Problems getting forceAuthn and maxTimeSinceAuthn working
Cantor, Scott
cantor.2 at osu.edu
Fri May 5 16:32:16 EDT 2017
On 5/5/17, 6:52 AM, "users on behalf of Romeo Theriault" <users-bounces at shibboleth.net on behalf of romeotheriault at gmail.com> wrote:
> I now have a need to force all subsequent requests to login to redirect the user back to the IDP to re-enter their credentials. I set
> forceAuthn="true" in my ApplicationOverride SSO attribute and maxTimeSinceAuth="30" in the ApplicationOverride Sessions
> attribute (see below). After I wait 30 (and more) seconds and go to relogin, I do not get sent back to the IDP and using network
> tracing in Chrome I see that the SP is not even re-requesting a re-auth from the IDP.
That isn't what the setting means; it applies to the policy to enforce at the time an assertion is accepted to make sure ForceAuthn was honored, and has nothing to do with sessions or timeouts. You can't really be saying you want a 30 second timeout, but that's literally what you seem to be asking for here. I think you have not really explained what you want. But these settings are not how to do it.
-- Scott
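
Added example, not part of the original message and not Shibboleth SP code: a Python sketch of the acceptance-time check the reply describes, where the age of the assertion's AuthnInstant is compared against maxTimeSinceAuthn once, when the assertion arrives. The function names, the constructed assertion fragment and the absence of any clock-skew allowance are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed assertion fragment; only the AuthnStatement matters for this check.
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:AuthnStatement AuthnInstant="{instant}" SessionIndex="_constructed"/>'
    "</saml:Assertion>"
)


def make_assertion(instant):
    """Build the constructed sample assertion for a given authentication time."""
    return ASSERTION_TEMPLATE.format(instant=instant.strftime(TIME_FMT))


def authn_instant(assertion_xml):
    """Return the AuthnInstant of the AuthnStatement as an aware UTC datetime."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion carries no AuthnInstant")
    parsed = datetime.strptime(stmt.attrib["AuthnInstant"], TIME_FMT)
    return parsed.replace(tzinfo=timezone.utc)


def accept_assertion(assertion_xml, received_at, max_time_since_authn):
    """Acceptance-time policy (hypothetical helper): reject the assertion if the
    user authenticated at the IdP more than max_time_since_authn seconds ago.
    It runs once per incoming assertion and is not a session timeout."""
    age = received_at - authn_instant(assertion_xml)
    return timedelta(0) <= age <= timedelta(seconds=max_time_since_authn)


# Constructed sample data: the same arrival time, two different IdP behaviours.
NOW = datetime(2017, 5, 5, 20, 32, 16, tzinfo=timezone.utc)
FRESH = make_assertion(NOW - timedelta(seconds=5))   # IdP re-prompted the user
REUSED = make_assertion(NOW - timedelta(hours=2))    # IdP reused an older login

if __name__ == "__main__":
    for label, xml in (("fresh", FRESH), ("reused", REUSED)):
        print(label, accept_assertion(xml, NOW, 30))
```

Nothing in this check is evaluated again on later requests that already carry an SP session, which is why waiting 30 seconds produces no new request to the IdP.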