ForceAuthn based on IDP entityId

ForceAuthn based on IDP entityId

Shibboleth - Developers mailing list
Is there a way to configure the SP so ForceAuthn=true only for
specific IDP's?    The use case is we want to allow SSO for our
internal IDP only, but for all other external IDP's we want
ForceAuthn=true.

--

Thanks,

Dan
--
To unsubscribe from this list send an email to [hidden email]
Re: ForceAuthn based on IDP entityId

Thomas Smets

2 installs with 2 configs & 2 URL's ...

\T,

On 11/02/2021 04:52, Dan McLaughlin via dev wrote:
Is there a way to configure the SP so ForceAuthn=true only for
specific IDP's?    The use case is we want to allow SSO for our
internal IDP only, but for all other external IDP's we want
ForceAuthn=true.

--

Thanks,

Dan
--
Thomas Lionel SMETS
m : +32 497 44 68 12
p : +32 2 852 3341
@ : [hidden email] (Hangout)
Skype : thomas.smets

Serial Number: 73:79:9F:5A:A2:01:B1:8E:35:A5:B5:95:C4:12:DD:9F
SHA-256 : 75:8E:3D:47:05:E7:D9:16:39:3E:D5:51:C4:E1:10:63:63:D8:F5:25:CB:AE:80:64:65:5A:28:DE:9D:51:F1:D4


Re: ForceAuthn based on IDP entityId

Cantor, Scott E.
In reply to this post by Shibboleth - Developers mailing list
On 2/10/21, 10:52 PM, "dev on behalf of Dan McLaughlin via dev" <[hidden email] on behalf of [hidden email]> wrote:

>    Is there a way to configure the SP so ForceAuthn=true only for
>    specific IDP's?    The use case is we want to allow SSO for our
>    internal IDP only, but for all other external IDP's we want
>    ForceAuthn=true.

No, but the documentation says authnContextClassRef and NameIDFormat are customizable, which means it's looking at the RelyingParty elements when it issues AuthnRequests. So I suspect it could and just isn't.

-- Scott



Re: ForceAuthn based on IDP entityId

Shibboleth - Developers mailing list
In our case we'd want all IDP's to have forcedAuthn=true except for
our internal IDP.   Sounds like this isn't possible, am I
understanding you correctly?

--

Thanks,

Dan McLaughlin
Technology Consortium, LLC
[hidden email]
mobile: 512.633.8086
http://www.tech-consortium.com

NOTICE: This e-mail message and all attachments transmitted with it
are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is strictly prohibited. The contents of
this e-mail are confidential and may be subject to work product
privileges. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.


Re: ForceAuthn based on IDP entityId

Cantor, Scott E.
On 2/11/21, 8:30 PM, "Dan McLaughlin" <[hidden email]> wrote:

>    In our case we'd want all IDP's to have forcedAuthn=true except for
>    our internal IDP.   Sounds like this isn't possible, am I
>    understanding you correctly?

It's not possible.

-- Scott



Re: ForceAuthn based on IDP entityId

Shibboleth - Developers mailing list
Is there a way to cause maxTimeSinceAuthn to trigger a redirect to the
IDP for authentication with ForceAuthn=true instead of throwing a
"FatalProfileException - The gap between now and the time you logged
into your identity provider exceeds the limit."

--

Thanks,

Dan


Re: ForceAuthn based on IDP entityId

Cantor, Scott E.
On 2/18/21, 10:02 PM, "Dan McLaughlin" <[hidden email]> wrote:

>    Is there a way to cause maxTimeSinceAuthn to trigger a redirect to the
>    IDP for authentication with ForceAuthn=true instead of throwing a
>    "FatalProfileException - The gap between now and the time you logged
>    into your identity provider exceeds the limit."

Yes, the redirectErrors setting, to a script you control.

-- Scott



Re: ForceAuthn based on IDP entityId

Shibboleth - Developers mailing list
Is there an example in the docs anywhere?

--

Thanks,

Dan McLaughlin
Technology Consortium, LLC
[hidden email]
mobile: 512.633.8086
http://www.tech-consortium.com


Re: ForceAuthn based on IDP entityId

Cantor, Scott E.
On 2/25/21, 11:40 AM, "Dan McLaughlin" <[hidden email]> wrote:

>    Is there an example in the docs anywhere?

https://wiki.shibboleth.net/confluence/display/SP3/Errors

-- Scott


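An added example of the redirectErrors handler Scott points to, written for this archive; it is not code from the thread, the Shibboleth project, or the linked wiki page. It assumes the SP appends errorText, requestURL and entityID as query parameters to the redirectErrors URL (names taken from the SP3 Errors documentation; check them against your version), that the SessionInitiator is at the default /Shibboleth.sso/Login and accepts target, entityID and forceAuthn, and that the hostname, cookie name and port are constructed placeholders. The handler re-runs login with ForceAuthn=true only for the maxTimeSinceAuthn error, only for targets on the SP's own host (so the handler cannot be used as an open-redirect relay), and only once per short window, so an IdP that ignores ForceAuthn produces an error page rather than a redirect loop.

```python
# Added example, not from the thread or the Shibboleth project.
# The SP is pointed at this handler with something like:
#   <Errors redirectErrors="https://sp.example.org/sp-error" .../>
# ASSUMPTIONS: the SP appends errorText, requestURL and entityID to the
# redirect URL (per the SP3 Errors docs; verify for your version); the
# SessionInitiator lives at the default /Shibboleth.sso/Login; hostname,
# cookie name and port below are constructed placeholders.
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

SP_HOST = "sp.example.org"                   # constructed: this SP's own vhost
SESSION_INITIATOR = "/Shibboleth.sso/Login"  # assumed default handler path
STALE_AUTHN_TEXT = "exceeds the limit"       # substring of the maxTimeSinceAuthn message
RETRY_COOKIE = "sp_forceauthn_retry"         # hypothetical loop-guard cookie name
RETRY_WINDOW_SECONDS = 60


def is_stale_authn_error(params):
    """True when the SP reported an IdP session older than maxTimeSinceAuthn."""
    return STALE_AUTHN_TEXT in params.get("errorText", "")


def same_origin_target(request_url, expected_host):
    """Only send users back into resources on this SP's own host over https."""
    parsed = urlparse(request_url)
    return parsed.scheme == "https" and parsed.hostname == expected_host


def build_forceauthn_login(params):
    """SessionInitiator URL that re-runs login with ForceAuthn=true for the same target."""
    query = {"target": params["requestURL"], "forceAuthn": "true"}
    if params.get("entityID"):
        query["entityID"] = params["entityID"]  # pin to the IdP the SP was already using
    return SESSION_INITIATOR + "?" + urlencode(query)


def handle_error(query_string, cookie_header="", sp_host=SP_HOST):
    """Decide the response as (status, headers, body) so it is testable without a server."""
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    already_retried = f"{RETRY_COOKIE}=1" in cookie_header
    target = params.get("requestURL", "")
    if (is_stale_authn_error(params) and not already_retried
            and same_origin_target(target, sp_host)):
        headers = {
            "Location": build_forceauthn_login(params),
            # One retry per window: if the IdP ignores ForceAuthn we fall through
            # to the error page instead of bouncing between SP and IdP forever.
            "Set-Cookie": f"{RETRY_COOKIE}=1; Path=/; Max-Age={RETRY_WINDOW_SECONDS}; "
                          "Secure; HttpOnly; SameSite=Lax",
        }
        return 302, headers, ""
    # Every other error (or a second stale-authn error) renders a plain page;
    # errorText is SP-supplied but still escaped before it goes into HTML.
    body = ("<html><body><h1>Sign-in problem</h1><p>%s</p></body></html>"
            % escape(params.get("errorText", "Unknown error")))
    return 500, {"Content-Type": "text/html; charset=utf-8"}, body


class ErrorHandler(BaseHTTPRequestHandler):
    """Minimal stand-alone server around handle_error()."""

    def do_GET(self):
        status, headers, body = handle_error(urlparse(self.path).query,
                                             self.headers.get("Cookie", ""))
        payload = body.encode("utf-8")
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Constructed port; put a real deployment behind the SP's own web server.
    HTTPServer(("127.0.0.1", 8089), ErrorHandler).serve_forever()
```

Note that this only changes what the user sees after the SP has already rejected the stale session; the per-IdP ForceAuthn requirement from the top of the thread is still not something the SP configuration expresses, so the handler leaves entityID as the SP reported it rather than choosing an IdP itself.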