Tutorial: Setting up forced authentication (forceAuthn) for SAML users

Abstract

Request the re-authentication of users with each sign-on using the SAML forceAuthn content parameter.

Overview

Some customers with high-security requirements may want to bypass the Single Sign-on behavior of SAML authentication and require users to re-authenticate at each sign-on. You can do this with forceAuthn, a content parameter. It requests that the user interact with the IdP to authenticate even if the user already has an active IdP session. You configure this with a toggle in the Admin Web UI, which sets forceAuthn to true.

  • Prerequisite: SAML is set up for Access Server and your IdP.

  1. Sign in to the Admin Web UI.

  2. Click Authentication > SAML.

  3. Set "Send ForceAuthn flag to IdP to require user interaction" to Yes.

Tip

When set to Yes, this means ForceAuthn='true' is included in the AuthNRequest made to the IdP, requesting user interaction during the course of handling the request. Doing this overrides the usual, implicit assumption that previous authentication states can be reused — however, it's up to the SAML IdP if it honors this request.
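Because the IdP may ignore ForceAuthn, it is worth verifying both halves: that the AuthnRequest leaving Access Server actually carries the flag, and that the Response's AuthnInstant is later than the request's IssueInstant (a fresh login rather than a reused session). The following is an added example, not code from the Access Server documentation; the request and Response XML are constructed samples and the IdP URL is a placeholder.

```python
import base64
import zlib
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnRequest, shaped like one sent with the toggle set to Yes.
REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_req1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" '
           'ForceAuthn="true" Destination="https://idp.example.test/sso"/>')

def response_with_instant(instant):
    """Constructed minimal IdP Response whose AuthnStatement carries the given AuthnInstant."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">'
            '<saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:AuthnStatement AuthnInstant="{instant}" SessionIndex="_s1"/>'
            '</saml:Assertion></samlp:Response>')

def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the SAMLRequest query value)."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(saml_request):
    """Reverse of the above, for a URL-decoded SAMLRequest value copied from the redirect."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()

def force_authn_requested(authn_request_xml):
    """True only if the request carries ForceAuthn="true" (absent means false per SAML)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").lower() == "true"

def _instant(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def idp_reauthenticated(authn_request_xml, response_xml):
    """True if the IdP authenticated the user after our request was issued, i.e. it did not
    reuse an earlier session. Run this on a Response whose signature was already verified."""
    issued = _instant(ET.fromstring(authn_request_xml).get("IssueInstant"))
    stmt = ET.fromstring(response_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("no AuthnStatement in Response")
    return _instant(stmt.get("AuthnInstant")) > issued
```

An AuthnInstant earlier than the IssueInstant means the IdP reused an existing session despite the flag, which is the case to raise with the IdP administrator.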