Problems getting forceAuthn and maxTimeSinceAuthn working
Romeo Theriault
romeotheriault at gmail.com
Fri May 5 20:46:42 EDT 2017
> That isn't what the setting means, it applies to the policy to enforce at
> the time an assertion is accepted to make sure ForceAuthn was honored, and
> has nothing to do with sessions or timeouts.
So, if an assertion from the IDP came in after the maxTimeSinceAuthn
timeout the SP would then redirect to the IDP for a re-authentication?
> You can't really be saying you want a 30 second timeout, but that's
> literally what you seem to be asking for here. I think you have not really
> explained what you want. But these settings are not how to do it.
Step one of what I'm after is to have a SAML protected resource that
requires a re-authentication with the IDP anytime it's accessed. Basically,
I want to disable SSO on this one resource. Would I simply set the sessions
lifetime really low in addition to using forceAuthn and maxTimeSinceAuthn?
The bigger picture, and where it seems to get complicated, is that we want
to have a shibboleth protected website (one virtual host) that has this one
resource that requires authentication on every access, but the rest of the
site with the "normal" timeouts, etc... Is this possible to do with only
one ApplicationOverride and SP metadata?
Thanks
On Fri, May 5, 2017 at 10:32 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 5/5/17, 6:52 AM, "users on behalf of Romeo Theriault" <
> users-bounces at shibboleth.net on behalf of romeotheriault at gmail.com> wrote:
>
> > I now have a need to force all subsequent requests to login to redirect
> the user back to the IDP to re-enter their credentials. I set
> > forceAuthn="true" in my ApplicationOverride SSO attribute and
> maxTimeSinceAuth="30" in the ApplicationOverride Sessions
> > attribute (see below). After I wait 30 (and more) seconds and go to
> relogin, I do not get sent back to the IDP and using network
> > tracing in chrome I see that the SP is not even re-requesting a re-auth
> from the IDP.
>
> That isn't what the setting means, it applies to the policy to enforce at
> the time an assertion is accepted to make sure ForceAuthn was honored, and
> has nothing to do with sessions or timeouts. You can't really be saying you
> want a 30 second timeout, but that's literally what you seem to be asking
> for here. I think you have not really explained what you want. But these
> settings are not how to do it.
>
> -- Scott
--
Romeo Theriault
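As an added illustration (not part of the thread above, and not a fragment from the Shibboleth project's own documentation), here is one way to split the two behaviours being discussed across a single virtual host: the bulk of the site keeps normal SSO timeouts, while one path is mapped to its own ApplicationOverride that always sends ForceAuthn. The hostname, entityIDs, the `/reauth` path, the `/reauth/Shibboleth.sso` handlerURL and the 60-second lifetime are all assumptions chosen for the example.

```xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

    <!-- Assumed host/path layout. Only /reauth is routed to the "reauth"
         override; everything else under the host uses ApplicationDefaults. -->
    <RequestMapper type="Native">
        <RequestMap>
            <Host name="sp.example.org" authType="shibboleth" requireSession="true">
                <!-- forceAuthn here is a content setting: it is applied when the
                     SP has to build a new AuthnRequest for this path. It does
                     not, by itself, end a session that already exists. -->
                <Path name="reauth" applicationId="reauth" forceAuthn="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn">

        <!-- "Normal" site: 8 hour lifetime, 1 hour idle timeout. -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">
            <SSO entityID="https://idp.example.org/idp/shibboleth">
                SAML2
            </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>

        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!-- The one resource that must re-authenticate.
             * Its own Sessions element gives it a separate SP session cookie.
             * handlerURL is placed under /reauth so the SAML handler requests
               (ACS, etc.) are mapped to this override by the RequestMap above;
               the resulting ACS endpoint must also appear in the SP metadata
               the IdP trusts (assumption: you regenerate/extend that metadata).
             * A short lifetime/timeout is what actually makes the SP start a
               new AuthnRequest (carrying ForceAuthn) on the next visit. The
               shortest re-auth interval you get is therefore this lifetime,
               not "every access".
             * maxTimeSinceAuthn is a check on the incoming assertion: if the
               IdP ignored ForceAuthn and returned an AuthnInstant older than
               this many seconds, the SP rejects the assertion. It never
               expires an existing session. -->
        <ApplicationOverride id="reauth">
            <Sessions lifetime="60" timeout="60" relayState="ss:mem"
                      checkAddress="false" handlerSSL="true" cookieProps="https"
                      handlerURL="/reauth/Shibboleth.sso"
                      maxTimeSinceAuthn="60">
                <SSO entityID="https://idp.example.org/idp/shibboleth" forceAuthn="true">
                    SAML2
                </SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" path="protocols.xml"/>
</SPConfig>
```

To check that the override is really in play, request `/reauth/Shibboleth.sso/Session` after visiting the resource and confirm the session shown there is distinct from the one at `/Shibboleth.sso/Session`; in the SP's native log you should also see a fresh AuthnRequest with `ForceAuthn="true"` each time the override's session has lapsed, rather than the silent reuse of the site-wide session.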