When Does SAML Honor Force Authentication Apply
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article describes the function of the "Honor Force Authentication" setting in a Security Assertion Markup Language (SAML) application and walks through how to configure it.

Applies To
  • Custom SAML application
  • Honor Force Authentication
  • Security Assertion Markup Language (SAML)
Cause

The need to honor ForceAuthn arises when a Service Provider requires users to re-authenticate for a particular login, for example before a sensitive action, even though they already hold an active Okta session.

Solution

In SAML, the ForceAuthn attribute of the AuthnRequest tells the Identity Provider (IdP) to authenticate the user again even if the user already has an active session with the IdP. The attribute is sent by the Service Provider (SP) in an SP-initiated login flow; in an IdP-initiated flow there is no AuthnRequest, so ForceAuthn cannot be requested and the setting described here has no effect.

When ForceAuthn is set to true, the IdP is expected to prompt the user for credentials regardless of any existing session. When the attribute is false or absent, the IdP may reuse the existing session and issue an assertion without prompting the user to log in again. "Honor Force Authentication" determines whether Okta enforces ForceAuthn="true" or ignores it. Because an SP cannot see how the setting is configured, an SP that depends on fresh authentication should also check the AuthnInstant of the returned AuthnStatement against the time it issued the request.

To configure Honor Force Authentication, please follow the steps below: 

  1. Navigate to Applications > Applications
  2. Click on the <Custom SAML App name>. 
  3. Go to the General tab > SAML Settings > click Edit.
  4. Click on Show Advanced Settings under the SAML Settings > scroll down to Honor Force Authentication.
  5. Select Yes to require users to authenticate even if they have an active session, or select No to ignore the ForceAuthn attribute, permitting the use of an existing session.

[Screenshot: SAML Settings]
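The following is an added example, not code from Okta or from this article. It shows both sides of the behaviour described above: the SP-initiated AuthnRequest carrying ForceAuthn="true", and the SP-side check that tells whether the IdP actually re-authenticated the user or (with Honor Force Authentication set to No) reused an older session. Entity IDs, URLs, timestamps and the sample SAML Response are constructed for illustration; the sample response is unsigned, and in real code the signature must be validated before any of its contents are trusted.

```python
"""Added example (not Okta's code): build an SP-initiated SAML AuthnRequest that
asks for forced re-authentication, then check on the SP side whether the IdP
actually re-authenticated the user. Entity IDs, URLs and the sample response
are constructed for illustration."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, issue_instant, force_authn=True):
    """Return the AuthnRequest XML. ForceAuthn is a boolean attribute of the
    AuthnRequest element; it defaults to false, so it is only emitted when requested."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime(SAML_TIME),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def authn_is_fresh(response_xml, request_issue_instant, skew=timedelta(seconds=60)):
    """True only if the IdP authenticated the user at or after the request was
    issued (allowing for clock skew). An IdP that ignored ForceAuthn reuses an
    older session, so the AuthnInstant it reports predates the request.
    Signature validation is assumed to have happened before this check."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False
    authn_instant = parse_saml_instant(stmt.get("AuthnInstant"))
    return authn_instant >= request_issue_instant - skew


def sample_response(authn_instant):
    """Constructed, unsigned SAML Response carrying the given AuthnInstant."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z" InResponseTo="_req1">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_a1"/>
  </saml:Assertion>
</samlp:Response>"""


# Hypothetical moment at which the SP issued its ForceAuthn request.
REQUEST_TIME = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def demo():
    """Run both outcomes: the IdP honored ForceAuthn (fresh AuthnInstant) and
    the IdP ignored it (AuthnInstant from a session opened half an hour earlier)."""
    request = build_authn_request("https://sp.example.com/saml", "https://sp.example.com/saml/acs",
                                  "https://idp.example.com/sso/saml", REQUEST_TIME)
    honored = sample_response("2024-05-01T12:00:04Z")
    ignored = sample_response("2024-05-01T11:30:00.000Z")
    return {
        "request_has_force_authn": 'ForceAuthn="true"' in request,
        "honored_is_fresh": authn_is_fresh(honored, REQUEST_TIME),
        "ignored_is_fresh": authn_is_fresh(ignored, REQUEST_TIME),
    }


if __name__ == "__main__":
    print(demo())
```

The freshness check is what makes the Okta setting observable from the SP: when Honor Force Authentication is Yes, the AuthnInstant in the returned assertion is at or after the request's IssueInstant; when it is No and the user already had a session, the AuthnInstant reflects when that session was originally established. The skew allowance should be kept small, since a generous window defeats the purpose of forcing re-authentication.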
