Problems getting forceAuthn and maxTimeSinceAuthn working

Cantor, Scott cantor.2 at
Sun May 7 12:26:37 EDT 2017

On 5/5/17, 8:46 PM, "users on behalf of Romeo Theriault" <users-bounces at on behalf of romeotheriault at> wrote:

> So, if an assertion from the IDP came in after the maxTimeSinceAuthn timeout the SP would then redirect to the IDP for a re-
> authentication?

No. If the assertion's AuthnInstant is older than that setting, then an error occurs. It applies to assertion acceptance, not request processing.

> Step one of what I'm after is to have a SAML protected resource that requires a re-authentication with the IDP anytime it's
> accessed. Basically, I want to disable SSO on this one resource. Would I simply set the sessions lifetime really low in addition
> to using forceAuthn and maxTimeSinceAuthn?

No. The only way to do that is to isolate the resource into an ApplicationOverride, or to turn off requireSession and have the resource implemented dynamically enough to control all of that itself by examining the AuthnInstant at runtime to decide whether to honor the session.

-- Scott
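The second approach Scott describes (requireSession off, with the resource inspecting the AuthnInstant itself) is sketched below as an added example; it is not code from the post or from the Shibboleth project. It assumes the SP exports session data as request headers (Shib-Session-ID, Shib-Authentication-Instant), that the handler is mounted at /Shibboleth.sso, and that a 30-second freshness window is acceptable; the sample headers and the fixed clock are constructed for the demonstration.

```python
"""Runtime AuthnInstant check for a Shibboleth SP protected resource.

Added example (not from the mailing-list post or the Shibboleth project).
With requireSession turned off for this resource, the application decides
whether to honor the SP session by looking at the AuthnInstant the SP
exposes and, if it is too old or missing, sends the browser to the SP
Login handler with forceAuthn=true so the IdP re-authenticates the user.

Assumptions: header-based attribute export, handler URL /Shibboleth.sso,
a 30 s freshness window and 5 s of tolerated clock skew.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

HANDLER_URL = "/Shibboleth.sso"          # assumed SP handler location
DEFAULT_MAX_AGE = timedelta(seconds=30)  # assumed freshness window
CLOCK_SKEW = timedelta(seconds=5)        # tolerated IdP/SP clock difference


def parse_authn_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime (e.g. 2017-05-05T20:46:00Z or
    2017-05-05T20:46:00.123Z) into an aware UTC datetime.
    Fractional seconds are dropped; a missing timezone is an error."""
    v = re.sub(r"\.\d+", "", value.strip())
    if v.endswith("Z"):
        v = v[:-1] + "+00:00"
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        raise ValueError("AuthnInstant must carry a timezone")
    return dt.astimezone(timezone.utc)


def session_is_fresh(headers: dict, now: datetime,
                     max_age: timedelta = DEFAULT_MAX_AGE) -> bool:
    """True only when the SP reports a session whose AuthnInstant is
    within max_age of now. Missing session, unparsable instant, or an
    instant from the future (beyond skew) all count as not fresh."""
    instant = headers.get("Shib-Authentication-Instant")
    if not instant or not headers.get("Shib-Session-ID"):
        return False
    try:
        authn_at = parse_authn_instant(instant)
    except ValueError:
        return False
    if authn_at > now + CLOCK_SKEW:
        return False
    return now - authn_at <= max_age


def login_redirect(target: str) -> str:
    """URL of the SP Login handler that forces a fresh IdP authentication
    (forceAuthn=true) and returns the browser to `target` afterwards."""
    query = urlencode({"target": target, "forceAuthn": "true"})
    return f"{HANDLER_URL}/Login?{query}"


def handle_request(headers: dict, target: str, now: datetime,
                   max_age: timedelta = DEFAULT_MAX_AGE):
    """Decision the resource makes instead of relying on requireSession:
    ('serve', None) if the session is fresh, else ('redirect', url)."""
    if session_is_fresh(headers, now, max_age):
        return ("serve", None)
    return ("redirect", login_redirect(target))


if __name__ == "__main__":
    # Constructed sample: a fixed "now" and two SP header sets.
    now = datetime(2017, 5, 5, 20, 46, 30, tzinfo=timezone.utc)
    fresh = {"Shib-Session-ID": "_f00d", "Shib-Authentication-Instant": "2017-05-05T20:46:10Z"}
    stale = {"Shib-Session-ID": "_f00d", "Shib-Authentication-Instant": "2017-05-05T20:40:00Z"}
    print(handle_request(fresh, "/secure/report", now))
    print(handle_request(stale, "/secure/report", now))
```

Two practical points: keep max_age comfortably larger than the IdP round trip plus any IdP/SP clock skew, or a just-issued assertion can already look stale and the resource will loop through the Login handler; and where the web server supports it, read the Shib-* values from the request environment rather than from HTTP headers, since the SP's own header-clearing is the only thing standing between this check and a client-supplied Shib-Authentication-Instant.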
