> > Google Support, and our Higher Education Google person, and I figure I
> > should let these groups know the result of this.
> >
> >
> >
> > Background:
> >
> >    - We sync passwords from Active Directory to G-Suite using the
> >    Password Sync Tool on all Domain Controllers
> >    - We have the appropriate settings from
> >    https://support.google.com/a/answer/2611842
> >    
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__support.google.com_a_answer_2611842&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=jCRqsxx367xKALFP2zSW6frwizJx1CtTarGJiCfJdsk&s=HFw97xa0C9fPftyPL9TmuI6lUt9XBlixELV98rQEb8M&e=>
> >    configured to "Prevent users from changing their Google passwords" (support
> >    has verified this) - users should be directed to our internal password
> >    change/reset page
> >
> > Problem:
> >
> >    - When a Google account is flagged as "Require password change: On"
> >    the password change is NOT redirected, and process as a Google Password
> >    change
> >
> > Sub-Problem:
> >
> >    - When an account is flagged by Google's automatic process for
> >    compromise (eg. "Leaked Password") the wording of the message states: "This
> >    Leaked password alert is to inform you that Google has suspended an account
> >    in your domain due to a potentially leaked password." but this isn't the
> >    case - the account isn't suspended - it is set as "Require password change"
> >
> >
> >
> > I am hoping that we can either get the behaviour changed - or get the
> > documentation updated to reflect reality.
> >
> >
> >
> > Frank
> >
> >
> >
> > --
> >
> > Frank Barton, MBA
> >
> > Security+, ACMT, MCP
> >
> > IT Systems Administrator
> >
> > Husson University
> >
> > PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMFaQ&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=Lgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c&m=jCRqsxx367xKALFP2zSW6frwizJx1CtTarGJiCfJdsk&s=mWXyG0jBdIceJYzokjgxrh12e_tkM2c9Y-94bz7Uuuw&e=>
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community