If SSO is enabled, many authenticated modules still ask for the user's password. In particular, the change password module and the update profile module require a password because they use the user's credential to connect to the LDAP system. This happens even if a proxy user has been configured for the target system.
Steps to reproduce:
1. Configure an SSO authentication method (for example, HTTP header).
2. Enable the Change password and update profile modules.
3. Log on to the system with the external SSO (or make all requests using the correct header), then click on the Change Password module or update profile module.
The system will redirect the user to the login page asking for a password, but the user has already been authenticated (maybe even with stronger factors) by the external identity provider.
This is normal behavior depending on the directory and configuration. I'm assuming you mean AD, which is one of the few LDAP directories that allow changing the password via a proxy user (aka 3rd party change) without consequences. Can you confirm this is for AD, or are you having this issue with another LDAP directory?
The behavior changed after version 1.7. With version 1.7, we were able to let the user change his password without requiring him to provide a password.
I confirm the target environment is AD and we have already configured a proxy account. We are verifying the new PWM version before upgrading our current 1.7 version.
We managed to create a chai provider if the proxy account is defined (we just used existing code, wired up on the authentication section), as per the attached pull request.