forceauthn question

Hi,

SP is including forceauthn=true in request to NAM IDP, no problem that works as expected when NAM is doing the authentication using local contracts.

But customer also using external IDP configured for authentication and then forceauth first works in the sense that NAM is forcing users to select a authetication method.

But if users already is authenticated to external IDP the will get SSO there even if forceauthn was true in initial authnrequest.

I understand that I can enable forceauthn in external IDP configuration, but that will remove sso from all SP using that external IDP and there is only a few that don't want sso to happen.

Is there a way to configure NAM to add forceauthn=true if that is included in initial request?

/Lennart

  • 0  

    Hi Lennart!

    I actually don't know how to solve your problem, but would like to warn you regarding a bug/security issue that we have discovered when service providers (or OIDC clients) are using forcedAuthn and users are authenticating at external IDP.

    Note: we have forcedauthn set on external IDP, so this is not same issue as yours, but maybe this info can save you some gray hair.

    Hypothetical situation:

    • User A needs access to AM and authenticates (regardless how - local or external IDP)

    Then imagine that User B comes to this computer and User A has not properly logged out/closed the browser (this customer is using shared computers).

    1. User B tries to access Service provider with forcedauthn enabled
    2. User B is redirected to Access Manager login page, where selects authentication with external IDP
    3. User B is redirected to External IDP where successfully authenticates
    4. User B is redirected back to AM with SAML token from external IDP
    5. AM generates token for Service Provider, but this token is for User A
    6. User A is logged in to Service provider

    You can imagine a confusion since forcedauthn is normally used as a security measure to be absolutely sure that correct user is logging in.

    Looking at debug traces, it looks like error happens in step 4 where AM gets SAML token from external IDP and just decides that "user is logged in" and does not even try to do a matching to determine that wrong user is logged in.

    Please note that this does not happen if User B authenticates with local authentication.

    Kind regards,

    Sebastijan

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hello Sebastijan,

    that we actually seen in real life at one of our customers. We raised a SR for that, I don't really recall how it was solved, will see if I can find something in my archives

    /Lennart

  • 0   in reply to 

    I would appreciate any information you have Blush

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button