Thursday, April 14, 2016

ADFS : Change the user password

As per ADFS 2012 R2 now supports Password Change (not reset) across all devices, users have had the ability to change their password since 2012 R2.

This is as simple as enabling the endpoint and then restarting the service.

Note that this does not encompass resetting the password.

Note also that you only get these values when the password is due to expire within the next 14 days. (The 14 day value is not currently configurable).

As per the above link:

"All you need to do is to add the following claims rule to the issuance claims when sending tokens to Azure AD/Office 365.

c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
=> issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);

With the above rule we are sending 3 additional claims
  • Password Expiration Time: This is the time when the user’s password will expire
  • Password Expiration Days: This is the number of days remaining prior to the password expiry
  • Password Change URL: This is the URL of the password change URL from ADFS"

That's all well and good with WS-Fed & SAML, but what happens with OpenID Connect / OAuth, where you don't have the ability to add claims rules?

With Server 2016 TP4, OpenID Connect functionality is enabled but you still can't add claims rules to web applications. You can only add them to web API.

So what happens in TP4 when "Change Password" is enabled and we use OpenID Connect from a web application?

We get two new entries:


Previously, the order was upn / name / c_hash.

Now we have upn / name / pwd_url / pwd_exp / c_hash.

The pwd_url is the URL of the "Change Password" page.

The pwd_exp value is the number of seconds until the password expires (approx. 4 days).
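Because a web application cannot shape these claims with a rule, it has to handle whatever arrives in the id_token: either both pwd_url and pwd_exp (password expiring within the 14-day window) or neither. The following is an added example, not code from this post or from ADFS, showing how a relying party would read the two claims out of an id_token and turn pwd_exp (seconds until expiry, counted from when the token was issued) into a concrete expiry time and a link to the change page. The token, the issuer, the client id, the user and the change URL are all constructed sample values; the only real items are the claim names upn, name, pwd_url, pwd_exp and c_hash from the post.

```python
import base64
import json
import time
from datetime import datetime, timezone
from typing import Optional

# Claim names as they appear in the ADFS (Server 2016 TP4) id_token.
PWD_URL_CLAIM = "pwd_url"
PWD_EXP_CLAIM = "pwd_exp"

# Constructed sample claims (not a token captured from a real ADFS farm).
# iat is 2016-04-14T00:00:00Z; pwd_exp is a string, roughly 4 days in seconds.
SAMPLE_CLAIMS = {
    "iss": "https://adfs.example.com/adfs",          # constructed issuer
    "aud": "constructed-client-id",                  # constructed client id
    "iat": 1460592000,
    "exp": 1460595600,
    "upn": "jdoe@example.com",
    "name": "Jane Doe",
    "pwd_url": "https://adfs.example.com/adfs/portal/updatepassword/",  # constructed
    "pwd_exp": "350000",
    "c_hash": "constructed-c-hash",
}


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict = SAMPLE_CLAIMS) -> str:
    """Build a header.payload.signature string with a FAKE signature segment.

    This exists only so the example runs offline; a real ADFS id_token is
    RS256-signed and must be verified by the OpenID Connect library before
    any claim in it is trusted.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.not-a-real-signature"


def read_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT. Decodes only; does NOT validate.

    Call this only on a token your OIDC middleware has already verified.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def password_expiry_notice(claims: dict, now: Optional[float] = None) -> Optional[dict]:
    """Turn pwd_exp / pwd_url into something the web app can display.

    pwd_exp counts seconds from token issuance, so it is added to 'iat',
    not to the time the app happens to inspect the token. Returns None when
    ADFS omitted the claims (password not expiring within the next 14 days),
    so callers must treat the absent case as normal rather than as an error.
    """
    if PWD_EXP_CLAIM not in claims or PWD_URL_CLAIM not in claims:
        return None
    issued_at = float(claims.get("iat", time.time() if now is None else now))
    seconds_left = int(claims[PWD_EXP_CLAIM])   # ADFS may emit it as a string
    expires_at = datetime.fromtimestamp(issued_at + seconds_left, tz=timezone.utc)
    return {
        "upn": claims.get("upn"),
        "days_left": seconds_left // 86400,
        "expires_at": expires_at,
        "change_url": claims[PWD_URL_CLAIM],
    }


if __name__ == "__main__":
    token = make_sample_token()
    claims = read_payload(token)
    print([k for k in claims if k in ("upn", "name", "pwd_url", "pwd_exp", "c_hash")])
    notice = password_expiry_notice(claims)
    if notice is None:
        print("no password warning: pwd_url/pwd_exp not present")
    else:
        print(f"{notice['upn']}: password expires in {notice['days_left']} days "
              f"({notice['expires_at'].isoformat()}), change it at {notice['change_url']}")
```

The point of splitting the work into read_payload and password_expiry_notice is that signature validation stays with the OIDC library; this code only interprets claims that have already been verified, and it never treats a missing pwd_exp as a fault, since that is exactly what ADFS sends for a password that is not within the 14-day window.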

If you want to add this link permanently to the ADFS login page, refer:

I love the SSPR functionality but my users authenticate with AD FS.

Note that this is for the Azure AD SSPR link, but there is nothing stopping you changing the wording from "Can't access your account?" to "Change your password" and setting the URL to the ADFS "Change Password" URL as above.

Code sample for this here.

Enjoy!
