In a non-federated setup, password handling is a crime. I end up with around 50 users who (most likely) all have a different password (and tend to forget them)!
If passwords are re-used/shared between individuals/departments (although it is made clear that this is disapproved of, I have no way of checking...), it becomes quite obvious that some valid account/password combination can easily be used outside our organization. (A simple scenario: a disgruntled ex-employee, a temp? Even though I would immediately delete their individual accounts, I have no idea if they know of any other valid (shared) account/password combinations. Account names are practically given...)
For security reasons I want to, once in a while, or after particular events, force a new password for all my users. As of now I can force a reset, but this way each user has to use valuable time going through the reset process using their individual CONNECTION Clients.
I prefer a setup where the Administrator can force a new (global) password to all users.
Understood - for admins, password maintenance is onerous and time-consuming, but a major benefit of federation is getting control of passwords, reduced account management time for admins, and overall higher security, so I would recommend that above anything else. It's easy to set up - we've done it in under a 1/2 hour for some customers.
With that said, we are actively working on a way for federated IMS user admins to trigger password resets on behalf of their users, but it will not include the option to set multiple users with the same password, for security reasons.