SAML Force ReAuth
-
Just set up Xen Orchestra and configured auth-saml to authenticate against Azure/Entra. If I have already authenticated against Azure in another browser tab then I'm auto logged into XO. Some services allow forcing reauthentication on each login.
It appears you are using https://github.com/node-saml/passport-saml, this library for SAML 2.0, and it does support this feature; it is called forceAuthn. Would it be possible to add another toggle like "Don't request an authentication context" that switches this feature on or off?
forceAuthn: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
-
That's possible, but you'll have to test it if we add it, because we have zero way to test that.
Pinging @julien-f
-
@olivierlambert More than happy to test it.
From what I understand this feature is actually optional in the SAML standard, so a fair few providers do not support it and just ignore it. Might confuse a few people when it does nothing for their IdP. Definitely works for Entra though.
-
@jeffmetal Please test the saml-forceAuthn branch and keep me posted.
-
@jeffmetal Will you be able to test it this week?
-
@julien-f Just looking at testing this now, will let you know once it's set up.
-
@jeffmetal Thank you!
-
@julien-f @jeffmetal I tested this and all seems to be working.
-
@danielspahiu Thank you!