
Forced authentication for service provider-initiated SSO flows

Developers can modify the SSO integration for their application to always require users to re-authenticate during service provider-initiated SSO flows.

This optional feature can be adopted by Developers who require that an end user be explicitly authenticated (by entering a username and password) every time the Developer sends an authentication request to an AppDirect-powered marketplace. For example, to be compliant with the Health Insurance Portability and Accountability Act (HIPAA), Developers may rely on forced authentication to ensure a higher degree of security for their SSO integrations.

Developers can choose to require that a user re-authenticate by adding the “ForceAuthn” attribute (set to true) to their SAML authentication request. If the marketplace receiving the request detects this attribute, the user is required to re-authenticate, even if an active session is detected.

The following is an example of the ForceAuthn element included in a SAML authentication request:

```xml
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="oopigolkmdiookacmlnlijnlebchconennneigadg"
    Version="2.0"
    IssueInstant="2017-11-09T19:11:19Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="example.com"
    IsPassive="false"
    AssertionConsumerServiceURL="http://www.example.com/saml/acs"
    ForceAuthn="true">
    ...
</samlp:AuthnRequest>
```
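To show both sides of the exchange described above, here is an added Python example (not AppDirect's own code or SDK) that builds a minimal SP-initiated AuthnRequest with the ForceAuthn attribute and then applies the identity-provider-side rule the page states: re-authenticate when no session exists or when ForceAuthn is true. The issuer and ACS URL values are constructed placeholders, and the function names are this example's own.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, force_authn=True, is_passive=False, issue_instant=None):
    """Service-provider side: build an AuthnRequest; ForceAuthn is an attribute of the root element."""
    if force_authn and is_passive:
        # SAML Core forbids a fresh authentication that must also be passive; refuse the combination
        raise ValueError("ForceAuthn and IsPassive cannot both be true")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest")
    req.set("ID", "_" + uuid.uuid4().hex)  # must be an NCName: start with a letter or underscore
    req.set("Version", "2.0")
    when = issue_instant or datetime.now(timezone.utc)
    req.set("IssueInstant", when.strftime("%Y-%m-%dT%H:%M:%SZ"))
    req.set("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
    req.set("AssertionConsumerServiceURL", acs_url)
    req.set("IsPassive", "true" if is_passive else "false")
    if force_authn:
        req.set("ForceAuthn", "true")  # the attribute this page is about
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def parse_force_authn(xml_text):
    """Identity-provider side: read the ForceAuthn flag; absent means false per the SAML schema."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    # xs:boolean accepts "true" and "1"; anything else (including a missing attribute) is false
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def must_reauthenticate(xml_text, session_active):
    """The marketplace's decision rule: prompt for credentials when there is no session,
    or when the request carries ForceAuthn="true" even though a session exists."""
    return (not session_active) or parse_force_authn(xml_text)


if __name__ == "__main__":
    # constructed sample values, not a real deployment
    req = build_authn_request("https://sp.example.test/metadata", "https://sp.example.test/saml/acs")
    print(req)
    print("re-auth with active session:", must_reauthenticate(req, session_active=True))
```

The decision in `must_reauthenticate` is the behaviour the page describes: an active session alone is no longer sufficient once the request asks for forced authentication. The builder refuses ForceAuthn together with IsPassive, since a passive request cannot satisfy a demand for fresh credentials.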
