
How to force ORG users to change password

04-23-2014 11:58 AM, by PF1 (Frequent Contributor)
I help to administer an ArcGIS Online Organizational solution. We have close to 100 members or so from our enterprise that can log in to that. Our user accounts are NOT using the enterprise login feature (like SAML back to our internal AD structure), so we are just using the built-in identity provider (Esri GLOBAL accounts?!).

The Esri ArcGIS Online product appears to have been vulnerable to the OpenSSL Vulnerability CVE-2014-0160 (Heartbleed) as documented on the Esri Knowledge Base and subsequently patched with new CA certs:
• ArcGIS Online – Mitigations have been applied to all service endpoints and certificates have been re-issued across the platform. As a precautionary measure, Esri encourages users to change passwords for systems where mitigations have been completed, such as ArcGIS Online.


Is there a way I can force the user to change their password on next login for all my users in the ORG solution? I can blast out emails asking them to, but I have not yet found a way to force it. If I cannot force them, is there a way I can get notified that they have changed their password for our tracking purposes? I know I could disable the user, but cannot find a better way to mitigate the risks of user accounts being compromised.

It does appear that it might be possible to set the user's password to a random one, provide that to the user, have them reset it, and track progress that way. It might be possible through the update user operation, as it's listed in the user parameters section (although I have not tested this yet).

Thanks in advance for any guidance!
1 Reply
by PF1 (Frequent Contributor)
Update...

So it seems that I CANNOT actually change a user's password... :mad:

Here is the attempt to change a user's password:
URL: https://<ORGNAME>.maps.arcgis.com:443/sharing/rest/community/users/<USERNAME>/update
DATA: {'token': '<SUPER LONG OBSCURE TOKEN>', 'password': '<RANDOM PASSWORD>', 'f': 'json'}
HTTP RESPONSE: {'username': '<USERNAME>', 'success': True}

I can, however, disable them with an undocumented REST operation... 🙂

Here is disabling the user:
URL: https://<ORGNAME>.maps.arcgis.com:443/sharing/rest/community/users/<USERNAME>/disable
DATA: {'token': '<SUPER LONG OBSCURE TOKEN>', 'f': 'json'}
HTTP RESPONSE: {'success': True}


So...

Even though I get a response saying 'success' that the password was changed, the user can still log in with their old password and not their new one. The user is actually disabled, though, if I run the second command. Both are over an HTTP POST method.

At any rate, we are mitigating this by:

  1. Sending an email to all users asking them to change their password

  2. Asking those users to notify us once they have complied

  3. Tracking which users have not complied

  4. Disabling users that have not complied (after 15 or 30 days)

  5. Deleting the user if the account was disabled for more than 60 days


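As an added example that is not from the original thread, here is a small Python tracker for the five-step mitigation above: for each user it decides whether to remind, disable (via the `/disable` operation quoted in the reply) or delete, and issues the POST through an injected function so it runs offline. The `delete` operation, the `ORG`/`TOKEN` placeholders and the sample roster are assumptions, not values from the post.

```python
from datetime import date

ORG = "<ORGNAME>"            # placeholder, as written in the post
TOKEN = "<ADMIN TOKEN>"      # placeholder; load from a secret store in practice
DISABLE_AFTER = 30           # days after the email before disabling (post: 15 or 30)
DELETE_AFTER = 60            # days disabled before deleting (post: more than 60)

def endpoint(username, op):
    """URL for a community user operation: 'disable' is quoted in the reply;
    'delete' is the REST API's Delete User operation (assumed, not in the post)."""
    return f"https://{ORG}.maps.arcgis.com/sharing/rest/community/users/{username}/{op}"

def plan_action(user, today):
    """Return 'ok', 'remind', 'disable', 'wait' or 'delete' for one record.
    user keys: username, notified (date), confirmed (date|None), disabled_on (date|None)."""
    if user["confirmed"] is not None:
        return "ok"                      # step 2: user told us they complied
    if user["disabled_on"] is not None:  # step 5: disabled for more than 60 days
        return "delete" if (today - user["disabled_on"]).days > DELETE_AFTER else "wait"
    if (today - user["notified"]).days >= DISABLE_AFTER:
        return "disable"                 # step 4: no reply after the grace period
    return "remind"                      # step 3: still inside the grace period

def run(users, today, post):
    """Apply plan_action to every user. post(url, data) performs the HTTP POST
    and returns the decoded JSON. Returns [(username, action, success_or_None)]."""
    results = []
    for u in users:
        action = plan_action(u, today)
        ok = None
        if action in ("disable", "delete"):
            resp = post(endpoint(u["username"], action), {"token": TOKEN, "f": "json"})
            ok = bool(resp.get("success"))
            if action == "disable" and ok:
                u["disabled_on"] = today  # remember when the 60-day clock started
        results.append((u["username"], action, ok))
    return results

def fake_post(url, data):
    """Offline stand-in for requests.post(url, data=data).json()."""
    assert data["f"] == "json" and "token" in data
    return {"success": True}

# Constructed sample roster (not real accounts), evaluated as of 2014-05-30.
TODAY = date(2014, 5, 30)
SAMPLE_USERS = [
    {"username": "alice", "notified": date(2014, 4, 24), "confirmed": date(2014, 4, 25), "disabled_on": None},
    {"username": "bob", "notified": date(2014, 4, 24), "confirmed": None, "disabled_on": None},
    {"username": "carol", "notified": date(2014, 5, 20), "confirmed": None, "disabled_on": None},
    {"username": "dave", "notified": date(2014, 2, 1), "confirmed": None, "disabled_on": date(2014, 3, 20)},
]
```

Swap `fake_post` for a real `requests.post(...).json()` wrapper to act on the live organization; the decisions and the request shape stay the same.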