Hi Chris and all!
Chris, thanks for putting together the guide on integrating FreeIPA with Okta. The integration works fine except for accounts with expired passwords. Okta will allow login for an account with an expired password. Although the guide says "This is all well documented and supported within OKTA.", Okta's support team said they haven't tested the integration with FreeIPA and for OKTA to recognize the password has expired, the user has to have the pwdReset attribute set to TRUE (for expired) or FALSE (https://support.okta.com/help/Documentation/Knowledge_Article/Configuring-Yo...). I can't find the pwdReset attribute anywhere in the FreeIPA schema, which suggests I'll have to extend it, unless Okta is willing to recognize and honor the krbPasswordExpiration attribute used in the guide. Have you or someone on the list gotten this to work properly?
Thanks so much in advance, Guillermo
------------
From: Chris Whittle <cwhittl gmail com>
To: dpal redhat com
Cc: freeipa-users <freeipa-users redhat com>
Subject: Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium
Date: Tue, 12 Aug 2014 08:46:26 -0500
http://www.freeipa.org/page/HowTo/Integrate_With_Okta
On Sat, Aug 9, 2014 at 11:31 PM, Dmitri Pal <dpal redhat com> wrote:
On 08/08/2014 04:26 PM, Chris Whittle wrote:
...
Hi all, Anybody having this issue? Thanks in advance!
GUILLERMO FUENTES SENIOR SYSTEMS ADMINISTRATOR
T: 561-880-2998 x1337
E: guillermo.fuentes@modmed.com
On Tue, Jul 25, 2017 at 11:34 AM, Guillermo Fuentes <guillermo.fuentes@modernizingmedicine.com> wrote:
Hi Chris and all!
Chris, thanks for putting together the guide on integrating FreeIPA with Okta. The integration works fine except for accounts with expired passwords. Okta will allow login for an account with an expired password. Although the guide says "This is all well documented and supported within OKTA.", Okta's support team said they haven't tested the integration with FreeIPA and for OKTA to recognize the password has expired, the user has to have the pwdReset attribute set to TRUE (for expired) or FALSE (https://support.okta.com/help/Documentation/Knowledge_Article/Configuring-Your-LDAP-Password-Reset-Settings). I can't find the pwdReset attribute anywhere in the FreeIPA schema, which suggests I'll have to extend it, unless Okta is willing to recognize and honor the krbPasswordExpiration attribute used in the guide. Have you or someone on the list gotten this to work properly?
Thanks so much in advance, Guillermo
From: Chris Whittle <cwhittl gmail com>
To: dpal redhat com
Cc: freeipa-users <freeipa-users redhat com>
Subject: Re: [Freeipa-users] Trying To Connect FreeIPA with OKTA/OneLogin/Bitium
Date: Tue, 12 Aug 2014 08:46:26 -0500
http://www.freeipa.org/page/HowTo/Integrate_With_Okta
On Sat, Aug 9, 2014 at 11:31 PM, Dmitri Pal <dpal redhat com> wrote:
On 08/08/2014 04:26 PM, Chris Whittle wrote:
...
freeipa-users@lists.fedorahosted.org