Description
Problem
There are times when I am needing FusionAuth to not retain the SSO session for a SAML login.
Solution
The ForceAuthn parameter should allow for me to prevent the user from relying on any previous session state.
doc reference from saml core v 2.0
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Alternatives/workarounds
Do not use FusionAuth SSO sessions in the tenant (set the TTL to 0). In this manner, SPs will not be able to pick up any previous state related to a user's session in FusionAuth.
Additional context
Customer request - https://fusionauth.zendesk.com/agent/tickets/77731
Related ask to propagate this attribute to federated logins as well
This basically feels like the SAML version of the OIDC prompt parameter -
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
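
The behaviour requested above, sketched from the IdP side as an added example (not part of the issue and not FusionAuth code): SAML core 2.0 says that when ForceAuthn is true the identity provider must authenticate the presenter directly rather than rely on a previous security context. The function names, return values and sample request are assumptions made for illustration; signature validation is omitted, and a real IdP would parse untrusted XML with a hardened parser.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest; the ID and URL are placeholders.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    ID="_constructed-example" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true"
    AssertionConsumerServiceURL="https://sp.example.com/acs"/>"""


def xs_boolean(value, default=False):
    """Parse an xs:boolean attribute; valid lexical forms are true/false/1/0."""
    if value is None:
        return default
    v = value.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    # Reject anything else instead of silently treating it as false.
    raise ValueError(f"invalid xs:boolean: {value!r}")


def login_decision(authn_request_xml, has_sso_session):
    """Return 'reuse_session', 'authenticate' or 'no_passive' (hypothetical labels)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    force = xs_boolean(root.get("ForceAuthn"))    # optional, defaults to false
    passive = xs_boolean(root.get("IsPassive"))   # optional, defaults to false
    if force:
        # The existing SSO session must not be relied on. If IsPassive is also
        # true no user interaction is allowed, so this sketch fails the request.
        return "no_passive" if passive else "authenticate"
    if has_sso_session:
        return "reuse_session"
    return "no_passive" if passive else "authenticate"


if __name__ == "__main__":
    print(login_decision(SAMPLE_REQUEST, has_sso_session=True))
```
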