Allow "ForceAuthn" in the SAML AuthnRequest to be configurable as True or False

[vsamtani]

Currently the AuthnRequest attribute ForceAuthn is always "false". Could that be determined by a configuration directive instead?

mod_auth_mellon/auth_mellon_handler.c

Line 3017 in d5cfa39

request->ForceAuthn = FALSE;

[BriceDuchatel]

Oh yes ! It would be really good!

[thijskh]

This would of course be possible to allow someone to configure.

However I'd like to caution against using this option as it's far from a robust security measure, although it suggests it is. ForceAuthn cannot really be enforced, it's just a hint mostly. As mod_auth_mellon allows unsolicited (idp-first) SSO, there's a trivial way around this security measure in many cases if you want to.

[vsamtani]

Agreed, it's not a solid security measure. It's more about UX. There are use cases where the SP owner wants to request user-interactive authentication at the IDP, with the caveat that it could be overridden. Shibboleth permits this in configuration, but we can't swap out Shib for mod_auth_mellon in those use cases unless we can replicate the behaviour.

[thijskh]

A pull request would be welcome, I'd recommend to add a disclaimer along these lines in the documentation of the config option.

[vsamtani]

Sadly, I'm an interested user, not a developer, so I hope someone with the right skills can pick this up and make it happen.... :)

[kubik256]

Any update on this topic?
Every other SAML integration have this option :-(