I recently successfully ran the spring-saml-sample with ADFS 2.0.
However, I noticed that ADFS only asks me once for my user/pass, and then I can enter as many times as I want, but always with the same user (even when I did a global logout).
It seems there is a cookie or something stored locally that is sent to ADFS.
What if I want to authenticate with a different user on the same machine? How can I configure the saml-extension in order to force authentication again?
SAML contains a mechanism for forcing the IDP to re-authenticate the user, called forced authentication. You can enable it by setting the flag forceAuthn in WebSSOProfileOptions to true. You can find more details on setting this in the Spring SAML manual, chapter 9.2.1.
In addition to Vladimir's answer: if you are able to continue logging in even after a global logout has been done, you should check that as well. After a global logout, all SP and IDP sessions should be deleted, so ideally you should not be able to use the site.
Source: https://stackoverflow.com/questions/27828746/how-can-i-force-spring-saml-extension-to-re-authenticate-everytime