IBM Security Verify

Forward requirement for forced authentication to SAML/OIDC identity source

Both OIDC and SAML provide mechanisms for the Relying Party/Service Provider to require that the IdP perform an authentication - even if the user already has a session. This is used to force reauthentication.

When IBM Security Verify is acting as a broker (it receives a login request and forwards it to an Identity Source for login), it needs to forward this requirement for reauthentication if one was received.

  • Guest
  • Jul 23 2021
  • Delivered
  • Guest commented
    2 Aug, 2021 02:01pm

    The requirement is to force-authenticate the user again against the external SAML IDP even if the user has a valid session and has already been authenticated against the IDP earlier. This can be achieved by sending the ForceAuthn="true" flag in the SAML authentication request to the external IDP. Along with the request, a RelayState parameter needs to be passed to the external IDP with the URL to redirect the user to after successful authentication.

    A sample SAML authentication request with the ForceAuthn="true" flag is provided below.

    <AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
                  ForceAuthn="true"
                  Destination="https://federation.exostartest.com/idp/SSO.saml2"
                  ID="_ca0e0d20c54a769cca15f13ccfbd2078f537"
                  IssueInstant="2021-08-02T11:50:04Z"
                  Version="2.0">
      <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">SIPTESTCORE</ns1:Issuer>
    </AuthnRequest>
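The forwarding described in the idea and in the comment above, as an added worked example: a minimal broker that reads the "force re-authentication" signal from an inbound request and carries it into the request it sends to the upstream identity source. For SAML that signal is ForceAuthn="true" on the AuthnRequest; for OIDC it is prompt=login (or max_age=0, which makes any existing session too old). This is example code written for this page, not IBM Security Verify code or code from the original post; the issuer, client, URLs and the sample inbound requests are constructed placeholders.

```python
# Added example (not IBM's code or part of the original idea): a broker that
# propagates a forced-authentication requirement from an inbound SAML or OIDC
# request to the request it sends upstream. All names and URLs are hypothetical.
import secrets
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse with defusedxml instead
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def saml_request_forces_authn(authn_request_xml: str) -> bool:
    """True if a SAML 2.0 AuthnRequest carries ForceAuthn="true" (xs:boolean also allows "1")."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def oidc_request_forces_authn(query_string: str) -> bool:
    """True if an OIDC authorization request demands fresh authentication:
    prompt contains "login", or max_age=0 (no existing session is recent enough)."""
    params = urllib.parse.parse_qs(query_string)
    prompts = {p for value in params.get("prompt", []) for p in value.split()}
    if "login" in prompts:
        return True
    max_age = params.get("max_age", [""])[0]
    return max_age.isdigit() and int(max_age) == 0


def build_saml_authn_request(issuer: str, destination: str, force_authn: bool) -> str:
    """Outbound AuthnRequest for the upstream SAML IdP; ForceAuthn is set only when required."""
    attrs = {
        "ID": "_" + secrets.token_hex(20),  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def build_oidc_authz_query(client_id: str, redirect_uri: str, force_authn: bool, state: str) -> str:
    """Outbound authorization request for an upstream OIDC OP; prompt=login only when required."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    if force_authn:
        params["prompt"] = "login"
    return urllib.parse.urlencode(params)


def broker_forward(inbound_kind: str, inbound: str, upstream_kind: str, relay_state: str) -> dict:
    """Read the re-authentication demand from the inbound request and build the
    upstream request with the same demand. relay_state is the value the upstream
    IdP echoes back (SAML RelayState / OIDC state) so the broker can resume the
    original flow after the user returns."""
    if inbound_kind == "saml":
        force = saml_request_forces_authn(inbound)
    elif inbound_kind == "oidc":
        force = oidc_request_forces_authn(inbound)
    else:
        raise ValueError(f"unknown inbound protocol {inbound_kind!r}")
    if upstream_kind == "saml":
        xml = build_saml_authn_request("broker-example", "https://idp.example.test/idp/SSO.saml2", force)
        return {"SAMLRequest": xml, "RelayState": relay_state}
    if upstream_kind == "oidc":
        query = build_oidc_authz_query("broker-client", "https://broker.example.test/callback", force, relay_state)
        return {"query": query}
    raise ValueError(f"unknown upstream protocol {upstream_kind!r}")


# Constructed inbound requests for the example (not captured from any real deployment).
INBOUND_SAML_FORCED = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ForceAuthn="true" '
    'ID="_example1" Version="2.0" IssueInstant="2021-08-02T11:50:04Z">'
    "<saml:Issuer>downstream-sp</saml:Issuer></samlp:AuthnRequest>"
)
INBOUND_SAML_PLAIN = INBOUND_SAML_FORCED.replace(' ForceAuthn="true"', "")
INBOUND_OIDC_FORCED = ("response_type=code&client_id=app&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb"
                       "&scope=openid&prompt=login")
INBOUND_OIDC_PLAIN = INBOUND_OIDC_FORCED.replace("&prompt=login", "")

if __name__ == "__main__":
    out = broker_forward("oidc", INBOUND_OIDC_FORCED, "saml", "https://app.example.test/resume")
    print(out["SAMLRequest"])  # the upstream AuthnRequest now carries ForceAuthn="true"
```

The same two predicates that classify the inbound request are used to check the outbound one, which is the property a broker has to preserve: whatever demanded fresh authentication on the way in must still demand it on the way out, and a request that did not must not gain it.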
