additional info in the rp rqst & reauth by idp

[Cantor, Scott]

On 11/27/12 10:30 AM, "ci_98yr" <ci_98yr at yahoo.com> wrote:
>
>Assuming the RP/SP is shib, where and how do we set the "forceAuthn"
>dynamically ; any pointers/samples for this?

Apache via ShibRequestSetting, RequestMap, etc. Search the wiki.

That isn't sufficient to prevent SSO. You have to enforce a limited window
from the time of authentication such as with the maxTimeSinceAuthn option
or application logic.

-- Scott