Cherwell SP Forcing Re-Authentication

IAM David Bantz dabantz at
Thu May 30 15:23:36 EDT 2019

After a recent Cherwell update we were seeing forced re-authentication as
described. The Cherwell admins did find, after prodding, a setting in the
SP to change to revert to honoring the SSO session. Cherwell regards this a

> Authentication is forced by default; this means Users are required to enter
> their credentials each time they access Cherwell. You may choose to disable
> Force Authentication.
> Warning: We HIGHLY recommend you do not clear this option, as it has very
> serious security implications.

We were able to turn off this behavior.

David Bantz

On Thu, May 30, 2019 at 11:07 AM Cantor, Scott <cantor.2 at> wrote:

> On 5/30/19, 2:36 PM, "users on behalf of Garmer, Jack - garmercj" <
> users-bounces at on behalf of garmercj at> wrote:
> > Because the SP is a GUI-based app on a windows server, there doesn’t
> appear to be an obvious setting to turn this off.
> > The product documentation also isn’t doing much for us. Is there a
> method on the IDP end to override forced reauth?
> I think you should at least verify that the cause is the SP including
> ForceAuthn and not some artifact of frames or a million other issues
> causing session recovery failure before moving to the next step.
> Assuming that's the case, there is no option right now to ignore what it
> says. There's an option to force it even if the SP can't ask for it, but
> that's the inverse.
> You can forcibly point the SP at a URL that is a rewrite script that
> ignores the original AuthnRequest and rewrites it into a new one that
> doesn't have ForceAuthn set, of course.
> -- Scott
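Scott's first step above is to confirm that the SP's AuthnRequest actually carries ForceAuthn before blaming it for the re-prompts. The script below is an added example for that check; it is not part of this thread and not Shibboleth or Cherwell code. It decodes a SAMLRequest from either the HTTP-Redirect binding (base64 over raw DEFLATE, as in RFC 1951) or the HTTP-POST binding (plain base64) and reports the ForceAuthn and IsPassive flags and the Issuer. The sample AuthnRequest, its ID and the sp.example.org URLs are constructed here for demonstration; in practice you would paste the SAMLRequest value captured from the browser's network tab or from the IdP's request log.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_request(saml_request: str) -> bytes:
    """Reverse the HTTP-Redirect binding encoding: base64, then raw DEFLATE (wbits=-15)."""
    return zlib.decompress(base64.b64decode(saml_request), -15)


def decode_post_request(saml_request: str) -> bytes:
    """Reverse the HTTP-POST binding encoding: base64 only."""
    return base64.b64decode(saml_request)


def inspect_authn_request(xml_bytes: bytes) -> dict:
    """Report the attributes on an AuthnRequest that force or suppress an IdP login prompt.

    The SAML 2.0 core spec treats a missing ForceAuthn/IsPassive as false, so only an
    explicit xs:boolean true ("true" or "1") counts as set.
    NOTE: for requests from untrusted parties, parse with defusedxml instead of ElementTree.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")

    def flag(name: str) -> bool:
        value = root.get(name)
        return value is not None and value.strip().lower() in ("true", "1")

    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "force_authn": flag("ForceAuthn"),
        "is_passive": flag("IsPassive"),
    }


def inspect_redirect_url(url: str) -> dict:
    """Pull SAMLRequest out of an SSO redirect URL and inspect it."""
    query = parse_qs(urlparse(url).query)
    return inspect_authn_request(decode_redirect_request(query["SAMLRequest"][0]))


# --- Constructed sample data (hypothetical SP, not a real deployment) ---
def build_sample_redirect_url(force_authn: bool) -> str:
    """Build an HTTP-Redirect SSO URL the way an SP would, for a request with or without ForceAuthn."""
    force_attr = ' ForceAuthn="true"' if force_authn else ""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"'
        ' ID="_constructed-id-0001" Version="2.0" IssueInstant="2019-05-30T15:00:00Z"'
        f'{force_attr} AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
        "<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ).encode()
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = compressor.compress(xml) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": "cookie:example"}
    return "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO?" + urlencode(params)


if __name__ == "__main__":
    for forced in (True, False):
        url = build_sample_redirect_url(forced)
        print(inspect_redirect_url(url))
```

If the report shows `force_authn: False` while users are still being prompted, the cause lies elsewhere (frames, cookie scope, session recovery), which is exactly the distinction Scott asks to settle first.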