SAML: is it possible to force user to go through login process even when user has an IDP session

Submitted by 时光怂恿深爱的人放手 on 2021-01-28 03:03:39

Question


In SAML, is it possible to force the user to go through the IdP's login process every time, even when the user has an active IdP session?

To make a concrete example here: let's call my application "SP". I use SSOCircle as the IdP, and I use POST and redirect (SP-initiated).

To test, I first log in to SSOCircle to get an active IdP session. Then, when I try going to the SP, I should be redirected to the IdP.

Normally, since I already have an active IdP session, the IdP will say "oh, you have already been authenticated, you can go directly to the SP!"

But I don't want that; I want the IdP to force the user to enter credentials every time, maybe by either (I guess):

  1. ignoring the active IdP session
  2. not creating an IdP session

I want to know whether this is doable.


Answer 1:


Yes, the SP can send a ForceAuthn flag to the IdP in the AuthnRequest to require a new authentication instead of reusing an existing session.

As always with SAML2, you can't expect all IdPs to support everything. You have to test whether your IdP supports the ForceAuthn flag.
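The two halves of the answer above, as an added example that is not part of the original post or of SSOCircle's code: building an SP-initiated AuthnRequest with `ForceAuthn="true"` for the HTTP-Redirect binding, and the SP-side check that tells you whether the IdP actually re-authenticated the user or silently reused its session. The entity IDs and URLs (`sp.example.test`, `idp.example.test`) and the unsigned sample Response are constructed for the demonstration; a real SP must verify the Response signature before trusting any attribute read here.

```python
"""Added example: SP-initiated SAML 2.0 AuthnRequest carrying ForceAuthn="true"
(HTTP-Redirect binding), plus the SP-side check that tells you whether the IdP
actually re-authenticated the user or silently reused its session."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _iso(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s):
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants an offset
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True,
                        issue_instant=None):
    """Return (request_id, issue_instant, xml). ForceAuthn="true" tells the IdP
    to authenticate the user again even if it already holds a session for them."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).replace(microsecond=0)
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'ID="%(rid)s" Version="2.0" IssueInstant="%(ts)s" Destination="%(dest)s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="%(acs)s" ForceAuthn="%(force)s" IsPassive="false">'
        '<saml:Issuer>%(issuer)s</saml:Issuer></samlp:AuthnRequest>'
    ) % dict(NS, rid=request_id, ts=_iso(issue_instant), dest=idp_sso_url,
             acs=acs_url, force=str(force_authn).lower(), issuer=sp_entity_id)
    return request_id, issue_instant, xml


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_request(url):
    """Inverse of redirect_binding_url; handy for inspecting what the SP sent."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def force_authn_honoured(response_xml, request_id, issue_instant, skew_seconds=0):
    """Return (ok, reason). The Response must answer our request, and every
    AuthnStatement/@AuthnInstant must be at or after the moment we issued it
    (minus an optional clock-skew allowance). An AuthnInstant earlier than our
    IssueInstant means the IdP reused a session that existed before we asked,
    i.e. it ignored ForceAuthn. Verify the XML signature before calling this."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match our AuthnRequest ID"
    stmts = root.findall(".//saml:AuthnStatement", NS)
    if not stmts:
        return False, "no AuthnStatement in Response"
    for stmt in stmts:
        authn_instant = _parse_iso(stmt.get("AuthnInstant"))
        if authn_instant + timedelta(seconds=skew_seconds) < issue_instant:
            return False, "AuthnInstant %s predates request IssueInstant %s: session reused" % (
                _iso(authn_instant), _iso(issue_instant))
    return True, "fresh authentication"


def sample_response(request_id, authn_instant):
    """Constructed, unsigned IdP Response for offline demonstration only."""
    return (
        '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" ID="_resp1" '
        'Version="2.0" IssueInstant="2021-01-28T03:05:00Z" InResponseTo="%(rid)s">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-28T03:05:00Z">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        '<saml:AuthnStatement AuthnInstant="%(ai)s"><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:'
        'PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion></samlp:Response>'
    ) % dict(NS, rid=request_id, ai=authn_instant)


def demo():
    """Run the request build plus three verdicts against constructed responses."""
    issued = datetime(2021, 1, 28, 3, 4, 0, tzinfo=timezone.utc)
    rid, ts, xml = build_authn_request("https://sp.example.test/metadata",
                                       "https://sp.example.test/saml/acs",
                                       "https://idp.example.test/sso", issue_instant=issued)
    url = redirect_binding_url("https://idp.example.test/sso", xml, relay_state="/app")
    assert decode_redirect_request(url) == xml  # round-trip of the redirect encoding
    return {
        "force_authn_in_request": 'ForceAuthn="true"' in xml,
        # IdP prompted for credentials 30 s after we asked: ForceAuthn honoured
        "fresh": force_authn_honoured(sample_response(rid, "2021-01-28T03:04:30Z"), rid, ts)[0],
        # IdP handed back a session established 14 min before our request: ignored
        "reused": force_authn_honoured(sample_response(rid, "2021-01-28T02:50:00Z"), rid, ts)[0],
        # Response for some other request must never be accepted
        "wrong_request": force_authn_honoured(sample_response("_other", "2021-01-28T03:04:30Z"), rid, ts)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run it once against your real IdP: if `force_authn_honoured` reports a reused session even though the request carried `ForceAuthn="true"`, that IdP does not support the flag and you need a different control (for example, ending the IdP session after each login). Allow a few seconds of `skew_seconds` in production so an IdP clock slightly behind yours does not produce false rejections.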



Source: https://stackoverflow.com/questions/44786747/saml-is-it-possible-to-force-user-to-go-through-login-process-even-when-user-ha
