I have a use case forced upon me by industry regulation. I wish it wasn't there, but it is.

A user logs in to my service, navigates around, etc. The user can perform many actions, but one of the actions requires (by industry regulation) that the user re-enter the username and password prior to continuing. It does not matter if the user logged in 5 seconds beforehand. In order to complete this action the user must re-enter the username and password.

We are looking to integrate with another company, using SAML to power SSO and Federated IDs. Is there a way for us to tell the IdP to re-authenticate the user, even if the user is already authenticated?

Thanks Alan

Alan C.

1 Answer

For SAML 2.0 identity providers that support it you can pass ForceAuthn="true" as an attribute for the AuthnRequest. This will tell the IdP to not use any previous security context when authenticating the user.

John Downey
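As an added example (not code from the question, the answer, or any SAML library), the following service-provider side helpers show what the answer describes: an `AuthnRequest` built with `ForceAuthn="true"` for the regulated step, a check that a request actually carries that attribute, and a check on the returned assertion that the IdP honoured it. `ForceAuthn` is an instruction to the IdP, so a careful SP also confirms that the `AuthnInstant` on the assertion's `AuthnStatement` is no earlier than the request's `IssueInstant`; an IdP that quietly replayed an older session would fail that comparison. Entity IDs, URLs and the sample response are constructed placeholders, and signature validation of the response is assumed to have been done before these checks run.

```python
"""SP-side helpers for SAML 2.0 step-up re-authentication via ForceAuthn.
Example code written for this page; entity IDs and URLs are placeholders."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _utc_now_iso():
    return dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=False,
                        request_id=None, issue_instant=None):
    """Return (request_id, issue_instant, xml_bytes) for an AuthnRequest.

    force_authn=True adds ForceAuthn="true", telling the IdP not to reuse any
    existing security context and to authenticate the user again now.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or _utc_now_iso()
    attrs = {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, issue_instant, ET.tostring(root, encoding="utf-8")


def _parse_saml_time(value):
    """Parse the UTC xs:dateTime forms SAML uses, with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")


def requests_fresh_authentication(authn_request_xml):
    """True if the AuthnRequest sets ForceAuthn to an xs:boolean true value."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def authenticated_after(response_xml, issue_instant):
    """Check that the IdP really re-authenticated the user.

    Every AuthnStatement's AuthnInstant must be no earlier than the
    IssueInstant of the ForceAuthn request we sent. A response that carries
    an AuthnInstant from before the request is a reused session, so the
    regulated action must not proceed on it.
    """
    root = ET.fromstring(response_xml)
    statements = root.findall(f".//{{{SAML}}}AuthnStatement")
    if not statements:
        return False
    not_before = _parse_saml_time(issue_instant)
    return all(_parse_saml_time(s.get("AuthnInstant", "")) >= not_before
               for s in statements)


def sample_response(authn_instant):
    """Constructed, unsigned sample Response used only to exercise the checks."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
        f'Version="2.0" IssueInstant="2024-01-01T12:00:05Z">'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="s1"/>'
        f"</saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    rid, sent_at, req = build_authn_request(
        "https://sp.example/metadata", "https://sp.example/acs",
        "https://idp.example/sso", force_authn=True,
        issue_instant="2024-01-01T12:00:00Z")
    print(req.decode())
    print("ForceAuthn requested:", requests_fresh_authentication(req))
    print("stale session accepted:",
          authenticated_after(sample_response("2024-01-01T10:00:00Z"), sent_at))
    print("fresh login accepted:",
          authenticated_after(sample_response("2024-01-01T12:00:03Z"), sent_at))
```

Store the request ID and IssueInstant with the pending regulated action when the request is sent, then run `authenticated_after` on the response that comes back for that ID; a normal SSO login for the rest of the session can keep using a request without `ForceAuthn`.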