asked to reauthenticate with the same IDP - Spring SAML
@vschafer
I have a scenario where my application acts as one of the service providers. My application interacts with another service provider as well to get access. But both service providers are communicating with the same IDP for authentication.
I believe the user should not be allowed to authenticate again forcefully. Please let me know if my understanding of this is correct or not.
Moreover, does forceAuthn have a role to play in this scenario?
All of this should not be in any way related to your application or Spring SAML. Once you redirect the user to the second application (step 4), it is its responsibility to interact with the IDP (send its own AuthnRequest and receive a Response) and there's nothing you can do about it anymore.
It is possible that the second application is setting the forceAuthn flag when sending the AuthnRequest to the IDP, forcing the IDP to re-authenticate your user. It could also be related to some setting on the IDP side, or perhaps some cookie problems. You should communicate with the IDP's owners and ask them to troubleshoot why the user is asked for re-authentication (for example by examining their logs) instead of being single signed-on.
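As an added example (not part of the original answer, and not Spring SAML code), the following Python script shows how to verify the first possibility the answer raises: whether the AuthnRequest the second service provider sends to the IDP carries ForceAuthn="true". It decodes a SAMLRequest query parameter as sent over the SAML 2.0 HTTP-Redirect binding (URL-decode, base64-decode, raw DEFLATE inflate) and reads the ForceAuthn and IsPassive attributes. The AuthnRequest messages it builds are constructed samples with hypothetical issuer entity IDs, not captured traffic.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer: str,
                        force_authn: Optional[bool] = None,
                        is_passive: Optional[bool] = None) -> str:
    """Constructed sample AuthnRequest (hypothetical issuer, fixed ID/time).

    ForceAuthn and IsPassive are optional attributes in SAML 2.0 core;
    they are omitted when None, which a relying IDP treats as "false".
    """
    extra = ""
    if force_authn is not None:
        extra += f' ForceAuthn="{str(force_authn).lower()}"'
    if is_passive is not None:
        extra += f' IsPassive="{str(is_passive).lower()}"'
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed-request-1" Version="2.0" '
        f'IssueInstant="2020-01-01T00:00:00Z"{extra}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text: str) -> str:
    """Encode XML as the SAMLRequest query value of the HTTP-Redirect binding:
    raw DEFLATE (no zlib header), then base64, then URL-encoding."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(query_value: str) -> str:
    """Reverse of encode_redirect_binding: take the SAMLRequest value as it
    appears in the redirect URL and return the AuthnRequest XML."""
    raw = base64.b64decode(urllib.parse.unquote(query_value))
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def inspect_authn_request(xml_text: str) -> dict:
    """Return the issuer and the ForceAuthn / IsPassive flags of an AuthnRequest.

    XML Schema booleans allow "true"/"false" and "1"/"0"; an absent attribute
    counts as false, so a missing ForceAuthn means the SP did NOT ask for
    re-authentication and the cause lies elsewhere (IDP settings, cookies).
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")

    def flag(name: str) -> bool:
        return root.get(name, "false").strip().lower() in ("true", "1")

    issuer_el = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer_el.text if issuer_el is not None else None,
        "force_authn": flag("ForceAuthn"),
        "is_passive": flag("IsPassive"),
    }


if __name__ == "__main__":
    # Two constructed SPs: sp1 relies on SSO, sp2 forces a fresh login.
    samples = [("https://sp1.example/metadata", None),
               ("https://sp2.example/metadata", True)]
    for issuer, force in samples:
        param = encode_redirect_binding(build_authn_request(issuer, force_authn=force))
        print(inspect_authn_request(decode_redirect_binding(param)))
```

To use this on a real flow, copy the SAMLRequest value from the URL the second application redirects the browser to (address bar or the browser's network tab) and pass it to decode_redirect_binding; if the message came over the HTTP-POST binding instead, it is base64 only, so skip the inflate step. When ForceAuthn is absent or false, the re-authentication is not requested by the SP and, as the answer says, the IDP owners' logs are the next place to look.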