How to enable ForceAuthn=true in a SAML request (SP initiated)

Hi there,
I am using OpenAM 6.5.5. How do I enable ForceAuthn="true"? By default it is coming as false, and I also want to have IsPassive="true" in the SAML request. See the sample request below for your reference.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://iamsp.example.com:8991/am655sp/Consumer/metaAlias/sp"
Destination="http://iam.example.com:8991/am655/SSOPOST/metaAlias/testAdv/idp"
ForceAuthn="false"
ID="s285388f0ddb35ee14182a569312c7109153b23474"
IsPassive="false"
IssueInstant="2022-09-08T00:16:27Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
</samlp:AuthnRequest>

thanks

Can you provide more details on how you are starting/setting the request? Is there a sample of the SP-init URL you started with, or how are you trying to set this by default?

There was a Jira around ForceAuth and SAML; this was fixed in 6.5.3, so this should work.

This did rely on a new Advanced property, org.forgerock.openam.saml2.authenticatorlookup.skewAllowance, which defaults to 60 seconds.

But this wouldn't have changed ForceAuthn=true or false; this affected more the removal of any existing sessions to ensure the user is prompted.

It depends on how you initiate SAML authn at your hosted SP. If using the spssoinit endpoint or spSSOInit.jsp, then you can use the ForceAuthn and isPassive request parameters to control the contents of the SAML authentication request.
When using the SAML2 module/node, usually the module/node will have a setting for these sorts of things. If memory serves, passive authentication does not work with the node though.

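As an added example (not code from the thread or from AM itself), the following Python builds the spSSOInit.jsp URL with the ForceAuthn and isPassive parameters named above, percent-encoding the IdP entity ID so its own URL characters cannot be mistaken for the SP's query string, and then decodes a constructed POST-binding SAMLRequest to confirm which flags actually went out. The function names and the sample request are my own assumptions, not AM APIs.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_sp_init_url(sp_base, meta_alias, idp_entity_id, binding="HTTP-POST",
                      force_authn=False, is_passive=False, authn_context=None):
    """Build the spSSOInit.jsp URL. urlencode() percent-encodes the entity ID,
    so the IdP's own '://' and any '?' stay inside the idpEntityID value."""
    params = {"metaAlias": meta_alias, "binding": binding, "idpEntityID": idp_entity_id}
    if force_authn:
        params["ForceAuthn"] = "true"
    if is_passive:
        params["isPassive"] = "true"
    if authn_context:
        params["authnContextClassRef"] = authn_context
    return f"{sp_base}/saml2/jsp/spSSOInit.jsp?{urlencode(params)}"


def inspect_authn_request(saml_request_b64):
    """Decode a POST-binding SAMLRequest (base64 of the plain XML, no deflate)
    and report the flags. Per SAML core, both attributes default to false."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    force = root.get("ForceAuthn", "false") == "true"
    passive = root.get("IsPassive", "false") == "true"
    ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return {"ForceAuthn": force, "IsPassive": passive,
            "AuthnContextClassRef": ctx.text if ctx is not None else None,
            # SAML core 3.4.1: with both set, the IdP may only re-authenticate
            # without user interaction, so expect NoPassive status responses.
            "conflicting_flags": force and passive}


# Constructed sample AuthnRequest, base64-encoded as the POST binding carries it.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_sample" '
    'Version="2.0" IssueInstant="2022-09-08T00:16:27Z" ForceAuthn="true" IsPassive="true">'
    '<saml:Issuer>http://iamsp.example.com:8991/am655sp</saml:Issuer>'
    '<samlp:RequestedAuthnContext><saml:AuthnContextClassRef>'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession'
    '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>'
)
SAMPLE_REQUEST_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Capture the SAMLRequest form field from the browser after hitting the generated URL and feed it to inspect_authn_request to see whether the flags you asked for survived.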

Hi William, thanks for reverting back. Below is the sample URL:
http://iamsp.example.com:8991/am655sp/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&binding=HTTP-POST&idpEntityID=http://iam.example.com:8991/am655

So, like Peter pointed out, if you're using http://iamsp.example.com:8991/am655sp/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&binding=HTTP-POST&idpEntityID=http://iam.example.com:8991/am655

This is a query parameter (see https://backstage.forgerock.com/docs/am/7.2/saml2-guide/saml2-standalone-mode.html), so you would need to add the query parameters like the following:

http://iamsp.example.com:8991/am655sp/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&binding=HTTP-POST&idpEntityID=http://iam.example.com:8991/am655?ForceAuth=true

Thanks for the info.
I want to have the previous session as well in the query parameter; is the formatting below correct?
FYI: upon the previous session, I will have a different authentication tree service mapped at the IdP assertion context.
http://sp.com:8991/am655sp/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&binding=HTTP-POST&idpEntityID=http://iam.example.com:8991/am655?ForceAuth=true&IsPassive=true&authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession.

Hi Experts,
Any update on it? Let me know if you got any questions.

That looks correct. Did you try that and get any different results?