Problems getting forceAuthn and maxTimeSinceAuthn working

Romeo Theriault romeotheriault at
Tue May 9 05:14:55 EDT 2017

On Sun, May 7, 2017 at 6:26 AM, Cantor, Scott <cantor.2 at> wrote:

> On 5/5/17, 8:46 PM, "users on behalf of Romeo Theriault" <
> users-bounces at on behalf of romeotheriault at> wrote:
> > So, if an assertion from the IDP came in after the maxTimeSinceAuthn
> > timeout the SP would then redirect to the IDP for a re-authentication?
> No. If the assertion's AuthnInstant is older than that setting, then an
> error occurs. It applies to assertion acceptance, not request processing.

Apologies, I don't understand the difference. Can you please share an
example of when and how someone would use forceAuthn and maxTimeSinceAuthn?

> > Step one of what I'm after is to have a SAML protected resource that
> > requires a re-authentication with the IDP anytime it's
> > accessed. Basically, I want to disable SSO on this one resource. Would I
> > simply set the sessions lifetime really low in addition
> > to using forceAuthn and maxTimeSinceAuthn?
> No. The only way to do that is to isolate the resource into an
> ApplicationOverride, or to turn off requireSession and have the resource
> implemented dynamically enough to control all of that itself by examining
> the AuthnInstant at runtime to decide whether to honor the session.

Ok, good to know. Assuming I would get this specific resource in its own
ApplicationOverride, what would be the *recommended* way of having someone
re-authenticate on every access? Just setting a low session timeout won't
ask the IDP to have them log in again.

Thanks for any direction on this.

> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at

Romeo Theriault
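The distinction Scott draws above (maxTimeSinceAuthn is applied when the SP accepts an assertion, while a per-request freshness rule has to live in the application when requireSession is off) is easier to see in code. The following is an added illustration written for this archive page, not code from the Shibboleth project or from either poster. It models both checks side by side: `sp_accepts_assertion` mirrors the acceptance-time rule, and `decide_request` is the application-side check that reads the AuthnInstant the SP exports to the application (assumed here to be the SP's default `Shib-Authentication-Instant` variable) and, when it is too old or absent, redirects to the SP's login handler with `forceAuthn=true` so the IdP is asked to authenticate again. The handler path `/Shibboleth.sso/Login`, the `target` parameter name and the sample timestamps are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode


def parse_authn_instant(value: str) -> datetime:
    """Parse an xs:dateTime AuthnInstant (e.g. 2017-05-09T08:59:30Z) into an
    aware UTC datetime. Python's fromisoformat() only accepts a trailing 'Z'
    from 3.11 on, so the suffix is normalised first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def sp_accepts_assertion(authn_instant: str, max_time_since_authn: int,
                         now: datetime) -> bool:
    """Model of the SP-side rule discussed in the thread: when a new assertion
    arrives, reject it (the SP raises an error) if its AuthnInstant is older
    than maxTimeSinceAuthn seconds. This runs once, at assertion acceptance,
    and never re-examines an already established session."""
    age = now - parse_authn_instant(authn_instant)
    return age <= timedelta(seconds=max_time_since_authn)


def decide_request(headers: dict, max_age_seconds: int, now: datetime,
                   resource_path: str,
                   login_handler: str = "/Shibboleth.sso/Login") -> dict:
    """Application-side check for a resource served with requireSession off.

    Every request inspects the exported AuthnInstant. If it is missing,
    unparseable, or older than max_age_seconds, the caller should redirect
    to the SP login handler with forceAuthn=true; the IdP then performs a
    fresh authentication instead of silently reusing its SSO session.
    Header name and handler path are assumptions for this example."""
    instant = headers.get("Shib-Authentication-Instant")
    fresh = False
    if instant:
        try:
            fresh = now - parse_authn_instant(instant) <= timedelta(seconds=max_age_seconds)
        except ValueError:
            fresh = False  # malformed timestamp: treat as no authentication
    if not fresh:
        query = urlencode({"target": resource_path, "forceAuthn": "true"})
        return {"action": "redirect", "location": f"{login_handler}?{query}"}
    return {"action": "allow"}


if __name__ == "__main__":
    # Constructed sample: a request arriving at 09:00 UTC with an AuthnInstant
    # ten minutes old, against a 60 second freshness requirement.
    now = datetime(2017, 5, 9, 9, 0, 0, tzinfo=timezone.utc)
    stale = {"Shib-Authentication-Instant": "2017-05-09T08:50:00Z"}
    print(sp_accepts_assertion("2017-05-09T08:50:00Z", 60, now))  # False
    print(decide_request(stale, 60, now, "/secure/report"))       # redirect
```

Note that the two functions answer different questions: `sp_accepts_assertion` decides whether the SP will create a session at all, so a stale assertion produces an error rather than a redirect, whereas `decide_request` is what actually forces a round trip to the IdP on each access once the session exists.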