Subject: ForceAuthn
Hello,

I have a question about the “ForceAuthn” attribute in AuthnRequest. According to the SAML 2.0 core document the user cannot use a previously established session to get an assertion but must be (re-)authenticated.

ForceAuthn [Optional]
A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met.

If I read the document correctly there are no other requirements regarding the re-authentication process at the IdP. Does this mean that the IdP could also use some ‘passive’ authentication method like client cert or integrated windows authentication (NTLM/SPNEGO) to (re-)authenticate the user?

Regards,
Dimitar

passive authentication – The IdP does not visibly take control of the user interface from the requester and does not interact with the presenter in a noticeable fashion
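The ForceAuthn/IsPassive combinations in the definition quoted above, written out as an IdP-side decision function. This is an added example, not part of the original message and not any IdP product's code. The inputs `has_session` and `passive_methods_available` and the returned action labels are assumptions made for illustration; "fail-NoPassive" stands for answering with the SAML status code urn:oasis:names:tc:SAML:2.0:status:NoPassive.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def xs_bool(value, default=False):
    """Parse an xs:boolean attribute; an absent attribute takes the default."""
    if value is None:
        return default
    v = value.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    # Reject anything else (e.g. "TRUE") instead of silently treating it as false,
    # which would turn a forced re-authentication into session reuse.
    raise ValueError(f"not an xs:boolean: {value!r}")

def decide(authn_request_xml, has_session, passive_methods_available):
    """Return the action label (hypothetical names) for one AuthnRequest.

    has_session: a previous security context exists for the presenter.
    passive_methods_available: assumption; True when the IdP can authenticate
    without noticeable interaction (the message names client certificates
    and NTLM/SPNEGO as candidates).
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    force = xs_bool(root.get("ForceAuthn"))
    passive = xs_bool(root.get("IsPassive"))

    if not force and has_session:
        return "reuse-session"
    # From here a fresh authentication is required (ForceAuthn, or no session).
    if passive:
        # Both "true": fresh authentication only if IsPassive can be honoured.
        return "authenticate-passively" if passive_methods_available else "fail-NoPassive"
    # The quoted definition requires direct authentication but names no method.
    return "authenticate-fresh"

def sample_request(attrs=""):
    """Constructed sample AuthnRequest, not a captured message."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" '
            f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" {attrs}/>')
```
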