Expire Password and Force Reset

We have a use case where we wanted to be able to force a Password Change in order to apply a new Password Policy that required a greater length. We ran into issues where we could use the API to expirePassword, and the user’s status would change to PASSWORD_EXPIRED, but it would reset back to Active the next day. Furthermore, if a user was set up to use FastPass, FIDO2, or some other passwordless login, they were never prompted to change their password.

The solution we came up with:
Add User to NewPolicyGroup.

Workflow 1:
Trigger: User Added to Group
Continue if group is NewPolicyGroup
Run Custom API to Expire Password - /api/v1/users/{ID}/lifecycle/expire_password
Add User to ExpiredPasswordGroup

Workflow 2:
Trigger: 5 Min Schedule
List Group Members ExpiredPasswordGroup, Stream to Helper

Workflow 3:
Trigger: Helper Flow
Search System Logs, Descending
debugContext.debugData.requestUri eq "/api/v1/users/{ID}/lifecycle/expire_password"
Return Published Date
Search System Logs, Descending, Since Published Date
target.detailEntry.authenticatorKey eq "okta_password" and actor.id eq "{ID}"
Continue If Published is not empty
Remove User from Group ExpiredPasswordGroup

Create new Global Session Policy
Apply to ExpiredPasswordGroup
Require Password + MFA

Explanation:
When a user is added to the NewPolicyGroup, the API call expires their password and adds them to the ExpiredPasswordGroup. Because they are part of this group, the new Global Session Policy will apply to them at next login, and they will be forced to log in with their Password. Another Workflow checks every 5 mins for users in the group, and streams them to the 3rd Workflow. It looks in the logs for when the user’s password was expired via API, then looks in the logs again to see if they have successfully logged in with the authenticator being Password since the API expiration. If they have, they’re removed from the group, and the next login is back to their original Global Session Policy. If they change their password, but then cancel the MFA Prompt, they remain in the group because they did not complete a successful login, and they will be prompted the next time for their password until they fully log in.

Hope this helps someone! When I have time, I’ll try and create an actual template for this process. Feel free to suggest any improvements!
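
Below is an added example (not code from the post above or from Okta) that models the decision Workflow 3 makes for each streamed group member: find the newest System Log event whose requestUri is the user's expire_password call, then look for a password authentication by that user published after it. The user id, the event shapes and the four log events are constructed for the example; the only fields used are the ones the post's two log searches filter on (published, actor.id, target[].detailEntry.authenticatorKey, debugContext.debugData.requestUri) plus outcome.result, which the post's filter does not check and is added here as an assumption so that a failed password attempt after expiry cannot clear the user. No call is made to Okta; the function that builds the expire request only returns the method and path.

```python
from datetime import datetime, timezone

# Path the "Run Custom API" step in Workflow 1 calls (taken from the post).
EXPIRE_PATH = "/api/v1/users/{user_id}/lifecycle/expire_password"

# Hypothetical user id used throughout the constructed sample data.
USER_ID = "00u1example"


def _event(published, actor_id, request_uri=None, authenticator=None, result=None):
    """Build a minimal System Log-shaped event. Constructed test data, not real Okta output."""
    e = {"published": published, "actor": {"id": actor_id}, "target": []}
    if request_uri:
        e["debugContext"] = {"debugData": {"requestUri": request_uri}}
    if authenticator:
        e["target"].append({"type": "AuthenticatorEnrollment",
                            "detailEntry": {"authenticatorKey": authenticator}})
    if result:
        e["outcome"] = {"result": result}
    return e


SAMPLE_EVENTS = [
    # Password login the day before the expiry: must not count.
    _event("2024-01-09T08:00:00.000Z", USER_ID, authenticator="okta_password", result="SUCCESS"),
    # Workflow 1's custom API call; the actor is the API token / admin, not the user.
    _event("2024-01-10T09:00:00.000Z", "00uadminexample",
           request_uri=f"/api/v1/users/{USER_ID}/lifecycle/expire_password"),
    # Wrong password after expiry: matches the post's filter but is not a successful login.
    _event("2024-01-11T10:00:00.000Z", USER_ID, authenticator="okta_password", result="FAILURE"),
    # Successful password authentication after expiry: this is what should clear the user.
    _event("2024-01-12T11:00:00.000Z", USER_ID, authenticator="okta_password", result="SUCCESS"),
]


def parse_published(ts):
    """Okta publishes RFC 3339 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def expire_password_request(user_id):
    """Method and path Workflow 1 sends. Returned, not sent, so the example runs offline."""
    return "POST", EXPIRE_PATH.format(user_id=user_id)


def last_expire_event(events, user_id):
    """First log search: newest event whose requestUri is this user's expire_password call."""
    _, path = expire_password_request(user_id)
    hits = [e for e in events
            if e.get("debugContext", {}).get("debugData", {}).get("requestUri") == path]
    return max(hits, key=lambda e: parse_published(e["published"]), default=None)


def password_auths_since(events, user_id, since, require_success=True):
    """Second log search: actor.id eq user and a target with authenticatorKey okta_password,
    restricted to events published after `since`. require_success adds an outcome.result
    check the post's filter does not have (assumption), so a failed attempt cannot clear the user."""
    hits = []
    for e in events:
        if e.get("actor", {}).get("id") != user_id:
            continue
        if parse_published(e["published"]) <= since:
            continue
        used_password = any(t.get("detailEntry", {}).get("authenticatorKey") == "okta_password"
                            for t in e.get("target", []))
        if not used_password:
            continue
        if require_success and e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        hits.append(e)
    return hits


def should_leave_expired_group(events, user_id):
    """Decision for one streamed group member: True means remove from ExpiredPasswordGroup."""
    expiry = last_expire_event(events, user_id)
    if expiry is None:
        # No expiry record visible (never expired, or the event is no longer in the log):
        # keep the user in the group rather than guess.
        return False
    since = parse_published(expiry["published"])
    return bool(password_auths_since(events, user_id, since))


if __name__ == "__main__":
    print(expire_password_request(USER_ID))
    print("remove from group:", should_leave_expired_group(SAMPLE_EVENTS, USER_ID))
```

Run as-is it reports that the sample user should be removed, because the successful password authentication on 2024-01-12 is later than the expiry on 2024-01-10; drop that last event and the failed attempt alone keeps the user in the group. If the expiry event is absent from the events passed in, the user is kept in the group, which is the safe side of the decision.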

Hi, @daniel.oldenkamp — welcome to the Workflows forum!

Your solution sounds :+1:.

Several things to consider.

Workflow 1:
Trigger: User Added to Group
Continue if group is NewPolicyGroup
Run Custom API to Expire Password - /api/v1/users/{ID}/lifecycle/expire_password
Add User to ExpiredPasswordGroup

Use an event hook to eliminate the ‘Continue if group is NewPolicyGroup’ step.

Set up an event hook with a filter to invoke a flow only when a user is added to the User Added Group. You will find examples here:

It looks in the logs for when the user’s password was expired via API, then looks in the logs again to see if they have successfully logged with the authenticator being Password since the API expiration.

The System Log keeps data for 90 days. Anything older than 90 days is removed. If a user doesn’t change their password within 90 days, the time when their password was expired via the API will be removed.