[keycloak-user] Unable to get SAML ForceAuthn to work

Hynek Mlnarik hmlnarik at redhat.com
Mon Sep 2 09:40:43 EDT 2019


Unfortunately at this moment ForceAuthn is not supported, see
https://issues.jboss.org/browse/KEYCLOAK-5584



On Fri, Aug 30, 2019 at 7:10 PM Neil Russell <nrussell at egbc.ca> wrote:

> Hi John,
>
> No worries. Can you (or anyone else) confirm if Keycloak supports
> ForceAuthn when acting as the identity provider? I've applied a fix locally
> that appears to be handling the 1 correctly but after a bit more digging it
> doesn't look like AuthnRequestType.IsForceAuthn() is referenced during the
> processing of a login request.
>
> Thanks,
> Neil
>
> On 8/29/19 5:25 PM, Neil Russell wrote:
> > Hi John,
> >
> > The lexical space for a boolean in the document you referenced is
> defined as:
> >     -An instance of a datatype that is defined as ·boolean· can have the
> following legal literals {true, false, 1, 0}.
> >
> > That document seems to confirm that 1 or 0 is compliant.
>
> Right you are, my bad. Thanks for the clarification.
>
> > -----Original Message-----
> > From: John Dennis <jdennis at redhat.com>
> > Sent: Thursday, August 29, 2019 1:00 PM
> > To: Neil Russell <nrussell at egbc.ca>; 'keycloak-user at lists.jboss.org' <
> keycloak-user at lists.jboss.org>
> > Subject: Re: [keycloak-user] Unable to get SAML ForceAuthn to work
> >
> > On 8/29/19 3:03 PM, Neil Russell wrote:
> >> Hey,
> >>
> >> I'm trying to get ForceAuthn to work with a third party who is using
> Shibboleth but have been unable to get it to force re-authentication if I
> have an existing session. I've inspected the SAML request and ForceAuthn is
> being passed in the request, one issue is that Shibboleth passes
> ForceAuthn="1" instead of ForceAuthn="true" and the parser doesn't appear
> to handle that. I made a fix to the StaxParserUtil class to try and get it
> working but even though I can now see that parser is returning true when
> the ForceAuthn attribute is read I'm still not getting the expected
> behaviour and I'm not sure where to look next.
> >>
> >> Any suggestions would be appreciated, am I looking in completely the
> wrong place?
> >
> > The ForceAuthn attribute is defined as an xsi:boolean. The XML schema
> > (https://www.w3.org/TR/xmlschema-2/#boolean) defines a boolean as
> either "true" or "false", it's case sensitive, no other values are
> permitted.
> > Sounds like the Shibboleth SP is non-compliant.
> >
> >
> > --
> > John Dennis
> >
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
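As an added example, not Keycloak's code and not code posted by anyone in the thread: a parser that accepts the whole xs:boolean lexical space quoted above ({true, false, 1, 0}, whitespace collapsed, case-sensitive), applied to a constructed AuthnRequest of the form the thread describes (ForceAuthn="1"), beside a naive comparison against the single literal "true" that reproduces the failure mode. It also shows the IdP-side decision ForceAuthn is meant to drive: a true value means an existing session must not be reused. The namespace URIs are the SAML 2.0 ones; the request IDs, issuer, timestamp, function names and the naive parser are assumptions made for illustration.

```python
# Added example: xs:boolean parsing of the SAML 2.0 AuthnRequest ForceAuthn
# attribute, plus the IdP-side decision it should drive. Not Keycloak code;
# names, the sample messages and the naive parser are constructed for illustration.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# XML Schema Part 2, section 3.2.2: the lexical space of xs:boolean is
# {true, false, 1, 0}. Matching is case-sensitive, and the whiteSpace facet
# for xs:boolean is "collapse", so surrounding whitespace is not significant.
_XS_TRUE = frozenset({"true", "1"})
_XS_FALSE = frozenset({"false", "0"})


def parse_xs_boolean(literal, default=False):
    """Map an xs:boolean attribute value to a Python bool.

    `literal` is None when the attribute is absent; ForceAuthn is optional
    and defaults to false, which is what `default` covers. Anything outside
    the lexical space is an error rather than silently false.
    """
    if literal is None:
        return default
    value = literal.strip()
    if value in _XS_TRUE:
        return True
    if value in _XS_FALSE:
        return False
    raise ValueError(f"not an xs:boolean literal: {literal!r}")


def is_valid_xs_boolean(literal):
    """True if `literal` is in the xs:boolean lexical space."""
    try:
        parse_xs_boolean(literal)
    except ValueError:
        return False
    return True


def naive_parse(literal):
    """The failure mode: comparing against the single literal "true" makes a
    schema-valid ForceAuthn="1" read as false. Illustrative only; this is not
    a claim about how any particular library is implemented."""
    return literal == "true"


def force_authn_requested(authn_request_xml):
    """Read ForceAuthn from a serialised samlp:AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    return parse_xs_boolean(root.get("ForceAuthn"), default=False)


def must_reauthenticate(authn_request_xml, has_active_session):
    """IdP decision: with ForceAuthn true the existing session must not be
    reused; otherwise re-authentication is needed only when there is none."""
    if force_authn_requested(authn_request_xml):
        return True
    return not has_active_session


# Constructed sample requests (hypothetical ID, issuer and timestamp).
_REQUEST_TEMPLATE = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"'
    ' ID="_a1b2c3" Version="2.0" IssueInstant="2019-08-29T19:03:00Z"'
    ' {force_authn}>'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
# The form the thread describes: ForceAuthn="1" rather than "true".
SHIBBOLETH_STYLE_REQUEST = _REQUEST_TEMPLATE.format(force_authn='ForceAuthn="1"')
SPELLED_OUT_REQUEST = _REQUEST_TEMPLATE.format(force_authn='ForceAuthn="true"')
NO_FORCE_REQUEST = _REQUEST_TEMPLATE.format(force_authn="")

if __name__ == "__main__":
    for name, req in [("ForceAuthn=1", SHIBBOLETH_STYLE_REQUEST),
                      ("ForceAuthn=true", SPELLED_OUT_REQUEST),
                      ("no ForceAuthn", NO_FORCE_REQUEST)]:
        print(f"{name:16} forceAuthn={force_authn_requested(req)!s:5} "
              f"reauth with live session={must_reauthenticate(req, True)}")
    print("naive parser on '1':", naive_parse("1"))
```

The parser rejects out-of-space literals such as "True" or "yes" instead of mapping them to false, so a malformed request fails loudly rather than silently skipping re-authentication; the default only applies when the attribute is genuinely absent.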

