Problem/Motivation

This is a follow-up issue for #2968598: User with simplesaml_auth can't change password
Currently, if the user has just registered through SAML authentication, they have to reset their password to be able to change their information, as they don't know their password.
This is really a very bad user experience and doesn't make sense at all.
Also, what if the SAML authentication does not provide the email for the users? In this case, how should the users reset their passwords?

Proposed resolution

I suggest following the one-time-login-link way when the user is logged in for the first time only. In this case, the user will be able to set a new password and edit their information for the first time only without entering the current password. Then, if they forget the password, they can reset it in the usual way.

User interface changes

The current password field will be hidden when the user is logged in for the first time, and they should be redirected to the edit profile page instead of the view profile page if the setting (Allow SAML users to set Drupal passwords) is checked.
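
The first-login-only rule proposed above, sketched in plain PHP as an added example; it is not the patch from this issue and not code from Drupal core or the simplesamlphp_auth module. The function names, the `first_login_` session key and the convention that a last-login value of 0 means "never logged in" are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Sketch only: plain PHP, no Drupal APIs. Every name here is hypothetical.

/** Issue a session-bound token, but only on the account's very first login. */
function issueFirstLoginToken(array &$session, int $uid, int $lastLogin, bool $allowSetPassword): ?string
{
    if (!$allowSetPassword || $lastLogin !== 0) {
        return null; // Setting disabled or returning user: no bypass is offered.
    }
    $token = bin2hex(random_bytes(32)); // Unguessable value from the CSPRNG.
    $session['first_login_' . $uid] = $token;
    return $token;
}

/** True only if the request token matches the one stored for this user in this session. */
function maySkipCurrentPassword(array $session, int $uid, string $requestToken): bool
{
    $stored = $session['first_login_' . $uid] ?? null;
    // hash_equals() compares in constant time; an empty token never matches.
    return is_string($stored) && $requestToken !== '' && hash_equals($stored, $requestToken);
}

/** Decide whether a password change is accepted; a matching token is consumed on use. */
function changePassword(array &$session, int $uid, string $requestToken, bool $currentPasswordValid): bool
{
    if (maySkipCurrentPassword($session, $uid, $requestToken)) {
        unset($session['first_login_' . $uid]); // Single use: the bypass works exactly once.
        return true;
    }
    return $currentPasswordValid; // Otherwise the usual current-password check applies.
}

// Constructed walk-through with a made-up user id.
$session = [];
$token = issueFirstLoginToken($session, 42, 0, true) ?? '';
var_dump(changePassword($session, 42, $token, false)); // First login, token presented, no current password.
var_dump(changePassword($session, 42, $token, false)); // Same token presented a second time.
var_dump(issueFirstLoginToken($session, 42, 1700000000, true)); // A later login by the same account.
```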

Comments

Anas_maw created an issue. See original summary.

anas_maw’s picture

Title: User with simplesaml_auth don't know there password » Users with simplesaml_auth don't know their passwords after the registration

pdenooijer’s picture

Seems like a good approach to me! The code implementation should be very strict though as this could have serious security implications if done wrong.

anas_maw’s picture

Hello, this is an initial patch to start from; I think it still needs some minor tweaks.
This patch will allow users to set their password when they log in for the first time only, using the password reset mechanism.
Also, I added a new option (Force set Drupal password) which will force users to set the Drupal site password when they log in for the first time.

Notes:
- Please apply this patch, #3089049-2: Don't set the access time of newly registered users, or use the development version of the external_auth module to get the expected results.
- When Drupal 8.9.0 is up, we should change the way we use PHP $_SESSION; please check #2473875: Convert uses of $_SESSION to symfony session retrieved from the request.

anas_maw’s picture

Priority: Normal » Major
Status: new, file size: 9.21 KB

Remove deprecated code from the patch
Please review

anas_maw’s picture

Fixes...

anas_maw’s picture

Fixes ....

anas_maw’s picture

Status: new, file size: 9.44 KB

More fixes