Problems getting forceAuthn and maxTimeSinceAuthn working

Cantor, Scott cantor.2 at
Tue May 9 09:55:12 EDT 2017

> Apologies, I don't understand the difference. Can you please share an
> example of when and how someone would use forceAuthn and
> maxTimeSinceAuthn?

If you use ForceAuthn, you MUST set maxTimeSinceAuthn to control how long a gap you allow and make it small enough to satisfy yourself that ForceAuthn was honored by the IdP. It applies to *acceptance* of an assertion, once, up front, and has nothing to do with subsequent requests under the created session or whether they're honored or not.

> Ok, good to know. Assuming I would get this specific resource in its own
> ApplicationOverride what would be the *recommended* way of having
> someone re-authenticate on every access? Just setting a low session timeout
> won't ask the IDP to have them login again....

I suspect I would not use this implementation, because its complexity and footprint are largely about session management. If you don't want sessions, you probably don't want a Shibboleth SP. But as I think about it, I don't think there's a real way. There's no way to distinguish the age of a session, so you couldn't know that the request was fresh. I guess you could approximate it by essentially implementing your own maxTimeSinceAuthn on every request and once it exceeded the limit, you have to program that resource to issue its own redirects to the SessionInitiator endpoint with forceAuthn set to get a new roundtrip. There's no way to do it for a static resource or one that isn't able to interact with the SP's proprietary features.

-- Scott
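The per-request approximation Scott describes, as an added example that is not part of the original thread: the application reads the authentication instant the SP exports for the session (the `Shib-Authentication-Instant` value, here assumed to arrive as a request header or environment variable as the SP deployment provides it), compares it against its own freshness limit, and when the limit is exceeded redirects the user to the SP's Login handler with `forceAuthn=true` and a `target` to return to. The limit, the resource path and the sample timestamps are constructed for illustration; the handler path is the SP's default. This only checks the instant already in the session, so the SP-side `maxTimeSinceAuthn` check at assertion acceptance is still what verifies the IdP actually honored ForceAuthn on the new round trip.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed for this example: how old an authentication may be before the
# resource demands a new round trip to the IdP. The SP-side maxTimeSinceAuthn
# for the same application should be set at least this small.
MAX_AUTHN_AGE = timedelta(seconds=300)
# Tolerance for clock differences between the IdP and this host (constructed).
CLOCK_SKEW = timedelta(seconds=30)
# Shibboleth SP default SessionInitiator/Login handler location.
LOGIN_HANDLER = "/Shibboleth.sso/Login"
# Name under which the SP exports the assertion's AuthnInstant.
AUTHN_INSTANT_HEADER = "Shib-Authentication-Instant"


def parse_authn_instant(value):
    """Parse the xs:dateTime the SP exports (e.g. '2017-05-09T13:55:12Z' or
    '2017-05-09T13:55:12.123Z'). Returns an aware datetime or None."""
    if not value:
        return None
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"   # fromisoformat needs an explicit offset
    try:
        instant = datetime.fromisoformat(text)
    except ValueError:
        return None
    if instant.tzinfo is None:        # treat a bare timestamp as UTC
        instant = instant.replace(tzinfo=timezone.utc)
    return instant


def authn_is_fresh(headers, now=None, max_age=MAX_AUTHN_AGE, skew=CLOCK_SKEW):
    """True if the session's authentication instant is present, parseable,
    not implausibly far in the future, and younger than max_age."""
    instant = parse_authn_instant(headers.get(AUTHN_INSTANT_HEADER))
    if instant is None:
        return False                  # no instant: cannot prove freshness
    now = now or datetime.now(timezone.utc)
    age = now - instant
    if age < -skew:
        return False                  # claimed instant is in the future
    return age <= max_age


def force_reauth_redirect(target):
    """Build the redirect to the SP's Login handler asking for ForceAuthn.
    The SP turns this into a new AuthnRequest with ForceAuthn="true"."""
    params = {"target": target, "forceAuthn": "true"}
    return LOGIN_HANDLER + "?" + urlencode(params)


def check_request(headers, target, now=None, max_age=MAX_AUTHN_AGE):
    """Decide for one request: (True, None) to serve the resource, or
    (False, redirect_url) to send the user back through the IdP."""
    if authn_is_fresh(headers, now=now, max_age=max_age):
        return True, None
    return False, force_reauth_redirect(target)


if __name__ == "__main__":
    # Constructed sample: a session authenticated ten minutes before "now".
    now = datetime(2017, 5, 9, 14, 0, 0, tzinfo=timezone.utc)
    stale = {AUTHN_INSTANT_HEADER: "2017-05-09T13:50:00Z"}
    print(check_request(stale, "/secure/report", now=now))
```

The redirect relies on the IdP honoring ForceAuthn: if it does not, the new assertion carries the old AuthnInstant, the SP (with a suitably small `maxTimeSinceAuthn`) rejects it at acceptance, and the user never lands in a redirect loop with this check. Without that SP-side setting, an IdP that ignores ForceAuthn would leave the session stale and this code would redirect on every request.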
