On 8/29/19 3:03 PM, Neil Russell wrote:
> Hey,
> I'm trying to get ForceAuthn to work with a third party who is using Shibboleth but
> have been unable to get it to force re-authentication if I have an existing session.
> I've inspected the SAML request and ForceAuthn is being passed in the request, one
> issue is that Shibboleth passes ForceAuthn="1" instead of
> ForceAuthn="true" and the parser doesn't appear to handle that. I made a fix
> to the StaxParserUtil class to try and get it working but even though I can now see that
> the parser is returning true when the ForceAuthn attribute is read I'm still not getting
> the expected behaviour and I'm not sure where to look next.
> Any suggestions would be appreciated, am I looking in completely the wrong place?

The ForceAuthn attribute is defined as an xsi:boolean. The XML schema
(https://www.w3.org/TR/xmlschema-2/#boolean) defines a boolean as either
"true" or "false", it's case sensitive, no other values are permitted.
Sounds like the Shibboleth SP is non-compliant.
--
John Dennis