[keycloak-user] Supporting forceAuthn on a per scenario basis
John D. Ament
john.d.ament at gmail.com
Fri Jun 23 14:32:11 EDT 2017
Hi,
I have a use case where I need to support the SAML forceAuthn on a per-scenario
basis. E.g. when a user does action 1, I need to send the forceAuthn flag, but
when they do any other action, don't send it.
When I look at the code in SAMLIdentityProvider, I see this being built:
    SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
            .assertionConsumerUrl(assertionConsumerServiceUrl)
            .destination(destinationUrl)
            .issuer(issuerURL)
            .forceAuthn(getConfig().isForceAuthn())
            .protocolBinding(protocolBinding)
            .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));
so it always looks at the config. If we wanted to support a forceAuthn
behavior based on other actions, how could that work? I was thinking the
OIDC prompt attribute could be used, but I don't seem to have the OIDC
request available in this class.
John
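One way the per-scenario decision described above could be made, added here as an illustration and not code from the original post or from the Keycloak project: the static per-IdP `forceAuthn` setting stays as the baseline, and the OIDC `prompt=login` value that the client sent on the original authorization request is mapped to SAML `ForceAuthn="true"`. It assumes that the Keycloak `AuthenticationRequest` passed to `performLogin()` exposes the authentication session, that the OIDC `prompt` parameter is stored on that session as a client note under `OIDCLoginProtocol.PROMPT_PARAM`, and that `OIDCLoginProtocol.PROMPT_VALUE_LOGIN` is `"login"`; the `ForceAuthnPolicy` class and its methods are hypothetical names.

```java
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Hypothetical helper (not part of Keycloak) that decides whether the outgoing
 * SAML AuthnRequest should carry ForceAuthn="true". Intended to be called from
 * SAMLIdentityProvider.performLogin() in place of the bare
 * getConfig().isForceAuthn() lookup.
 */
public final class ForceAuthnPolicy {

    private ForceAuthnPolicy() {
    }

    /**
     * The configured IdP-wide flag wins; otherwise a sensitive action that the
     * client started with prompt=login forces re-authentication at the SAML IdP.
     */
    public static boolean shouldForceAuthn(boolean configuredForceAuthn,
                                           AuthenticationRequest request) {
        if (configuredForceAuthn) {
            return true;
        }
        AuthenticationSessionModel authSession = request.getAuthenticationSession();
        if (authSession == null) {
            return false;
        }
        // Assumed: the OIDC "prompt" request parameter is copied onto the
        // authentication session as a client note keyed by OIDCLoginProtocol.PROMPT_PARAM.
        String prompt = authSession.getClientNote(OIDCLoginProtocol.PROMPT_PARAM);
        return promptRequestsLogin(prompt);
    }

    /**
     * prompt is a space-delimited list of values (e.g. "consent login");
     * only the "login" value maps to ForceAuthn. Any other value, an empty
     * string, or a missing parameter leaves ForceAuthn off.
     */
    static boolean promptRequestsLogin(String prompt) {
        if (prompt == null || prompt.trim().isEmpty()) {
            return false;
        }
        for (String value : prompt.trim().split("\\s+")) {
            if (OIDCLoginProtocol.PROMPT_VALUE_LOGIN.equals(value)) {
                return true;
            }
        }
        return false;
    }

    // Usage inside performLogin(AuthenticationRequest request):
    //
    //     .forceAuthn(ForceAuthnPolicy.shouldForceAuthn(getConfig().isForceAuthn(), request))
    //
    // so "action 1" is implemented by the client sending prompt=login on its
    // OIDC authorization request for that action, and every other action keeps
    // the IdP-level default.
}
```

Keeping the configured flag as an override means an administrator can still force re-authentication for every brokered login regardless of what clients ask for, while the `prompt=login` path lets an individual client request it only for the sensitive action; the space-delimited parsing matters because `prompt` may carry several values at once.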