ForceAuthn can not be set in SP settings
Currently, there is no possibility to set the ForceAuthn property when creating a new SP instance by using properties in ServiceProviderSettings directly.
@nflaig I am thinking whether it should put into request-level property or entity-level property. See the discussion of relayState configuration. https://github.com/tngan/samlify/issues/163
@tngan for me at least both would work because I have to create a new entity for each request anyway, so it wouldn't really matter. Maybe since it is not reflected in the metadata itself and only in the authnrequest it makes sense to put it into a request-level property, or even allow setting it in both and let the request-level value override the entity-level property. Putting it in the request-level would also mean that depending on which user triggered the authnrequest this behaviour changes, which seems unlikely. So I would rather lean to providing it only as an entity-level property.
@nflaig I am not sure about the practical use of ForceAuthn; the default value is false in the specification. The reason why I point it out is that this property cannot be a static value like always true, which means it is less optimal to put it at entity level, because it should require an IdP password challenge only under some special conditions.
There is an interesting use case for risk-based authentication. It's just for your reference.
@tngan The article makes sense. I also remembered another use case, which is electronic signatures. In a pharma environment the user should be forced to re-enter the password before the signature is done. After more consideration I would also say it rather belongs in the request-level setting.
@tngan Thanks for this easy to use library. However, I would also have need of the ForceAuthn flag. Are there any updates on this feature? I also agree that a request-level setting would make sense.
A bit of a disclaimer since I have not tried it myself yet, but to anyone else in the meantime it looks like it is possible to add it by providing your own defaultLoginRequestTemplate.
```typescript
import { SamlLib } from 'samlify';

// Insert an attribute into the first tag of an XML string
// (here the <samlp:AuthnRequest ...> opening tag of the template).
function insertTagProperty(xmlTag: string, property: string) {
  return xmlTag.replace('>', ` ${property}>`);
}

// Mutate the shared default login-request template so every
// AuthnRequest built from it carries ForceAuthn="true".
const defaultTemplate = SamlLib.defaultLoginRequestTemplate;
defaultTemplate.context = insertTagProperty(defaultTemplate.context, 'ForceAuthn="true"');
```
Update: The workaround has been working well for me so far. Though I am still hoping for an official solution.
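The thread settles on ForceAuthn being a request-level decision (the e-signature case), while the workaround above mutates the shared default template, so it applies to every request. As an added example that is not part of this thread or of samlify, the following TypeScript builds a per-request copy of a template with ForceAuthn="true" present or absent, targeting the `<samlp:AuthnRequest>` opening tag rather than the first `>` in the string. The `SAMPLE_TEMPLATE` string and the function names are constructed for this example; they only mimic the shape of a samlify login-request template.

```typescript
// Constructed stand-in for a samlify login-request template (the real one is longer).
const SAMPLE_TEMPLATE =
  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" ' +
  'IssueInstant="{IssueInstant}" Destination="{Destination}" ' +
  'AssertionConsumerServiceURL="{AssertionConsumerServiceURL}">' +
  '<saml:Issuer>{Issuer}</saml:Issuer></samlp:AuthnRequest>';

// Matches only the <samlp:AuthnRequest ...> opening tag, so an XML declaration or
// a different leading element in a custom template cannot be hit by mistake.
const AUTHN_REQUEST_OPEN_TAG = /<samlp:AuthnRequest\b([^>]*)>/;

// Return a new template string with ForceAuthn="true" present (force=true) or
// absent (force=false). The input is never mutated and the call is idempotent.
function withForceAuthn(template: string, force: boolean): string {
  const match = AUTHN_REQUEST_OPEN_TAG.exec(template);
  if (!match) {
    throw new Error('template has no <samlp:AuthnRequest> opening tag');
  }
  // Drop any ForceAuthn already present so repeated calls do not stack attributes.
  const attrs = match[1].replace(/\s+ForceAuthn="(?:true|false)"/g, '');
  const rebuilt = force
    ? `<samlp:AuthnRequest${attrs} ForceAuthn="true">`
    : `<samlp:AuthnRequest${attrs}>`;
  return template.replace(AUTHN_REQUEST_OPEN_TAG, rebuilt);
}

// Number of ForceAuthn="true" occurrences; used to check idempotency.
function forceAuthnCount(template: string): number {
  return (template.match(/ForceAuthn="true"/g) || []).length;
}

// Request-level decision (hypothetical actions): only the signing flow
// forces the IdP to re-authenticate the user; a plain view does not.
function templateForAction(action: 'view' | 'sign', base: string = SAMPLE_TEMPLATE): string {
  return withForceAuthn(base, action === 'sign');
}
```

The per-request string returned by `templateForAction` is what you would hand to the request builder instead of rewriting the library-wide default.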