Ability to add `ForceAuthn` property to a SAML V2 request

[Jlintonjr]

Ability to add ForceAuthn property to a SAML V2 request

Problem

When a user authenticates through SAML V2 (particularly with Google), and the user selects an account to authenticate with, that selection is cached, and any subsequent authentications will not allow the user to be able to select which account they need to authenticate with.

Solution

Including the ForceAuthn property in the SAML request will allow the user to be able to choose which account they want to authenticate with each time they

Alternatives/workarounds

We have not been able to determine any current workarounds

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Additional context

First surfaced here: https://fusionauth.io/community/forum/topic/2070/is-there-a-way-to-add-the-forceauthn-property-to-a-saml-v2-request

3.4.1 Element

ForceAuthn [Optional]
A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than
rely on a previous security context. If a value is not provided, the default is "false". However, if both
ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the
presenter unless the constraints of IsPassive can be met.

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Related -

• Support ForceAuthn attribute when FusionAuth is the IdP via SAML v2.0 #2989

[mikemonaco]

@Jlintonjr were you able to find a workaround for this?

[Jlintonjr]

Hi @mikemonaco. No, we have not been able to find a workaround.

[mooreds]

@Jlintonjr @mikemonaco have you considered using the SAML API?

https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#start-a-saml-v2-login-request

https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#complete-a-saml-v2-login

That should allow you to construct the SAML request exactly as you want, then complete it and log the user into FusionAuth. (The cost, of course, is that you won't be able to use the hosted login pages, which may be problematic).

[Jlintonjr]

Unfortunately, that is a cost that we're not able to give up. But thank you for the suggestions!

[brianjsw]

I'll note that even if this was supported, my testing shows Google ignores ForceAuthN anyway. I was looking into creating a flow that causes the Google Account Chooser to be presented first, but didn't get any far due to lack of documentation on Google's site and lots of 400 Error codes when trying to provide a continue= parameter on accounts.google.com/AccountChooser.

[robotdan]

This is code complete, and coming shortly!

[robotdan]

Will be delivered via #2989.