
saml-dev message


Subject: ForceAuthn



I have a question about the “ForceAuthn” attribute in AuthnRequest. According to the SAML 2.0 core document, the user cannot use a previously established session to get an assertion but must be (re-)authenticated:


ForceAuthn [Optional]
A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met.


If I read the document correctly, there are no other requirements regarding the re-authentication process at the IdP. Does this mean that the IdP could also use some ‘passive’ authentication method like client cert or integrated Windows authentication (NTLM/SPNEGO) to (re-)authenticate the user?

passive authentication – The IdP does not visibly take control of the user interface from the requester and does not interact with the presenter in a noticeable fashion.
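As an added example (not part of the original message, and not code from any SAML implementation), the following Python models the decision table that the quoted ForceAuthn/IsPassive text implies for an IdP, alongside the check a relying SP should make afterwards: when it asked for ForceAuthn, the AuthnInstant in the returned AuthnStatement must not predate its own request. The AuthnRequest is constructed for the example, the function names are hypothetical, and the `silent_method_available` flag is an assumption standing in for the client-certificate or SPNEGO capability the question asks about.

```python
"""Added example (not from the original message or any SAML library):
the IdP decision table implied by the quoted ForceAuthn/IsPassive text,
plus the SP-side check that a forced re-authentication really happened.
All function names are hypothetical."""
from datetime import datetime, timedelta
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Second-level status code an IdP returns when IsPassive cannot be met.
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Constructed AuthnRequest for this example (not a captured message).
SAMPLE_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_a1b2c3" Version="2.0" '
    'IssueInstant="2024-01-01T12:00:00Z" ForceAuthn="true" IsPassive="false" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs"/>'
)


def xs_boolean(value: Optional[str], default: bool = False) -> bool:
    """Parse an xs:boolean attribute; only true/false/1/0 are legal."""
    if value is None:
        return default
    v = value.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"invalid xs:boolean: {value!r}")


def parse_instant(value: str) -> datetime:
    """Parse a UTC xs:dateTime ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_authn_request_flags(xml_text: str) -> Tuple[bool, bool, datetime]:
    """Return (ForceAuthn, IsPassive, IssueInstant) from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    force_authn = xs_boolean(root.get("ForceAuthn"))
    is_passive = xs_boolean(root.get("IsPassive"))
    return force_authn, is_passive, parse_instant(root.get("IssueInstant"))


def idp_decide(force_authn: bool, is_passive: bool, has_session: bool,
               silent_method_available: bool) -> str:
    """Decide what the IdP does, following the quoted spec text.

    silent_method_available (an assumption of this example) models a method
    that needs no user interaction, e.g. client certificate or SPNEGO.
    Returns 'reuse_session', 'authenticate_silent',
    'authenticate_interactive' or the NoPassive status URI.
    """
    # Without ForceAuthn an existing security context may be reused.
    if has_session and not force_authn:
        return "reuse_session"
    # Fresh authentication is required (ForceAuthn, or no session at all).
    if silent_method_available:
        # Satisfies ForceAuthn and IsPassive at the same time.
        return "authenticate_silent"
    if is_passive:
        # IsPassive cannot be met: the IdP MUST NOT take over the UI.
        return STATUS_NO_PASSIVE
    return "authenticate_interactive"


def sp_accepts_authn_instant(force_authn: bool, request_issue_instant: datetime,
                             authn_instant: datetime,
                             skew: timedelta = timedelta(seconds=60)) -> bool:
    """SP-side check: after ForceAuthn the AuthnStatement's AuthnInstant
    must not predate the request, allowing bounded clock skew."""
    if not force_authn:
        return True
    return authn_instant + skew >= request_issue_instant


if __name__ == "__main__":
    force, passive, issued = parse_authn_request_flags(SAMPLE_REQUEST)
    print(idp_decide(force, passive, has_session=True, silent_method_available=False))
    print(sp_accepts_authn_instant(force, issued, issued - timedelta(minutes=10)))
```

The SP-side check is the practical caveat: ForceAuthn only tells the IdP what to do, so an SP that relies on it should confirm from the assertion's AuthnInstant that a fresh authentication actually occurred rather than trusting the request flag alone.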
