Apply password policies for SSO users

Created on 12 June 2023, over 1 year ago

Problem/Motivation

Sometimes SSO users may face connection issues through Exchange servers. At that time they can ask admins to change or add a password, which should be subject to the password policies.

Steps to reproduce

1. In Drupal 10, install the dependent modules such as externalauth, openid_connect and windows azure open id connect, and make the necessary settings in config.
2. Log in as a new user using the Windows Azure AD button.
3. On the People page, edit this user's profile and try changing the password to "abc".
4. Password policies are ignored on form validation and the password is updated to "abc".

Additional Details

In D9, password policies are not ignored, as we have the simplesamlphp_auth module installed along with password_policy. By default, the password fields are hidden; when the "Enable this user to leverage SAML authentication" checkbox is selected, the password fields are enabled and, at that time, the user record is removed from the auth_map table as well.

Because of this, the logic

  // Check if user is authenticated externally.
  if (\Drupal::moduleHandler()->moduleExists('externalauth')) {
    $authmap = \Drupal::service('externalauth.authmap');
    $account = $form_state->getFormObject()->getEntity();
    $external_ids = $authmap->getAll($account->id());
    if ($external_ids) {
      return;
    }
  }

inside _password_policy_user_profile_form_validate is ignored and policies are validated.

In Drupal 10 we do not have the simplesamlphp_auth module, the password fields are shown by default, and the user data is validated against the auth_map table. Because there is a single record in the table, the above condition evaluates to true, the rest of the code related to policy validation is ignored, and an admin is able to save a weak password for SSO users.

Proposed Solution

The workflow difference between D10 and D9 is due to the simplesamlphp_auth module; adding a condition to check whether this module exists will fix this for D10.
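
The guard discussed above, modelled as plain PHP so the D9 and D10 outcomes can be compared side by side. This is an added example, not code from the issue or from the password_policy module: the function names, the module lists and the authmap values are constructed, and the "proposed" function is one reading of the fix described above (an assumption).

```php
<?php
declare(strict_types=1);

/**
 * Models the early return quoted above: TRUE means password policy
 * validation is skipped for the account being edited.
 */
function skips_policy_current(array $modules, array $external_ids): bool {
  return in_array('externalauth', $modules, true) && $external_ids !== [];
}

/**
 * Assumed reading of the proposed fix: keep the early return only on
 * sites where simplesamlphp_auth is installed.
 */
function skips_policy_proposed(array $modules, array $external_ids): bool {
  return in_array('simplesamlphp_auth', $modules, true)
    && skips_policy_current($modules, $external_ids);
}

// Constructed scenarios: [enabled modules, authmap rows for the account].
$scenarios = [
  'D9, SAML user, checkbox not ticked' => [
    ['externalauth', 'simplesamlphp_auth', 'password_policy'],
    ['constructed_provider' => 'constructed-authname'],
  ],
  'D9, checkbox ticked (authmap row removed)' => [
    ['externalauth', 'simplesamlphp_auth', 'password_policy'],
    [],
  ],
  'D10, Azure AD user (authmap row present)' => [
    ['externalauth', 'openid_connect', 'password_policy'],
    ['constructed_provider' => 'constructed-authname'],
  ],
];

foreach ($scenarios as $label => [$modules, $ids]) {
  printf(
    "%-45s current=%-9s proposed=%s\n",
    $label,
    skips_policy_current($modules, $ids) ? 'SKIPPED' : 'validated',
    skips_policy_proposed($modules, $ids) ? 'SKIPPED' : 'validated'
  );
}
```

Only the D10 row differs between the two columns: the current guard skips validation there, while the assumed fix lets the policy constraints run.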

Category: Feature request
Status: Active
Version: 4.0
Component: Code
Created by: bala_28 (🇮🇳 India, Chennai)
