
Tutorial: Setting up forced authentication (forceAuthn) for SAML users

Abstract

Request the re-authentication of users with each sign-on using the SAML forceAuthn content parameter.

Overview

For customers with high-security requirements, you may want to break the single sign-on behavior of SAML authentication and require users to re-authenticate. You can do this with forceAuthn, a content parameter of the SAML AuthnRequest. It asks the IdP to require user interaction for authentication even if the user already has an active session. You configure this with a toggle in the Admin Web UI, which sets forceAuthn to true.

  • SAML is set up for Access Server and your IdP.

When you turn on the forceAuthn flag, Access Server instructs the Identity Provider (IdP) to force the user to re-authenticate, even if they already have an active session. This is achieved by setting the ForceAuthn attribute in the SAML authentication request (AuthnRequest) that Access Server sends to the IdP.

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Under the AuthNRequest section, set Send ForceAuthn to Off.

  5. Click Save and Restart.

Tip

When set to On, ForceAuthn='true' is included in the AuthnRequest made to the IdP, requesting user interaction while the IdP handles the request. This overrides the usual, implicit assumption that a previous authentication state can be reused; however, it is up to the SAML IdP to decide whether to honor this request.
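To make the mechanism concrete, the following Python example (added here; it is not Access Server code and does not use the Access Server API) builds a minimal SAML 2.0 AuthnRequest with and without the ForceAuthn attribute, and then applies the check a practitioner wants because of the caveat above: since the IdP may ignore ForceAuthn, the relying party can compare the AuthnInstant in the returned assertion against the IssueInstant of its own request. An AuthnInstant older than the request means the IdP reused an existing session rather than re-authenticating the user. The issuer, ACS URL, request ID and the two SAML responses are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def build_authn_request(issuer, acs_url, request_id, issued_at, force_authn):
    """Build a minimal SP-initiated AuthnRequest; force_authn=True adds ForceAuthn="true"."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issued_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        # This attribute is what the Admin Web UI toggle controls.
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def requests_force_authn(authn_request_xml):
    """True if the AuthnRequest carries ForceAuthn="true" (absent attribute means false)."""
    root = ET.fromstring(authn_request_xml)
    return root.get("ForceAuthn", "false").strip().lower() == "true"


def idp_honored_force_authn(authn_request_xml, response_xml):
    """True only if every AuthnStatement in the response was issued at or after our request.

    An AuthnInstant earlier than the request's IssueInstant shows the IdP reused a session
    that existed before we asked for fresh authentication, i.e. it did not honor ForceAuthn.
    """
    issued = parse_ts(ET.fromstring(authn_request_xml).get("IssueInstant"))
    resp = ET.fromstring(response_xml)
    instants = [parse_ts(s.get("AuthnInstant"))
                for s in resp.iterfind(".//saml:AuthnStatement", NS)]
    return bool(instants) and all(t >= issued for t in instants)


# Constructed sample values (hypothetical SP and IdP, not real endpoints).
ISSUED_AT = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
REQUEST_FORCED = build_authn_request(
    "https://vpn.example.test/saml", "https://vpn.example.test/acs", "_req1", ISSUED_AT, True)
REQUEST_PLAIN = build_authn_request(
    "https://vpn.example.test/saml", "https://vpn.example.test/acs", "_req2", ISSUED_AT, False)

_RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp" Version="2.0" '
    'IssueInstant="2024-05-01T10:00:05Z">'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:05Z">'
    '<saml:AuthnStatement AuthnInstant="%s" SessionIndex="_s1"/>'
    '</saml:Assertion></samlp:Response>'
) 
# IdP re-authenticated the user after receiving the request.
RESPONSE_FRESH = _RESPONSE_TEMPLATE % (SAMLP, SAML, "2024-05-01T10:00:04Z")
# IdP reused a session established earlier in the morning.
RESPONSE_STALE = _RESPONSE_TEMPLATE % (SAMLP, SAML, "2024-05-01T08:30:00Z")


def demo():
    return {
        "forced_request_has_flag": requests_force_authn(REQUEST_FORCED),
        "plain_request_has_flag": requests_force_authn(REQUEST_PLAIN),
        "fresh_response_honored": idp_honored_force_authn(REQUEST_FORCED, RESPONSE_FRESH),
        "stale_response_honored": idp_honored_force_authn(REQUEST_FORCED, RESPONSE_STALE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The comparison of AuthnInstant against the request's IssueInstant is the practical way to tell whether an IdP honored ForceAuthn: a stale AuthnInstant on a request that carried ForceAuthn is worth logging, because it means the re-authentication you configured is not actually happening.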