Disable Change Password Prompt On First Login?

Dean Flinter shared this idea 16 days ago
Idea Logged

Hi,

We use pass through authentication a lot, so we need to make sure that our users' Yellowfin passwords match those of the DB.

When we create a new user, they are prompted to change their password on first login, and despite plenty of warnings not to do so, many do, requiring us to reset passwords back.

Is it possible to disable this prompt on a user's first login? Would save a lot of headaches!


Thanks

Dean

Comments (8)


Hello Dean,

It sounds like you are using a Single Sign On solution, is that correct?

If so, you may want to review this document for information on setting 'no password' configuration. https://wiki.yellowfinbi.com/display/yfcurrent/Single+Sign+on

I hope that helps. Please let me know if you have any more questions.

Have a great day,

David


Hi David,

We're not actually using SSO although it is something we will move to in the future.

As such, for native sign on is there any way to disable this prompt?


Thanks

Dean


Hi David,

The last post from here: https://community.yellowfinbi.com/topic/configure-welcome-screen is workable for us. Just wondering though if there is a way to change the default behaviour so PasswordExpired=0?

If not, and if there is no other way of doing this, then manually changing it on new user creation is fine.


Thanks

Dean


Hi Dean,

You can set the PasswordExpired=0 with a Web Service call. I don't know of a way to set it as the default however. That login page is not part of the password expiration system, so I don't think it will help with your initial request.

I can get that sent up to the product team as an enhancement to the product though. Would you like me to do that?

Regards,

David


Hi David,

Yeah, I think what I was really asking was if there was a way to change it so that new accounts are not set to password expired by default. In my mind I was thinking that this screen was part of the user welcome and if it could be disabled, it would mean users did not have to change their password on first login. I realise now I was just asking to set password expiry to 0 for new accounts.

If you could raise the idea of giving control of password expiry for new accounts to Admin accounts, that would be great.


Thanks

Dean


Hi Dean,

I believe if the user is logging in with a pre-generated token it should bypass that page, but I will need to test this to make sure. Otherwise if they are logging in with a pre-set password it is a security best practice to have the user set their own password. I'm happy to submit this as an enhancement, but I think there will be security issues to consider before implementing it.

I'll let you know what I find out about the token.

David


Hi David,

Apologies for the delay.

I appreciate the security concerns. Normally we would do it that way but since we use pass through authentication on our data sources, we need to keep the Yellowfin and database passwords in sync. We don't normally allow users to know the database endpoints as we do not want them to have access to the database outside of Yellowfin. As such we have to centrally manage passwords. We securely share creds with access expiry so we're happy enough to use this system for now.

As I mentioned, we do plan to use SSO in the future. What has stopped us so far is the fact that we use Azure AD, which YF only supports via SAML. This would mean making our instance web accessible and all the security changes that would entail. We just haven't gotten around to doing all that.

On the enhancement request itself, technically what I am requesting is possible by manually editing each user when you create them and gives rise to all the security concerns you mentioned. All I am asking is that Administrators have the ability to change the default behaviour if desired, with the default for this option being the current setup.


Thanks

Dean


Thank you Dean. As this does not have any private or secure information in it, I have converted it to an Idea in our Community so people can find it and comment on it. Further updates will be posted here also.

One possible workaround would be to have an admin perform the first login as the user and go through the password setting process before the user does. Again, I don't think I can recommend this for security reasons.

Regards,

David