ADFS: Configure your password change

by albandrod, posted in ADFS, ADFS 3.0, Uncategorized

Users are always allowed or forced to change their passwords, and sometimes this actions increment the amount of work to IT. However, in ADFS 3.0 include a feature that enable a self-service portal password change available for your end-users.

So this post tries to follow the steps to configure it:

  • First, enable the Password Change Portal:Open your AD FS Management tool on the primary server, navigate to the EndPoints under Services\Endpoints. At the bottom you will see the /ADFS/portal/updatepassword/ endpoint, right click it and choose enable. Right click again and choose enable on proxy.
  • Test change password portal: browse to https://sts.domain.com/adfs/portal/updatepassword you will similar to the adfs login page where you can update your password
  • Enable password expiry notification: You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying party trusts (applications) that are protected by ADFS. To do this it is necessary to configure a Claim Rule:

c1:[Type == “http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”%5D => issue(store = “_PasswordExpiryStore”, types = (“http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”, “http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays”, “http://schemas.microsoft.com/ws/2012/01/passwordchangeurl”), query = “{0};”, param = c1.Value);

  • Finally: you can tweak your ADFS login page to show a link to the change password portal

That’s all!

Ref: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-user-sign-in-customization

 

Advertisement

2 thoughts on “ADFS: Configure your password change

  1. Hi,
    I would like to add a password expiration warning on the ADFS portal once the user enters his credential if it’s about to expire. Do you think it’s possible?
    If so, how?

    Like

    Reply

    1. Interesting approach Martin, you can customize the pages in ADFS, but my concern will be how will you manage to put that info for each user. Of course you can get the lastpassworddatechange from AD or O365, but then, you will need to add some intelligence in some part in order to show that info to the user…

      I do not tried yet if it’s possible to include some C language or PowerShell into ADFS page, maybe it’s possible. You can try the approach 🙂

      Let me know anything else!

      Like

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s