
My question is very similar to: How should I be implementing the HTTP POST Protocol Binding for SAML WebSSO Profile?

But I couldn't find a proper answer in it. Is it possible to send a request via an HTTP-POST binding with IsPassive set to true? The OASIS specifications say that the IdP must not "visibly" take control of the user interface. Thus the IdP must be aware of the user somehow.

If the user is already active on a session on the SP side, how do I relay that information to the IdP and have them re-authenticate the user?

I want to verify the user, without hindering the user's flow...

anpatel

1 Answer


There are a few common ways to re-authenticate a user with IsPassive=true. For example, Integrated Windows Auth (Kerberos) and X.509 cert-based auth can both be done without visibly interfering with the user's experience.

If you combine a ForceAuthn=true and IsPassive=true in your AuthnRequest, it should force the IDP to re-authenticate the user if both conditions can be met.

Ian
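To make the exchange concrete for both the question (how the SP tells the IdP to re-check the user without showing UI) and the answer (ForceAuthn=true plus IsPassive=true in the AuthnRequest), here is an added example that is not part of the original question or answer. It builds an AuthnRequest for the HTTP-POST binding, encodes it the way that binding expects (base64 only; DEFLATE is used by HTTP-Redirect, not HTTP-POST), parses it back the way an IdP would, and then shows the decision an IdP has to make: reuse the SSO session, authenticate silently via a passive method such as Kerberos or X.509, fall back to an interactive login, or, when IsPassive forbids UI and nothing silent is available, answer with the Responder/NoPassive status the spec defines for that case. The issuer, ACS and SSO URLs, the `idp_view` dictionary describing what the IdP knows about the browser, and the method names are constructed assumptions for illustration; the XML namespaces, attribute names and status URIs are the SAML 2.0 ones.

```python
import base64
import datetime
import secrets
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces, binding and status URIs (from the OASIS spec, not invented).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, destination, is_passive=False,
                        force_authn=False, request_id=None, issue_instant=None):
    """SP side: produce the AuthnRequest XML. ID must be an xs:ID, so it starts with '_'."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": acs_url,
        # The two flags the answer talks about: re-authenticate, but never show UI.
        "IsPassive": "true" if is_passive else "false",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def encode_for_post_binding(xml_text):
    """HTTP-POST binding: the SAMLRequest form field is plain base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def parse_authn_request(saml_request_b64):
    """IdP side: decode the form field and pull out the flags that drive the flow.
    A production IdP would verify the XML signature and use a hardened parser
    (e.g. defusedxml) before trusting anything in here."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")

    def flag(name):  # xs:boolean accepts true/false/1/0
        return root.get(name, "false").strip().lower() in ("true", "1")

    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "protocol_binding": root.get("ProtocolBinding"),
        "is_passive": flag("IsPassive"),
        "force_authn": flag("ForceAuthn"),
    }


def decide_idp_action(req, idp_view):
    """What the IdP may do for this request. idp_view is a constructed summary of the
    IdP's own state for this browser: {'sso_session': bool, 'passive_methods': set()}.
    Returns (action, top_level_status, second_level_status)."""
    must_authenticate = req["force_authn"] or not idp_view["sso_session"]
    if not must_authenticate:
        return ("reuse-session", STATUS_SUCCESS, None)
    if idp_view["passive_methods"]:
        # Kerberos / X.509 can re-authenticate without taking over the UI.
        return ("auth:" + sorted(idp_view["passive_methods"])[0], STATUS_SUCCESS, None)
    if req["is_passive"]:
        # No silent method and UI is forbidden: the spec's answer is NoPassive.
        return ("no-ui-error", STATUS_RESPONDER, STATUS_NO_PASSIVE)
    return ("interactive-login", STATUS_SUCCESS, None)


if __name__ == "__main__":
    xml = build_authn_request("https://sp.example.test/metadata",
                              "https://sp.example.test/acs",
                              "https://idp.example.test/sso",
                              is_passive=True, force_authn=True)
    req = parse_authn_request(encode_for_post_binding(xml))
    print(req)
    print(decide_idp_action(req, {"sso_session": True, "passive_methods": {"kerberos"}}))
    print(decide_idp_action(req, {"sso_session": True, "passive_methods": set()}))
```

The interesting branch is the last one in `decide_idp_action`: an SP that sets both flags should expect a Responder/NoPassive response from IdPs that have no silent method for that user, and treat it as "could not re-verify", not as a failed login.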