What do I have right now?

I have a working SP-initiated flow where users can authenticate against their IDP. If they return after some time and click on the SP-initiated authentication link, the IDP lets them bypass entering credentials.

Question

  1. Why does the IDP decide to allow the user to skip entering credentials? I have discovered that if I delete my cookies this does not happen. Is this then an IDP-set cookie and an IDP-controlled session? Can I control this via the SAML Request?
  2. Can I force the IDP to always ask for credentials by setting a FOO SAML Request flag? Is this even possible?
Found an answer to (2): stackoverflow.com/questions/15442657/… - rock3t

2 Answers

Most of the time, the point of introducing SAML-based federated SSO is that users don't have to enter their credentials over and over again. So not having to type their credentials is a feature of the IDP.

But the behavior is completely up to the IDP, which controls how and when the user authenticates. The SP can ask for forced authentication, but it is still the IDP that decides whether that request is honored (by following the spec).

An IDP may skip asking for credentials explicitly if the user has logged in explicitly within a short timeframe before the current authentication request. That's still relatively secure and convenient for the user.

You can force the IdP to always prompt the user for re-authentication by passing the ForceAuthn="true" attribute in the authentication request.
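Putting the two answers together as an added example (this is not code from either answerer, nor from any SAML library): the SP sets ForceAuthn="true" on the AuthnRequest, but since the IdP is the one that decides whether to honor it, the SP should also check the returned assertion. The AuthnStatement's AuthnInstant tells you when the IdP actually authenticated the user; if it predates your request, the IdP reused an existing session instead of re-prompting. The entity IDs, URLs and the sample Response below are constructed for the demo, and the Response is unsigned: in a real SP, XML signature verification and the usual audience, recipient and validity-window checks run before any of this.

```python
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, destination, acs_url, force_authn=False, now=None):
    """Build a minimal SAML 2.0 AuthnRequest; return (request ID, XML string).

    ForceAuthn="true" asks the IdP to re-authenticate the user even if it
    already holds a session for them. It is a request, not a guarantee.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    request_id = "_" + secrets.token_hex(16)  # store this; we match it on return
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return request_id, ET.tostring(root, encoding="unicode")


def parse_instant(s):
    """Parse a SAML xs:dateTime in UTC ('...Z') into an aware datetime."""
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    return dt.datetime.fromisoformat(s)


def check_fresh_authentication(response_xml, request_id, request_issued_at,
                               max_skew=dt.timedelta(minutes=1)):
    """Return (ok, reason): did the IdP actually re-authenticate for our request?

    Assumes the Response signature has already been verified by the caller.
    """
    ns = {"samlp": SAMLP, "saml": SAML}
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", ns)
    if assertion is None:
        return False, "no Assertion in Response"
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", ns)
    if scd is None or scd.get("InResponseTo") != request_id:
        return False, "assertion does not answer our request (InResponseTo mismatch)"
    stmt = assertion.find("saml:AuthnStatement", ns)
    if stmt is None or not stmt.get("AuthnInstant"):
        return False, "no AuthnStatement/AuthnInstant"
    authn_instant = parse_instant(stmt.get("AuthnInstant"))
    # Allow a little clock skew, but an AuthnInstant clearly before our
    # request means the IdP reused a session and ignored ForceAuthn.
    if authn_instant < request_issued_at - max_skew:
        return False, f"AuthnInstant {stmt.get('AuthnInstant')} predates the ForceAuthn request"
    return True, "fresh authentication"


def sample_response(authn_instant, in_response_to):
    """Constructed, unsigned Response for the demo (hypothetical idp/sp hosts)."""
    return f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
    Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
            Recipient="https://sp.example.com/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>'''


if __name__ == "__main__":
    issued = parse_instant("2024-01-01T12:00:00Z")
    req_id, xml = build_authn_request("https://sp.example.com",
                                      "https://idp.example.org/sso",
                                      "https://sp.example.com/acs",
                                      force_authn=True, now=issued)
    print(xml)
    # IdP honored ForceAuthn: user typed credentials 3 s after our request
    print(check_fresh_authentication(sample_response("2024-01-01T12:00:03Z", req_id), req_id, issued))
    # IdP ignored ForceAuthn: AuthnInstant is the morning login from its own cookie session
    print(check_fresh_authentication(sample_response("2024-01-01T08:30:00Z", req_id), req_id, issued))
```

What to do when the check fails is a policy decision for the SP: for a step-up action (changing a password, approving a payment) reject the assertion and send the user back with ForceAuthn again; for ordinary login, falling back to the IdP's session is exactly the SSO behaviour the first answer describes.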