Forced Authentication with Shibboleth SP
Single sign-on (SSO) allows users to authenticate once against an Identity Provider (IdP), and get "automatically" logged into one or more Service Providers (SPs), without need to re-authenticate for a period of time determined by the length of the IdP's "session" (often taking the form of a cookie stored in the user's browser).
Some services require an additional layer of security. They require the user to enter their login and password every time they enter the application. This is typically due to the nature of the application - i.e. higher-risk data like payroll - and hence the SP can send a SAML AuthnRequest with a special
forceAuthn flag, like so:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d7d60924682b543f51b9f6eb9810b75e" IssueInstant=""2020-01-01T00:00:00Z" Destination="http://idp.example.com/idp/profile/SAML2/Redirect/SSO" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/Shibboleth.sso/SAML2/POST" Version="2.0" ForceAuthn="true"> <saml:Issuer>http://sp.example.com/shibboleth</saml:Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/> <samlp:NameIDPolicy AllowCreate="1" /> </samlp:AuthnRequest>
In order to configure Shibboleth SP to generate this kind of request, there are two elements in
shibboleth2.xml that need to be adjusted:
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" maxTimeSinceAuthn="10" checkAddress="false" handlerSSL="true" cookieProps="https">
First, in the
<Sessions> element, set the
maxTimeSinceAuthn parameter to some short interval. This checks that an actual username and password was entered in the last specified number seconds (the example here sets it to 10 seconds).
Next, in the
<SSO entityID="http://idp.example.com/idp/shibboleth" forceAuthn="true" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
forceAuthn flag set with a value of
Step Up Authentication
Note, that these settings can be applied in any application declaration, whether it be the default setting, or you utilize an
ApplicationOverride to establish a second, logical SP. The latter scenario is often utilized when employing "step-up" authentication.
For example, you may have one or more paths which you'd want to protect with an added layer of security. In this case, you can deploy an
ApplicationOverride that's also integrated with your partner IdP, and protect that content with the second application in Shibboleth. In terms of Apache config, it may look something like this:
<Location /secure> AuthType shibboleth ShibRequestSetting requireSession 1 ShibRequestSetting entityID http://idp.example.com/idp/shibboleth require shib-session </Location> <Location /secure/supersecure> AuthType shibboleth ShibRequestSetting requireSession 1 ShibRequestSetting applicationId MyForceAuthnApp ShibRequestSetting entityID http://idp.example.com/idp/shibboleth require shib-session </Location>
where you configure an
ApplicationOverride with the id
MyForceAuthnApp to have the relevant
<SSO> blocks above.
Looking for support for Shibboleth? Look no further! Contact us for all of you SSO support needs!