[keycloak-user] Unable to get SAML ForceAuthn to work

John Dennis jdennis at redhat.com
Thu Aug 29 16:00:16 EDT 2019


On 8/29/19 3:03 PM, Neil Russell wrote:
> Hey,
> 
> I'm trying to get ForceAuthn to work with a third party who is using Shibboleth, but have been unable to get it to force re-authentication if I have an existing session. I've inspected the SAML request and ForceAuthn is being passed in the request; one issue is that Shibboleth passes ForceAuthn="1" instead of ForceAuthn="true" and the parser doesn't appear to handle that. I made a fix to the StaxParserUtil class to try and get it working, but even though I can now see that the parser is returning true when the ForceAuthn attribute is read, I'm still not getting the expected behaviour and I'm not sure where to look next.
> 
> Any suggestions would be appreciated, am I looking in completely the wrong place?

The ForceAuthn attribute is defined as an xsi:boolean. The XML schema 
(https://www.w3.org/TR/xmlschema-2/#boolean) defines a boolean as either 
"true" or "false"; it's case-sensitive, and no other values are permitted. 
Sounds like the Shibboleth SP is non-compliant.


-- 
John Dennis
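The thread turns on how the ForceAuthn attribute of a samlp:AuthnRequest is read and what the IdP then does with an existing session. The example below is added here; it is not Keycloak's code, not Neil's StaxParserUtil patch, and not Shibboleth's. It parses the attribute as an xs:boolean (XML Schema Part 2 lists the lexical forms "true", "false", "1" and "0") and feeds the result into a deliberately simplified session-reuse decision: a session may only be reused when ForceAuthn is false, and an unrecognized literal is rejected instead of being silently treated as false, because that silent fallback is exactly what lets an SP's demand for fresh authentication be ignored. The AuthnRequest strings are constructed for the example and the `must_reauthenticate` decision is an assumption about IdP behaviour, not Keycloak's implementation; the remaining behaviour Neil reports after his parser fix lies outside what this shows.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AUTHN_REQUEST_TAG = "{%s}AuthnRequest" % SAMLP_NS


def _request(force_authn_attr):
    # Constructed, minimal, unsigned AuthnRequest (not captured from the thread);
    # only the ForceAuthn attribute text differs between samples.
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" ID="_example" Version="2.0" '
        'IssueInstant="2019-08-29T19:03:00Z"%s/>' % (SAMLP_NS, force_authn_attr)
    )


REQUEST_SHIBBOLETH_STYLE = _request(' ForceAuthn="1"')   # the form the thread reports
REQUEST_TRUE = _request(' ForceAuthn="true"')
REQUEST_ZERO = _request(' ForceAuthn="0"')
REQUEST_ABSENT = _request("")
REQUEST_BOGUS = _request(' ForceAuthn="yes"')


def parse_xsd_boolean(literal):
    """Map an xs:boolean literal to a Python bool.

    The schema datatype has four lexical forms: "true", "false", "1", "0".
    Surrounding whitespace is collapsed; anything else ("TRUE", "yes", ...)
    is a schema violation and is rejected rather than mapped to False.
    """
    v = literal.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError("invalid xs:boolean literal: %r" % literal)


def strict_true_only(literal):
    """The narrower behaviour the thread describes: only "true" is recognized;
    every other value, including "1", is treated as False."""
    return literal == "true"


def force_authn_requested(xml_text, parser=parse_xsd_boolean):
    """Read ForceAuthn from an AuthnRequest. Absent attribute means False
    (it is optional in SAML Core and defaults to false)."""
    root = ET.fromstring(xml_text)
    if root.tag != AUTHN_REQUEST_TAG:
        raise ValueError("not a samlp:AuthnRequest")
    raw = root.get("ForceAuthn")
    if raw is None:
        return False
    return parser(raw)


def must_reauthenticate(xml_text, has_active_session, parser=parse_xsd_boolean):
    """Simplified IdP-side decision (assumption, not Keycloak's logic):
    without a session the user must authenticate anyway; with one, the
    session may be reused only if the SP did not set ForceAuthn."""
    if not has_active_session:
        return True
    return force_authn_requested(xml_text, parser)


if __name__ == "__main__":
    for name, req in (("1", REQUEST_SHIBBOLETH_STYLE), ("true", REQUEST_TRUE),
                      ("0", REQUEST_ZERO), ("absent", REQUEST_ABSENT)):
        print("ForceAuthn=%-6s schema parser -> reauth=%s   true-only parser -> reauth=%s" % (
            name,
            must_reauthenticate(req, True),
            must_reauthenticate(req, True, parser=strict_true_only)))
```

Running it side by side shows the gap the thread describes: with the true-only parser the request carrying ForceAuthn="1" lets the existing session be reused, while the schema-aware parser forces re-authentication; a malformed literal such as "yes" raises instead of quietly weakening the check.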

