Cherwell SP Forcing Re-Authentication

[Cantor, Scott]

On 5/30/19, 2:36 PM, "users on behalf of Garmer, Jack - garmercj" <users-bounces at shibboleth.net on behalf of garmercj at jmu.edu> wrote:

> Because the SP is a GUI-based app on a windows server, there doesn’t appear to be an obvious setting to turn this off.
> The product documentation also isn’t doing much for us. Is there a method on the IDP end to override forced reauth?

I think you should at least verify that the cause is the SP including ForceAuthn and not some artifact of frames or a million other issues causing session recovery failure before moving to the next step.

Assuming that's the case, there is no option right now to ignore what it says. There's an option to force it even if the SP can't ask for it, but that's the inverse.

You can forcibly point the SP at a URL that is a rewrite script that ignores the original AuthnRequest and rewrites it into a new one that doesn't have ForceAuthn set, of course.

-- Scott