Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to add ForceAuthn property to a SAML V2 request #1736

Open
Jlintonjr opened this issue May 27, 2022 · 5 comments
Open

Ability to add ForceAuthn property to a SAML V2 request #1736

Jlintonjr opened this issue May 27, 2022 · 5 comments
Labels
enhancement New feature or request feature

Comments

@Jlintonjr
Copy link

Jlintonjr commented May 27, 2022
edited by jobannon
Loading

Ability to add ForceAuthn property to a SAML V2 request

Problem

When a user authenticates through SAML V2 (particularly with Google), and the user selects an account to authenticate with, that selection is cached, and any subsequent authentications will not allow the user to be able to select which account they need to authenticate with.

Solution

Including the ForceAuthn property in the SAML request will allow the user to be able to choose which account they want to authenticate with each time they

Alternatives/workarounds

We have not been able to determine any current workarounds

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Additional context

First surfaced here: https://fusionauth.io/community/forum/topic/2070/is-there-a-way-to-add-the-forceauthn-property-to-a-saml-v2-request

3.4.1 Element

ForceAuthn [Optional]
A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than
rely on a previous security context. If a value is not provided, the default is "false". However, if both
ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the
presenter unless the constraints of IsPassive can be met.

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Related -
@mooreds mooreds added enhancement New feature or request feature labels May 27, 2022
@mikemonaco
Copy link

@Jlintonjr were you able to find a workaround for this?

@Jlintonjr
Copy link
Author

Hi @mikemonaco. No, we have not been able to find a workaround.

@mooreds
Copy link
Collaborator

mooreds commented Feb 3, 2023

@Jlintonjr @mikemonaco have you considered using the SAML API?

https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#start-a-saml-v2-login-request

https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#complete-a-saml-v2-login

That should allow you to construct the SAML request exactly as you want, then complete it and log the user into FusionAuth. (The cost, of course, is that you won't be able to use the hosted login pages, which may be problematic).

@Jlintonjr
Copy link
Author

Unfortunately, that is a cost that we're not able to give up. But thank you for the suggestions!

@robotdan robotdan mentioned this issue Jun 15, 2023
Open
@brianjsw
Copy link

brianjsw commented Jun 7, 2024

I'll note that even if this was supported, my testing shows Google ignores ForceAuthN anyway. I was looking into creating a flow that causes the Google Account Chooser to be presented first, but didn't get any far due to lack of documentation on Google's site and lots of 400 Error codes when trying to provide a continue= parameter on accounts.google.com/AccountChooser.

@jobannon jobannon mentioned this issue Jan 29, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mooreds @brianjsw @mikemonaco @Jlintonjr