
How to force ORG users to change password

Discussion created by pfoppe on Apr 23, 2014
Latest reply on Apr 25, 2014 by pfoppe
I help to administer an ArcGIS Online Organizational solution. We have close to 100 members or so from our enterprise that can log in to that. Our user accounts are NOT using the enterprise login feature (like SAML back to our internal AD structure), so we are just using the built-in identity provider (Esri GLOBAL accounts?!).

The Esri ArcGIS Online product appears to have been vulnerable to the OpenSSL Vulnerability CVE-2014-0160 (Heartbleed) as documented on the Esri Knowledge Base and subsequently patched with new CA certs:
• ArcGIS Online - Mitigations have been applied to all service endpoints and certificates have been re-issued across the platform. As a precautionary measure, Esri encourages users to change passwords for systems where mitigations have been completed, such as ArcGIS Online.


Is there a way I can force the user to change their password on next login for all my users in the ORG solution?  I can blast out emails asking them to, but I have not yet found a way to force it.  If I cannot force them, is there a way I can get notified that they have changed their password for our tracking purposes?  I know I could disable the user, but cannot find a better way to mitigate the risks of user accounts being compromised. 

It does appear that it might be possible to set the user's password with a random one, provide that to the user, have them reset it, and track progress that way. This might be possible through the update user operation, as it's listed in the user parameters section (although I have not tested this yet).

Thanks in advance for any guidance!
