Forced authentication for service provider-initiated SSO flows

This optional feature can be adopted by developers who require that an end user be explicitly authenticated (by entering a username and password) every time the developer sends an authentication request to an AppDirect-powered marketplace. For example, to be compliant with the Health Insurance Portability and Accountability Act (HIPAA), developers may rely on forced authentication to ensure a higher degree of security for their SSO integrations.

Developers can require that a user re-authenticate by including the _prompt_ query parameter in the request sent to the authorization endpoint. If the marketplace receiving the request detects the parameter and it contains the value _login_, the user is required to re-authenticate, even if an active session is detected.

The following authorization request includes the prompt query parameter (the request is broken across lines for readability; in practice it is a single URL with the spaces in the scope value URL-encoded):

```
https://marketplace.exampletelco.com/oauth2/authorize?response_type=code
  &scope=openid profile email
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &prompt=login
  &redirect_uri=https://www.isv.com/callback
```
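The two sides of the flow described above, as an added example that is not AppDirect's code: the developer builds the forced-authentication request with proper URL encoding, and the marketplace decides from the `prompt` value whether to ignore an active session. The endpoint, client_id, state and redirect URI are the constructed values from the page's example; the decision logic generalizes to the standard OpenID Connect rule that `prompt` is a space-delimited list and `login` anywhere in it forces re-authentication.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed value mirroring the page's example marketplace.
AUTHORIZE_ENDPOINT = "https://marketplace.exampletelco.com/oauth2/authorize"


def build_forced_auth_request(client_id: str, redirect_uri: str, state: str) -> str:
    """Developer side: return the authorization URL for a request that must
    re-authenticate the end user.

    urlencode() percent-encodes the space-separated scope list and the
    redirect URI, which the readability-broken example on the page leaves raw.
    """
    params = {
        "response_type": "code",
        "scope": "openid profile email",
        "client_id": client_id,
        "state": state,             # binds the response to this request; fresh per request
        "prompt": "login",          # forces re-authentication even with a live session
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def must_reauthenticate(authorize_url: str, has_active_session: bool) -> bool:
    """Marketplace side: True when the user must enter credentials again.

    In OpenID Connect `prompt` is a space-delimited list (login, consent,
    select_account, none); `login` anywhere in it overrides an active session.
    Without it, an active session is simply reused.
    """
    query = parse_qs(urlparse(authorize_url).query)
    prompt_values = set(query.get("prompt", [""])[0].split())
    if "login" in prompt_values:
        return True
    return not has_active_session


if __name__ == "__main__":
    url = build_forced_auth_request("s6BhdRkqt3", "https://www.isv.com/callback", "af0ifjsldkj")
    print(url)
    print("re-authenticate despite active session:", must_reauthenticate(url, has_active_session=True))
```

If the marketplace's ID token carries the standard OpenID Connect `auth_time` claim (an assumption; the page does not say), the developer can confirm the re-authentication actually happened by checking that `auth_time` is later than the moment the request was sent.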