diff --git a/shibboleth/backends.py b/shibboleth/backends.py
index 23f7159..a0c4e99 100644
--- a/shibboleth/backends.py
+++ b/shibboleth/backends.py
@@ -40,6 +40,15 @@ def authenticate(self, remote_user, shib_meta):
 if self.create_unknown_user:
 user, created = User.objects.get_or_create(username=username, defaults=shib_user_params)
 if created:
+ """
+ @note: setting password for user needs on initial creation of user instead of after auth.login() of middleware.
+ because get_session_auth_hash() returns the salted_hmac value of salt and password.
+ If it remains after the auth.login() it will return a different auth_hash
+ than what's stored in session "request.session[HASH_SESSION_KEY]".
+ Also we don't need to update the user's password everytime he logs in.
+ """
+ user.set_unusable_password()
+ user.save()
 user = self.configure_user(user)
 else:
 try:
diff --git a/shibboleth/middleware.py b/shibboleth/middleware.py
index 421bcc4..aadd52c 100755
--- a/shibboleth/middleware.py
+++ b/shibboleth/middleware.py
@@ -60,8 +60,7 @@ def process_request(self, request):
 # by logging the user in.
 request.user = user
 auth.login(request, user)
- user.set_unusable_password()
- user.save()
+
 # Upgrade user groups if configured in the settings.py
 # If activated, the user will be associated with those groups.
 if GROUP_ATTRIBUTES:
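Review bot: In shibboleth/backends.py, `set_unusable_password()` now runs only inside the `if created:` branch of `authenticate`, so an account that already exists under the Shibboleth username keeps whatever password it has; the per-login reset that the shibboleth/middleware.py hunk removes used to cover that case. If Django's `ModelBackend` is also enabled (not visible here), such an account stays reachable by local password without going through the IdP. If local passwords are not intended for these accounts, a guarded reset in the backend, before `auth.login()`, keeps the session hash stable after the first pass: `if user.has_usable_password(): user.set_unusable_password(); user.save()`. The explanatory triple-quoted string is an expression statement rather than a docstring, so `#` comments would be the conventional form. `authenticate` begins and continues outside the hunk.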