Problems getting forceAuthn and maxTimeSinceAuthn working

Cantor, Scott cantor.2 at
Fri May 5 16:32:16 EDT 2017

On 5/5/17, 6:52 AM, "users on behalf of Romeo Theriault" <users-bounces at on behalf of romeotheriault at> wrote:

> I now have a need to force all subsequent requests to login to redirect the user back to the IDP to re-enter their credentials. I set
> forceAuthn="true" in my ApplicationOverride SSO attribute and maxTimeSinceAuth="30" in the ApplicationOverride Sessions
> attribute (see below). After I wait 30 (and more) seconds and go to relogin, I do not get sent back to the IDP and using network
> tracing in Chrome I see that the SP is not even re-requesting a re-auth from the IDP.

That isn't what the setting means; it applies to the policy to enforce at the time an assertion is accepted to make sure ForceAuthn was honored, and has nothing to do with sessions or timeouts. You can't really be saying you want a 30 second timeout, but that's literally what you seem to be asking for here. I think you have not really explained what you want. But these settings are not how to do it.

-- Scott
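
The following is an added illustration, not part of the original message and not the Shibboleth SP's own code: a freshness check of the kind the reply describes, applied once when an assertion is accepted, comparing the `AuthnInstant` in the assertion against a maximum age. The function names, the `skew` parameter and the sample assertions are assumptions constructed for this example, and signature validation (which must come first) is omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def parse_instant(value):
    """Parse an xs:dateTime such as 2017-05-05T20:31:50Z into an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def authn_ages(assertion_xml, now):
    """Seconds elapsed between each AuthnStatement's AuthnInstant and `now`."""
    root = ET.fromstring(assertion_xml)
    return [
        (now - parse_instant(stmt.attrib["AuthnInstant"])).total_seconds()
        for stmt in root.iter("{%s}AuthnStatement" % SAML_NS)
    ]

def accept_assertion(assertion_xml, max_time_since_authn, now, skew=0):
    """Accept only if every AuthnStatement is recent enough.

    This runs at assertion acceptance. It does not expire an existing SP
    session and does not cause a new request to be sent to the IdP.
    `skew` (hypothetical parameter) is the tolerated clock difference in seconds.
    """
    ages = authn_ages(assertion_xml, now)
    if not ages:
        return False  # no authentication statement to evaluate
    return all(-skew <= age <= max_time_since_authn + skew for age in ages)

def make_assertion(authn_instant):
    """Build a constructed, unsigned sample assertion for the demonstration."""
    stmt = ""
    if authn_instant:
        stmt = '<saml:AuthnStatement AuthnInstant="%s"/>' % authn_instant
    return ('<saml:Assertion xmlns:saml="%s" ID="_constructed" Version="2.0" '
            'IssueInstant="2017-05-05T20:32:00Z">%s</saml:Assertion>'
            % (SAML_NS, stmt))

NOW = datetime(2017, 5, 5, 20, 32, 0, tzinfo=timezone.utc)
FRESH = make_assertion("2017-05-05T20:31:50Z")  # user authenticated 10 s ago
STALE = make_assertion("2017-05-05T20:00:00Z")  # IdP reused a 32-minute-old login

if __name__ == "__main__":
    for name, xml in (("fresh", FRESH), ("stale", STALE)):
        print(name, authn_ages(xml, NOW), accept_assertion(xml, 30, NOW))
```
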
