I also have the same issue.

The impact this has for your district:
Due to this issue, I'm unable to force users to reset their own password (which takes quite a bit of steps) thus allowing them to maintain a generic password. And even though I have this only set for students at my k-3 levels, it affects my entire domain.

Why you care about this issue:
Security! Utilizing generic passwords or a temporary password that is written down for initial set up is not safe and secure.

We would like to see this feature fixed as well. While it is fine for our badge users, it creates problems for our older students. 

We have this issue as well. We like the option of using badges for our younger students, but for security, we need the option to force a password reset for our older students. With Clever Badges SSO enabled, the force password reset option is not available to us.

Our district would love to have this resolved, we have been waiting expectantly for the past several months for a fix. This feature would ultimately allow us to allow our youngest users to authenticate in a safe way into district G Suite products. Removing the option "require a password change in the next sign in" does not match our district IT password policy, ultimately making this feature unavailable for the 6K student users it could benefit. 

We also have this issue and it is affecting the password security of our 3-12th grade students and employees. My only work-around is to disable the SSO setting after school, then prompting the password reset, then turning the SSO back on. Fixing this issue would have a great impact for our staff and students.

This is the same issue our district is having.  We would need to keep the change password functionality when SSO settings are configured. Simply allowing the checkbox to remain if the netmask change password URL is empty would solve this.  We currently cannot use clever badges because of this issue and have also been waiting on a fix for over a year.

We would also like the ability to retain the "Force password change" option while using Clever for SSO for younger students. If this needs to be removed in order to make Clever work with Google, is it possible to only lose that functionality for the OU's that are using Clever? We are looking to use Clever with k-3 grade students and understand if allowing them to use badges removes ability to force password change for them, but we can't lose that ability for the remainder of our domain, which is 4-12 grade students and all staff and faculty.

Lets expand the conversation beyond Clever, since it affects more than just Clever Users.

Official documentation outlining the issue is found here:
https://support.google.com/a/answer/60224?hl=en&ref_topic=6348126&visit_id=1-636446442976455090-3115985466&rd=1 under *How does the password change URL affect password changes?*

The workflow for using SSO is outlined here: https://developers.google.com/google-apps/sso/openid_reference_implementation with an image going through the authentication flow.

In order for a "Per OU SSO solution" to work, the authentication flow would need to change.  Between Steps 3 and 4 within the Google Login Authentication, there would need to be additional parameters based on the OU/Group/Device etc. to differentiate what happens when a user attempts to sign-in.

The primary reason that the Change Password flag is ignored (yes - ignored.  It can still be switched via API) is that with a SSO solution, theoretically, Google does not have valid authentication credentials stored for users.  They have a username, but no password.  The reason the Google password works on domains using Clever is that they restrict the SSO to a public IP Netmask which the users will never be on (1.1.1.1/32).  This combined with the Chrome Device setting allowing users to use the SSO page inspite of the netmask, is what allows their solution work without having 100% of your users have their accounts authenticate with Clever.

Essentially, this request is 2 fold.
1) Respect the changePasswordAtNextLogin flag and allow it to be configured in the GUI (regardless of SSO settings) -- a cPanel issue
2) Allow domains to configure SSO settings on a Granular (per OU) Basis -- also a cPanel issue.

We have this issue as well. We like the option of using badges for our younger students, but for security, we need the option to force a password reset for our older students. With Clever Badges SSO enabled, the force password reset option is not available to us.

This is also an issue for out school district.  We need for the password reset option to show up when this feature is enabled.

 Issue 779223  has been merged into this issue.

Hey Bin, can you check this?

This is a significant issue for our organization and poses a real and significant security exposure for our team and students.

We continue to have the same issue as well. Do we have a time frame for resolution? This is a significant security risk. 

We have this issue as well. We like the option of using badges for our younger students, but for security, we need the option to force a password reset for our older students. With Clever Badges SSO enabled, the force password reset option is not available to us.  This is a significant security flaw.

