How can Service Provider reinforce password prompt at IdP server?

魔方 西西, submitted on 2019-12-05 23:07:49

ADFS's default behavior for logging in a user on the IdP side is a 401 (NTLM) challenge, and all mainstream browsers will cache the user's id/pw input. Even though you specify ForceAuthn="true", it won't help, since the client-side browser will send your cached id/pw again.

There is a way to change the default ADFS login strategy to use HTML form login. Supposing you installed ADFS in the default location, you can find c:\inetpub\adfs\ls\web.config. It contains a <localAuthenticationTypes> element; make sure you put <add name="Forms" page="FormsSignIn.aspx" /> as the first element in it. You can also customize the login form page as you like.

Pâris MEULEMAN

I stumbled into similar issues with the ForceAuthn parameter and ADFS.

Specifically requiring an ACR in combination with the ForceAuthn attribute seems to do the trick for me:

<samlp:AuthnRequest ForceAuthn="true" [...]>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    [...]
</samlp:AuthnRequest>

Which is actually the exact meaning of the request I meant to send to ADFS:

Ignore your authentication context and ensure the user's password is provided.
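An added example, not from either answer above: a small Python snippet that builds the AuthnRequest described in this answer (ForceAuthn plus an exact RequestedAuthnContext of PasswordProtectedTransport) and, on the SP side, checks that the returned assertion actually reflects a fresh password login rather than a reused cached session. The issuer, ACS URL, request ID and the sample assertion are constructed placeholders; signature, InResponseTo and audience validation are assumed to happen elsewhere.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def build_authn_request(issuer, acs_url, request_id, issue_instant):
    """Serialise an AuthnRequest that asks the IdP for a fresh password login:
    ForceAuthn plus an exact RequestedAuthnContext of PasswordProtectedTransport."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url, "ForceAuthn": "true"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = PPT
    return ET.tostring(req, encoding="unicode")

def _parse_utc(ts):
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants "+00:00".
    return dt.datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_fresh_password_auth(assertion_xml, request_instant, max_skew_s=120):
    """SP-side check that the IdP honoured the request: the assertion must carry
    PasswordProtectedTransport and an AuthnInstant no older than the request
    (minus clock skew). Returns (ok, reason)."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"
    cls = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if cls is None or (cls.text or "").strip() != PPT:
        return False, "AuthnContextClassRef is not PasswordProtectedTransport"
    if not stmt.get("AuthnInstant"):
        return False, "AuthnStatement has no AuthnInstant"
    earliest = _parse_utc(request_instant) - dt.timedelta(seconds=max_skew_s)
    if _parse_utc(stmt.get("AuthnInstant")) < earliest:
        return False, "AuthnInstant predates the request: a cached session was reused"
    return True, "fresh password authentication confirmed"

# Constructed sample assertion (not real ADFS output) answering a request issued at 2019-12-05T23:07:49Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2019-12-05T23:07:50Z">
  <saml:AuthnStatement AuthnInstant="2019-12-05T23:07:48Z" SessionIndex="_s1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

The AuthnInstant comparison is what catches the behaviour the first answer describes: if the browser silently replays cached NTLM credentials and ADFS reuses an existing session, the assertion's AuthnInstant will be older than the request that demanded a fresh login.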
