Hi John,
The lexical space for a boolean in the document you referenced is defined as:
-An instance of a datatype that is defined as ·boolean· can have the following legal
literals {true, false, 1, 0}.
That document seems to confirm that 1 or 0 is compliant.
Neil
-----Original Message-----
From: John Dennis <jdennis(a)redhat.com>
Sent: Thursday, August 29, 2019 1:00 PM
To: Neil Russell <nrussell(a)egbc.ca>; 'keycloak-user(a)lists.jboss.org'
<keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Unable to get SAML ForceAuthn to work
On 8/29/19 3:03 PM, Neil Russell wrote:
Hey,
I'm trying to get ForceAuthn to work with a third party who is using Shibboleth but
have been unable to get it to force re-authentication if I have an existing session.
I've inspected the SAML request and ForceAuthn is being passed in the request, one
issue is that Shibboleth passes ForceAuthn="1" instead of
ForceAuthn="true" and the parser doesn't appear to handle that. I made a fix
to the StaxParserUtil class to try and get it working but even though I can now see that
the parser is returning true when the ForceAuthn attribute is read I'm still not getting
the expected behaviour and I'm not sure where to look next.
Any suggestions would be appreciated, am I looking in completely the wrong place?
The ForceAuthn attribute is defined as an xsi:boolean. The XML schema
(https://www.w3.org/TR/xmlschema-2/#boolean) defines a boolean as either "true"
or "false", it's case sensitive, no other values are permitted.
Sounds like the Shibboleth SP is non-compliant.
--
John Dennis
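
The lexical-space point quoted at the top of the thread, as an added example that is not part of the original messages and is not Keycloak's code: a stand-alone StAX reader that accepts exactly the four literals {true, false, 1, 0} for ForceAuthn and rejects anything else. The class name, method names and sample requests are hypothetical, and treating an absent attribute as false follows the default given in the SAML 2.0 core specification.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example; class and method names are hypothetical, not Keycloak's.
public class ForceAuthnExample {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    // xs:boolean lexical space is exactly {true, false, 1, 0}, case-sensitive.
    static boolean parseXsBoolean(String raw) {
        switch (raw.trim()) { // the whiteSpace facet of xs:boolean is "collapse"
            case "true": case "1": return true;
            case "false": case "0": return false;
            default: throw new IllegalArgumentException("not an xs:boolean: '" + raw + "'");
        }
    }
    // Reads ForceAuthn from the root samlp:AuthnRequest; an absent attribute means false.
    static boolean readForceAuthn(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false); // SAML messages carry no DTD
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() != XMLStreamConstants.START_ELEMENT) continue;
                if (!SAMLP.equals(r.getNamespaceURI()) || !"AuthnRequest".equals(r.getLocalName()))
                    throw new IllegalArgumentException("root is not samlp:AuthnRequest");
                String raw = r.getAttributeValue(null, "ForceAuthn");
                return raw != null && parseXsBoolean(raw);
            }
            throw new IllegalArgumentException("no root element");
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample requests, trimmed to the attributes that matter here.
        String tmpl = "<samlp:AuthnRequest xmlns:samlp=\"" + SAMLP + "\" ID=\"_x\" Version=\"2.0\"%s/>";
        for (String attr : new String[] {" ForceAuthn=\"1\"", " ForceAuthn=\"true\"", " ForceAuthn=\"0\"", ""})
            System.out.println("[" + attr.trim() + "] -> " + readForceAuthn(String.format(tmpl, attr)));
        try {
            readForceAuthn(String.format(tmpl, " ForceAuthn=\"TRUE\""));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

This covers only how the attribute value is read; it says nothing about why re-authentication was still not triggered once the value parsed as true.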