Unsolicited SSO + ForceAuthen?

Jeffrey Crawford jeffreyc at ucsc.edu
Mon Feb 26 12:21:34 EST 2018

I think I may know the answer to this, but I'm going to ask anyway just in
case I've missed some trick.

We have a vendor SAML integration with a rather simple SAML profile
support. There is a concern on campus that it "should" be ForceAuthn, but
the vendor doesn't support sending the request to the IdP with that tag set.

Is there any way to use the IdP Unsolicited SSO where we can set ForceAuthn
for this app? I know it may be easily bypassed if it's in the URL or
something, but we are trying to protect bad user behavior more than we are
trying to guard against someone who wants to bypass ForceAuthn at the

The application would allow someone access to personal data if they forget
to close the browser, so I'm trying to find ways to protect users from


Jeffrey E. Crawford
Enterprise Service Team <jeffreyc at ucsc.edu>
    ^         ^
   / \  ^    / \    ^
  /   \/ \  /   \  / \
 /        \/     \/   \
/                      \

You have been assigned this mountain to prove to others that it *can* be
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180226/91393b9d/attachment.html>

More information about the users mailing list