Throwing my two cents in here too. I just worked on enabling Third Party SSO today in order to use Clever Badges in our district and noticed that the option to force a user to reset their password was disabled when I tried to reset a password for a staff member. The issue in our district is that we want to use Clever Badges for grades K-2, and the higher grades will log in normally. Also, we manage our staff accounts through Google Admin, so we need the ability to force a password change on login for staff. If we give them default passwords and tell them to change them manually, they will not do it and this poses a security risk for our users.

Adding on to this issue. Our school utilizes this feature to enable stronger security practices and we currently cannot do so because of the feature being disabled.

We suffer from the same limitation...

We continue to have this issue. This issue poses a significant security risk for our users.

The issue still persist. Any time frame on repair?

I agree with many responses here. Unfortunately, it has caused more security issues when setting up new users or resetting passwords, as we are relying on the user to reset their password manually. Many do not or think, "I'll do that later" but don't. That makes the password less secure. Please make this a priority. If it should be put in as a feature request in Google Cloud Connect, I would gladly do this and share the link for votes. 

Related server-side issues
b/9425856
b/5002410

We would like to force password changes at next login while having a third-party-sso. I am only commenting to show more users are impacted by this setting. We would like to use Clever for our younger students so teachers can spend more time on lessons and less time logging people into chromebooks. However, the need to force a password change is greater than the SSO. 

There's some discussion of this issue in the GSFE Admins Google+ Group: https://plus.google.com/100606480902320583864/posts/LG5f8jhsHcH?cfem=1

#ME2 #MeToo

We would like to force password changes at next login while having a third-party-sso. 

We also would like this to be corrected.  At the very least allow this to be controlled by the OU. So if we enable for our K-1 students, fine do not force them to change their password but allow us to keep the force password option available for the rest of the OUs (grades 2-12 in this example) who are not using badges to sign on the Chromebook.  Makes a big security issue by not allowing us to control this by OU, that you force this issue on all users in the domain even if they are not all using the badges to sign in.

I agree with others here, that it would be nice if SSO could be by OU. We may want to use a different SSO based on school/grade. K-2 would use Clever Badges and maybe High School use MS Active Directory SSO.

And the Force Password Change at Next Login" HAS to work regardless of SSO settings. Unless maybe if accounts sync from AD or something. 

We are also dealing with this same issue

Going to reiterate this:
With SSO, Google should have no knowledge of your users Password.  This was the rationale behind changing (yes changing - it used to work in 2014) the behavior.

For those not using the Network Mask to limit signing into Google via SSO from Chromebooks only, the Change Password on next login _should_ be a feature within the identity provider, and have nothing to do with a setting within Google.  

The Login Audit Log will reflect if users are using SSO (SAML) or Google Password.  Only those users using Google Password will be affected by Google bringing back this feature - SAML sign-ins will still not be required to change their passwords.

This bug has an owner, thus, it's been triaged. Changing status to "assigned".

I agree with others.  This needs to be corrected and the sooner the better.

I am in agreement as well. We are unable to use badges in our district due to this restriction. If this could be resolved sooner rather than later it would be beneficial to our practice. 

This is a huge issue and an audit finding in my district.  

I have to reiterate that this is a problem. Please remedy it as soon as possible. 
We have Clever for mostly our K-2 and then the rest sign in with their Google creds.

While we're at it - why not allow per OU SSO Settings that would also remedy the problem.

This would also allow users from K-2 to use Clever while allowing 3-12 to use another solution and Staff to use ADFS.

Again, ultimately since the use of the Network Mask that Clever requires in their badge implementation is more of a hack than anything, the resolution should lie with Clever, and would be solved if you were using them as a SSO for all users.

Commenting to add another voice; this is impacting our school district (Strathmore Union Elementary) as well. In schools that wish to use Clever and Chromebooks together, this issue presents a choice between poor security or potentially wasted instructional time in the classroom (due to login issues addressed by Clever badges). Due to the popularity of Chromebooks and Clever in education, in my opinion, it's now irresponsible to ignore the impact this issue creates; and as for the impact to Google, this creates an opportunity for schools to give greater consideration to non Google products and services.