Re: [keycloak-user] Unable to get SAML ForceAuthn to work

Hi John, No worries. Can you (or anyone else) confirm if Keycloak supports ForceAuthn when acting as the identity provider? I've applied a fix locally that appears to be handling the 1 correctly but after a bit more digging it doesn't look like AuthnRequestType.IsForceAuthn() is referenced during the processing of a login request. Thanks, Neil On 8/29/19 5:25 PM, Neil Russell wrote: > Hi John, > > The lexical space for a boolean in the document you referenced is defined as: > -An instance of a datatype that is defined as ·boolean· can have the following legal literals {true, false, 1, 0}. > > That document seems to confirm that 1 or 0 is compliant. Right you are, my bad. Thanks for the clarification. > -----Original Message----- > From: John Dennis <jdennis(a)redhat.com&gt; > Sent: Thursday, August 29, 2019 1:00 PM > To: Neil Russell <nrussell(a)egbc.ca>; &#39;keycloak-user(a)lists.jboss.org&#39; < keycloak-user(a)lists.jboss.org&gt; > Subject: Re: [keycloak-user] Unable to get SAML ForceAuthn to work > > On 8/29/19 3:03 PM, Neil Russell wrote: >> Hey, >> >> I'm trying to get ForceAuthn to work with a third party who is using Shibboleth but have been unable to get it to force re-authentication if I have an existing session. I've inspected the SAML request and ForceAuthn is being passed in the request, one issue is that Shibboleth passes ForceAuthn="1" instead of ForceAuthn="true" and the parser doesn't appear to handle that. I made a fix to the StaxParserUtil class to try and get it working but even though I can now see that parser is returning true when the ForceAuthn attribute is read I'm still not getting the expected behaviour and I'm not sure where to look next. >> >> Any suggestions would be appreciated, am I looking in completely the wrong place? > > The ForceAuthn attribute is defined as an xsi:boolean. The XML schema > (https://www.w3.org/TR/xmlschema-2/#boolean) defines a boolean as either "true" or "false", it's case sensitive, no other values are permitted. > Sounds like the Shibboleth SP is non-compliant. > > > -- > John Dennis > -- John Dennis _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user