Cherwell SP Forcing Re-Authentication

Nate Klingenstein ndk at signet.id
Thu May 30 14:46:22 EDT 2019


Jack,

> Good Afternoon All!

And a good day to you.

> After spinning my tires and finally concluding this isn't an IdP issue by virtue of the nature of SSO, I'm wondering if the IdP can override what appears to be a forced re-authentication by a non-shibboleth SP.

Not as far as I'm aware of.  You can refuse to honor the request for authentication easily, but if the SP requests that it be forced, it's forced.  Given that this is somewhat security-related, I'm almost certain there is no configuration option to disable it easily.

https://wiki.shibboleth.net/confluence/display/IDP30/SessionConfiguration

> In a nutshell, our dev team is trying to leverage SAML SSO to allow a user to authenticate into an intermediary server and enter a ticket request into a template. On submission, the user and entered information will be redirected to a separate
> ITSM server (the product being Cherwell, I've posted about this project before). The issue we're running into is the ITSM server is forcing the user to re-authenticate, which breaks the flow. I've confirmed with other SPs attached to our dev environment that
> SSO is working properly. Once I authenticate against one, the others do not prompt for authentication EXCEPT for this one.

Sure sounds like you've got it diagnosed properly.

Best wishes,
Nate.
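
The following is an added example, not part of the original message: one way to confirm that an SP is requesting forced re-authentication is to decode the AuthnRequest it sends and read its ForceAuthn attribute. It assumes the SP uses the SAML 2.0 HTTP-Redirect binding; the entity ID, endpoint host and request below are constructed samples.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def xs_bool(value):
    # xs:boolean accepts "true"/"1" and "false"/"0"; absent means false
    return value is not None and value.strip() in ("true", "1")

def decode_redirect_request(url):
    """Extract the AuthnRequest XML from an HTTP-Redirect binding URL."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("URL carries no SAMLRequest parameter")
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")  # raw DEFLATE, no header

def summarize_authn_request(xml_text):
    """Report who sent the request and whether it forces re-authentication."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext("{%s}Issuer" % SAML)
    return {"issuer": issuer.strip() if issuer else None,
            "force_authn": xs_bool(root.get("ForceAuthn")),
            "is_passive": xs_bool(root.get("IsPassive"))}

def encode_redirect_request(xml_text, endpoint):
    """Build a constructed sample URL (deflate, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(data).decode("ascii")
    return endpoint + "?SAMLRequest=" + quote(b64, safe="")

# Constructed sample request; entity ID and endpoint host are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_a1" '
    'Version="2.0" IssueInstant="2019-05-30T18:00:00Z" ForceAuthn="true">'
    '<saml:Issuer>https://itsm.example.org/sp</saml:Issuer>'
    '</samlp:AuthnRequest>' % (SAMLP, SAML))
SAMPLE_URL = encode_redirect_request(
    SAMPLE_XML, "https://idp.example.org/idp/profile/SAML2/Redirect/SSO")

if __name__ == "__main__":
    print(summarize_authn_request(decode_redirect_request(SAMPLE_URL)))
```

To use it on a real flow, pass the redirect URL the browser is sent to when the SP starts login in place of SAMPLE_URL.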

