Problems getting forceAuthn and maxTimeSinceAuthn working

Cantor, Scott cantor.2 at osu.edu
Sun May 7 12:26:37 EDT 2017


On 5/5/17, 8:46 PM, "users on behalf of Romeo Theriault" <users-bounces at shibboleth.net on behalf of romeotheriault at gmail.com> wrote:

> So, if an assertion from the IDP came in after the maxTimeSinceAuthn timeout the SP would then redirect to the IDP for a
> re-authentication?

No. If the assertion's AuthnInstant is older than that setting, then an error occurs. It applies to assertion acceptance, not request processing.
 
> Step one of what I'm after is to have a SAML protected resource that requires a re-authentication with the IDP anytime it's
> accessed. Basically, I want to disable SSO on this one resource. Would I simply set the session's lifetime really low in addition
> to using forceAuthn and maxTimeSinceAuthn?

No. The only way to do that is to isolate the resource into an ApplicationOverride, or to turn off requireSession and have the resource implemented dynamically enough to control all of that itself by examining the AuthnInstant at runtime to decide whether to honor the session.

-- Scott
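
The runtime check described in the reply above (requireSession off, the resource examining the AuthnInstant itself), sketched as an added example that is not part of the original message or the Shibboleth project's code. It assumes the SP exports the instant to the application as `Shib-Authentication-Instant` and that the default `/Shibboleth.sso/Login` handler is given `forceAuthn` and `target` as query parameters; `BASE_URL`, `MAX_AUTHN_AGE`, `skew` and `decide` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Assumption: read from the request environment set by the SP module,
# never from a client-supplied HTTP header of the same name.
AUTHN_INSTANT_VAR = "Shib-Authentication-Instant"
LOGIN_HANDLER = "/Shibboleth.sso/Login"      # assumption: default handler path
BASE_URL = "https://sp.example.org"          # constructed; fixed, not taken from Host
MAX_AUTHN_AGE = timedelta(seconds=60)        # hypothetical policy for this resource


def parse_instant(value):
    """Parse an xs:dateTime such as 2017-05-07T16:26:00Z; None if absent or malformed."""
    if not value:
        return None
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    try:
        instant = datetime.fromisoformat(text)
    except ValueError:
        return None
    # Refuse naive timestamps rather than guessing a time zone.
    return instant if instant.tzinfo is not None else None


def decide(environ, now=None, max_age=MAX_AUTHN_AGE, skew=timedelta(seconds=30)):
    """Return ("allow", None) or ("reauth", url) for one request to the resource."""
    now = now or datetime.now(timezone.utc)
    instant = parse_instant(environ.get(AUTHN_INSTANT_VAR))
    # Fail closed: no session, unparsable instant, instant in the future
    # beyond the allowed clock skew, or authentication older than max_age.
    if instant is not None and -skew <= (now - instant) <= max_age:
        return ("allow", None)
    # Send the browser back through the SP with forceAuthn so the IdP
    # re-authenticates the user and issues a new AuthnInstant.
    target = BASE_URL + environ.get("PATH_INFO", "/")
    query = urlencode({"forceAuthn": "true", "target": target})
    return ("reauth", LOGIN_HANDLER + "?" + query)
```

Because the application, not the SP, rejects a stale session here, the user gets a new forced login instead of the error that maxTimeSinceAuthn produces at assertion acceptance.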



