An instance where MFA (Multi Factor Auth) enabled, and user first time logs in after basic auth he will be directed to a ui page "google_auth_setup_page.do" - Expected from "login.do" and from a portal page say "/sp"
But when an admin made "Password needs reset" on a user during the first login in …after basic auth he will get "login_cpw.do" and afterwards "google_auth_setup_page.do" when using "/login.do"
Instead, if we tires from an SP page (/sp) with sasme settings….he will be taken to "login_cpw.do" page and stuck at there…… removing the /login_cpw.do" from URL will take to proper "google_auth_setup_page.do"
For Madrid and prior. But if the issue exists on newer version, you can also try this workaround
Same authentication token for logged-in and guest users but post Madrid it has different tokens pre and post login. It works by chance in NY and above just because the below code (In resolution) never gets executed because of invalid context built (CSRFValidator fails for the token and the input object is never passed to the c.server.get).
1 Clone the login widget of the required portal
2 In server script, please comment the following code and refer this widget in the login page.