Hi @Ambuj Tripathi 

For SSO login users, the "password" column in the sys_user table should be empty.
And I think it should be prevented from setting a password using the password reset.
Is there a solution?

Hi @HS7 

It doesn't really matters whether the password field is set or not for the SSO users. The sso users (in your case users without admin role) will not be able to do the local login once you configure and enable the Adaptive Authentication policy correctly.

I think sso users can still change their passwords, and there is no provision to prevent it OOB. But even if they are able to set their passwords, they can't really login with username and password.

If you still want them to not allow to set their local login passwords, you can follow more simple and apt approaches -

1: Have a BR on sys_user table which checks the user role and prevents setting the password field if the user doesn't have admin role.

OR

2: Edit the UI action on the user profile page for change password and add the admin role there to make sure the change password UI action is only visible to admin users. However, if any admin user is logging in with SSO, then can see this UI action on their profile page.

Thanks!

Thank you @Ambuj Tripathi 

「SSO ユーザー (この場合、管理者ロールを持たないユーザー) は、アダプティブ認証ポリシーを正しく構成して有効にすると、ローカル ログインを実行できなくなります。」

具体的にどのような設定を行うべきか教えてください。