Cherwell SP Forcing Re-Authentication

IAM David Bantz dabantz at alaska.edu
Thu May 30 15:23:36 EDT 2019


After a recent Cherwell update we were seeing forced re-authentication as
described. The Cherwell admins did find, after prodding, a setting in the
SP to change to revert to honoring the SSO session. Cherwell regards this as a
feature:

> Authentication is forced by default; this means Users are required to enter
> their credentials each time they access Cherwell. You may choose to disable
> Force Authentication.
> Warning: We HIGHLY recommend you do not clear this option, as it has very
> serious security implications.


We were able to turn off this behavior.

David Bantz

On Thu, May 30, 2019 at 11:07 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 5/30/19, 2:36 PM, "users on behalf of Garmer, Jack - garmercj" <
> users-bounces at shibboleth.net on behalf of garmercj at jmu.edu> wrote:
>
> > Because the SP is a GUI-based app on a Windows server, there doesn’t
> > appear to be an obvious setting to turn this off.
> > The product documentation also isn’t doing much for us. Is there a
> > method on the IDP end to override forced reauth?
>
> I think you should at least verify that the cause is the SP including
> ForceAuthn and not some artifact of frames or a million other issues
> causing session recovery failure before moving to the next step.
>
> Assuming that's the case, there is no option right now to ignore what it
> says. There's an option to force it even if the SP can't ask for it, but
> that's the inverse.
>
> You can forcibly point the SP at a URL that is a rewrite script that
> ignores the original AuthnRequest and rewrites it into a new one that
> doesn't have ForceAuthn set, of course.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net