additional info in the rp rqst & reauth by idp

Cantor, Scott cantor.2 at
Tue Nov 27 10:35:42 EST 2012

On 11/27/12 10:30 AM, "ci_98yr" <ci_98yr at> wrote:
>Assuming the RP/SP is shib, where and how do we set the "forceAuthn"
>dynamically ; any pointers/samples for this?

Apache via ShibRequestSetting, RequestMap, etc. Search the wiki.

That isn't sufficient to prevent SSO. You have to enforce a limited window
from the time of authentication such as with the maxTimeSinceAuthn option
or application logic.

-- Scott

More information about the users mailing list