Problems getting forceAuthn and maxTimeSinceAuthn working

Romeo Theriault romeotheriault at gmail.com
Tue May 9 05:14:55 EDT 2017


On Sun, May 7, 2017 at 6:26 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 5/5/17, 8:46 PM, "users on behalf of Romeo Theriault" <
> users-bounces at shibboleth.net on behalf of romeotheriault at gmail.com> wrote:
>
> > So, if an assertion from the IDP came in after the maxTimeSinceAuthn
> > timeout the SP would then redirect to the IDP for a re-authentication?
>
> No. if the assertion's AuthnInstant is older than that setting, then an
> error occurs. It applies to assertion acceptance, not request processing.
>

Apologies, I don't understand the difference. Can you please share an
example of when and how someone would use forceAuthn and maxTimeSinceAuthn?


> > Step one of what I'm after is to have a SAML protected resource that
> > requires a re-authentication with the IDP anytime it's accessed.
> > Basically, I want to disable SSO on this one resource. Would I simply
> > set the sessions lifetime really low in addition to using forceAuthn
> > and maxTimeSinceAuthn?
>
> No. The only way to do that is to isolate the resource into an
> ApplicationOverride, or to turn off requireSession and have the resource
> implemented dynamically enough to control all of that itself by examining
> the AuthnInstant at runtime to decide whether to honor the session.
>

Ok, good to know. Assuming I would get this specific resource in its own
ApplicationOverride, what would be the *recommended* way of having someone
re-authenticate on every access? Just setting a low session timeout won't
ask the IDP to have them log in again....

Thanks for any direction on this.




>
> -- Scott
>
>



-- 
Romeo Theriault
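The distinction Scott draws above, modelled in Python as an added example (this is not code from the thread or from the Shibboleth SP): maxTimeSinceAuthn is an acceptance check on the assertion's AuthnInstant that produces an error, not a redirect, while re-authentication on every access comes from a fresh request with forceAuthn plus an application-side check of AuthnInstant when requireSession is off. The assertion fragment, the hypothetical function names and the second values are constructed for the example.

```python
# Added example, not Shibboleth SP code: models the two checks discussed in the thread.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, minimal assertion fragment; a real assertion carries far more.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_example" Version="2.0"
    IssueInstant="2017-05-08T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2017-05-08T11:30:00Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Acceptance failure: the SP reports an error, it does not redirect for re-authentication."""


def authn_instant(assertion_xml: str) -> datetime:
    """Extract AuthnInstant from the first AuthnStatement as an aware UTC datetime."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML2}}}AuthnStatement")
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise AssertionRejected("no AuthnStatement/AuthnInstant in assertion")
    naive = datetime.strptime(stmt.attrib["AuthnInstant"], "%Y-%m-%dT%H:%M:%SZ")
    return naive.replace(tzinfo=timezone.utc)


def accept_assertion(assertion_xml: str, now: datetime, max_time_since_authn: int) -> datetime:
    """Model of the maxTimeSinceAuthn check at assertion acceptance (hypothetical name).

    Rejects when AuthnInstant is older than max_time_since_authn seconds; returns the
    instant otherwise so the application can keep it for its own runtime check.
    """
    instant = authn_instant(assertion_xml)
    if now - instant > timedelta(seconds=max_time_since_authn):
        raise AssertionRejected(f"AuthnInstant {instant.isoformat()} older than {max_time_since_authn}s")
    return instant


def honor_session(instant: datetime, now: datetime, max_age: int) -> bool:
    """Application-side check with requireSession off (hypothetical name): honor the
    existing session only while the authentication is fresh; when this returns False
    the application issues a new AuthnRequest with forceAuthn set, rather than
    relying on the SP session lifetime."""
    return now - instant <= timedelta(seconds=max_age)
```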