relying party override to impose forceAuthN?

IAM David Bantz dabantz at
Fri Jul 10 23:26:21 UTC 2020

I know forceAuthN can be configured in SP, but I'm wondering if it is
possible, via relying party override or other config in the IdP to achieve
the same user experience.

Our Shibb IdP v3.4.6 is adopting services that have been relying on
dedicated CAS servers, and I've heard some feedback from users of the
non-production instances of those services that have migrated to Shibb IdP
that they were 'surprised' or 'concerned' that after they hit the "logout"
button in the service, then navigated back to the service, they gained
access without re-authentication. So if I cannot persuade them that this is
normal and intended SSO behavior and they cannot configure an analog of
forceAuthn in these CAS protocol services, I'm wondering if I can configure
the IdP to respond as though the service requested forceAuthN.

David St. Pierre Bantz
