Closed lsleduc closed 4 years ago
That is not the expected outcome for step 6.
I suspect you may be encountering some new cookie blocking features that have been implemented in some browsers over the last few weeks. I'd suggest re-doing the test in a regular (not private) browser to see if it behaves differently. If you see the same behaviour then there may be an issue at the IDP.
Thanks, will make sure the issue is corrected so that all user sessions are logged out as expected.
Thanks
The question is around the interpretation of the second bullet point for ForceAuthn in the CATS spec.
"if ForceAuthn is used and the authentication is successful, this will reset the IDPs AuthnInstant for this principal."
The Test Case below hopefully helps with context. When ForceAuthn is used, the IDP needs to reset the user's session and set up a new session with the RP that requested the ForceAuthn for that user (based on the second bullet of the spec, which says '…this will reset the IDPs AuthnInstant for this principal.'). This is what happens in step 4. So the new session doesn't contain anything for any other RPs which the user may have logged into before. Therefore, when the user now performs a logout from the RP that had requested the ForceAuthn (this is step 5), the user is not logged out of those other RPs (this is what step 6 highlights).
Test Case:
Is this the correct outcome for step 6? If not, what would be the solution?
• Option 1: The logout in step 5 causes the other RPs to be logged out.
• Option 2: When the user completes step 4, they should be logged out of all other RPs at that time.
Thanks
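The three behaviours discussed in this thread (the outcome observed at step 6, and the two proposed options) can be made concrete with a small model of IDP session state. The following is an added illustration, not code from the project or from anyone in the thread. It assumes a constructed test case in which the user first logs into two RPs (RP-A, RP-B), then at step 4 authenticates to a third RP (RP-C) with ForceAuthn, and at step 5 logs out from RP-C; the RP names, the policy labels and the session model are all assumptions made for the example. The security-relevant point it shows is that if a ForceAuthn simply starts a fresh session that forgets the earlier RPs, a later logout has no record of them and cannot terminate those sessions.

```python
"""Toy model of IDP session state under ForceAuthn and logout propagation.

Constructed illustration (not the project's code). An IDP session records
the AuthnInstant and the set of RPs that received an assertion from it; a
logout request from one RP is propagated to every RP recorded in the session.
"""
from dataclasses import dataclass, field


@dataclass
class IdpSession:
    authn_instant: int
    participants: set = field(default_factory=set)  # RPs issued an assertion


class Idp:
    """Policy values are labels made up for this example:

    'observed' : ForceAuthn starts a fresh session that forgets earlier RPs
                 (the step 6 outcome described in the thread)
    'option1'  : ForceAuthn resets AuthnInstant but carries the RP list over,
                 so the logout in step 5 reaches the other RPs
    'option2'  : ForceAuthn immediately logs the user out of the other RPs
    """

    def __init__(self, policy="observed"):
        assert policy in ("observed", "option1", "option2")
        self.policy = policy
        self.sessions = {}      # principal -> IdpSession
        self.clock = 0          # stands in for wall-clock time
        self.logout_log = []    # (step, rp) audit trail of logout requests sent

    def authn(self, step, principal, rp, force_authn=False):
        """Authenticate principal for rp; return the session's AuthnInstant."""
        self.clock += 1
        sess = self.sessions.get(principal)
        if sess is not None and force_authn:
            others = sess.participants - {rp}
            if self.policy == "option2":
                self._send_logout(step, others)   # end other RP sessions now
                kept = set()
            elif self.policy == "option1":
                kept = set(sess.participants)     # remember them for later SLO
            else:
                kept = set()                      # fresh session, RPs forgotten
            sess = IdpSession(self.clock, kept)   # AuthnInstant is reset
            self.sessions[principal] = sess
        elif sess is None:
            sess = IdpSession(self.clock)
            self.sessions[principal] = sess
        sess.participants.add(rp)
        return sess.authn_instant

    def logout(self, step, principal, rp):
        """Logout initiated by rp; propagate to the other recorded RPs."""
        sess = self.sessions.pop(principal, None)
        if sess is None:
            return []
        others = sess.participants - {rp}
        self._send_logout(step, others)
        return sorted(others)

    def _send_logout(self, step, rps):
        for r in sorted(rps):
            self.logout_log.append((step, r))


def run_test_case(policy):
    """Constructed steps: login to RP-A, RP-B; ForceAuthn to RP-C; logout from RP-C.

    Returns the audit trail of logout requests the IDP sent to other RPs.
    """
    idp = Idp(policy)
    idp.authn("step1", "alice", "RP-A")
    idp.authn("step2", "alice", "RP-B")
    before = idp.sessions["alice"].authn_instant
    after = idp.authn("step4", "alice", "RP-C", force_authn=True)
    assert after > before, "ForceAuthn must reset AuthnInstant"
    idp.logout("step5", "alice", "RP-C")
    return idp.logout_log


if __name__ == "__main__":
    for policy in ("observed", "option1", "option2"):
        print(policy, run_test_case(policy))
```

Running it shows that under the 'observed' policy the step 5 logout sends nothing to RP-A or RP-B, so they remain logged in; 'option1' sends them logout requests at step 5, and 'option2' sends them at step 4. Whichever option is chosen, the IDP has to retain (or act on) the earlier participant list at ForceAuthn time; an IDP that discards it cannot complete the logout later.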