FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io
89 stars 12 forks

Ability to add `ForceAuthn` property to a SAML V2 request #1736

Open Jlintonjr opened 2 years ago

Jlintonjr commented 2 years ago

Ability to add ForceAuthn property to a SAML V2 request

Problem

When a user authenticates through SAML V2 (particularly with Google), and the user selects an account to authenticate with, that selection is cached, and any subsequent authentications will not allow the user to be able to select which account they need to authenticate with.

Solution

Including the ForceAuthn property in the SAML request will allow the user to be able to choose which account they want to authenticate with each time they

Alternatives/workarounds

We have not been able to determine any current workarounds

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Additional context

First surfaced here: https://fusionauth.io/community/forum/topic/2070/is-there-a-way-to-add-the-forceauthn-property-to-a-saml-v2-request

3.4.1 Element <AuthnRequest>

ForceAuthn [Optional] A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met.

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
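As an added illustration of the spec text quoted above (this is example code written for this thread, not FusionAuth's code or its SAML API), the block below builds a minimal SAML 2.0 AuthnRequest on the service-provider side, sets `ForceAuthn="true"` when asked, refuses the combination the spec forbids (`ForceAuthn` and `IsPassive` both true), and reads the flags back out of a request so a defender can check what is actually being sent. The issuer, ACS and destination URLs are placeholders; the HTTP-Redirect encoding (raw DEFLATE then base64) is the standard binding, shown so the encoded `SAMLRequest` query value can be decoded and inspected in a log or proxy capture.

```python
"""Build and inspect a minimal SAML 2.0 AuthnRequest carrying ForceAuthn.

Added example for this issue thread; not FusionAuth code. URLs and IDs are
constructed placeholders.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(issuer, acs_url, destination, force_authn=False,
                        is_passive=False, request_id=None, issue_instant=None):
    """Return the AuthnRequest XML as a string.

    SAML core 3.4.1: ForceAuthn defaults to "false"; if ForceAuthn and
    IsPassive are both "true" the IdP must not freshly authenticate, so we
    reject that combination here instead of emitting a contradictory request.
    """
    if force_authn and is_passive:
        raise ValueError("ForceAuthn and IsPassive must not both be true (SAML core 3.4.1)")
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest")
    req.set("ID", request_id or "_" + uuid.uuid4().hex)  # must start with a letter or underscore
    req.set("Version", "2.0")
    req.set("IssueInstant", issue_instant or
            datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    req.set("Destination", destination)
    req.set("AssertionConsumerServiceURL", acs_url)
    req.set("ProtocolBinding", HTTP_POST_BINDING)
    if force_authn:
        req.set("ForceAuthn", "true")  # ask the IdP to re-authenticate, ignoring its session
    if is_passive:
        req.set("IsPassive", "true")
    issuer_el = ET.SubElement(req, f"{{{NS_SAML}}}Issuer")
    issuer_el.text = issuer
    return ET.tostring(req, encoding="unicode")


def encode_for_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_from_redirect(encoded):
    """Inverse of encode_for_redirect; useful for inspecting a captured SAMLRequest."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def inspect_authn_request(xml_text):
    """Report the ForceAuthn / IsPassive flags and Issuer of an AuthnRequest.

    XML Schema booleans accept "true"/"1" as true; anything else, or an absent
    attribute, is treated as the spec default "false".
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")

    def flag(name):
        return root.get(name, "false").strip().lower() in ("true", "1")

    return {
        "force_authn": flag("ForceAuthn"),
        "is_passive": flag("IsPassive"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
    }


if __name__ == "__main__":
    xml_text = build_authn_request(
        issuer="https://sp.example.test/saml",          # placeholder SP entity ID
        acs_url="https://sp.example.test/acs",           # placeholder ACS URL
        destination="https://idp.example.test/sso",      # placeholder IdP SSO URL
        force_authn=True,
    )
    print(xml_text)
    encoded = encode_for_redirect(xml_text)
    print(inspect_authn_request(decode_from_redirect(encoded)))
```

Sending `ForceAuthn="true"` only expresses the SP's requirement; whether the IdP honours it is up to the IdP, so the decode-and-inspect path is the useful part when verifying what a deployment emits, and the IdP's behaviour still has to be confirmed from its side.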

mikemonaco commented 1 year ago

@Jlintonjr were you able to find a workaround for this?

Jlintonjr commented 1 year ago

Hi @mikemonaco. No, we have not been able to find a workaround.

mooreds commented 1 year ago

@Jlintonjr @mikemonaco have you considered using the SAML API?

https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#start-a-saml-v2-login-request

https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#complete-a-saml-v2-login

That should allow you to construct the SAML request exactly as you want, then complete it and log the user into FusionAuth. (The cost, of course, is that you won't be able to use the hosted login pages, which may be problematic).

Jlintonjr commented 1 year ago

Unfortunately, that is a cost that we're not able to give up. But thank you for the suggestions!

brianjsw commented 3 months ago

I'll note that even if this was supported, my testing shows Google ignores ForceAuthn anyway. I was looking into creating a flow that causes the Google Account Chooser to be presented first, but didn't get very far due to lack of documentation on Google's site and lots of 400 error codes when trying to provide a continue= parameter on accounts.google.com/AccountChooser.