Problems getting forceAuthn and maxTimeSinceAuthn working

Romeo Theriault romeotheriault at gmail.com
Fri May 5 06:52:47 EDT 2017 

I'm using a shibboleth sp v2.5.6 (linux/apache 2.4) and the shibboleth idp
v3.1.2 and am trying to get forceAuthn and maxTimeSinceAuthn to work.
Initial login flow works as intended, i.e. redirected to IDP to auth, then
redirected back to the app and logged in.

I now have a need to force all subsequent requests to login to redirect the
user back to the IDP to re-enter their credentials. I set forceAuthn="true"
in my ApplicationOverride SSO attribute and maxTimeSinceAuth="30" in the
ApplicationOverride Sessions attribute (see below). After I wait 30 (and
more) seconds and go to relogin, I do not get sent back to the IDP and
using network tracing in chrome I see that the SP is not even re-requesting
a re-auth from the IDP.

Yes, I've been restarting shibd and apache after config changes.

Does anyone have any ideas why shibd isn't forcing a re-auth? Or see what
might be off in my configuration?

Relevant part of my SP ApplicationOverride config:

     <ApplicationOverride id="njdev212149-appid" entityID="
> https://njdev212149.corp.company.com/shibboleth"
> sessionHook="/sso/sso_validate.k">
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> relayState="ss:mem" handlerSSL="true" cookieProps="https"
> maxTimeSinceAuthn="30" >
>                 <SSO entityID="
> https://testidp.corp.company.com/idp/shibboleth" forceAuthn="true" >
>                 SAML2
>                 </SSO>
>                 <Logout>SAML2 Local</Logout>

...

Relevant apache/shib config:

    <Location ~ "/cgi-bin/.*/sso">
>         AuthType shibboleth
>         Require shib-session
>         # ShibCompatWith24 On   # Only needed if not using apache 2.4
>         ShibUseEnvironment On
>         ShibRequestSetting requireSession 1
>         ShibRequestSetting applicationId njdev212149-appid
>         ShibRequestSetting entityID
> https://testidp.corp.company.com/idp/shibboleth
>         AddHandler cgi-script .k
>         Options +FollowSymlinks +ExecCGI
>         Order allow,deny
>         Allow from all
>     </Location>
>     <Location />
>         ShibRequestSetting applicationId njdev212149-appid
>     </Location>
>     <Location /Shibboleth.sso>
>         Satisfy Any
>         Allow from all
>         SetHandler shib
>     </Location>


Thank you!

-- 
Romeo Theriault
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20170505/1675deac/attachment.html>

More information about the users mailing list