Correct interpretation of SAML ForceAuthn parameter

Question

The SAML standard defines the ForceAuthn attribute of <AuthnRequest> as follows:

A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met.

What I don't understand is whether ForceAuthn should only affect the service provider that's making the request, or whether it should require reauthentication globally as with single logout. What is the correct way to interpret ForceAuthn for SSO?

Answer 1

Based on the section quoted I would tend to interpret it as it is written. it does not say anything about a single logout being forced. instead it seems to indicate it is for the purposes of the AuthnRequest that includes the ForceAuthn attribute.

I would think that An AuthnRequest for one service provider should not invalidate the sessions of another service provider. The LogoutRequest is used for that.

Answer 2

ForceAuthn should only affect the service provider that's making the request

This is how I understand the ForceAuthn parameter, or more specifically only affects a specific AuthnRequest. You can have the following scenario:

1. Service Provider 1 sends an AuthnRequest with ForceAuthn = false. You need to log in. A login session is established.
2. 10 minutes later, you access a functionality that requires high security. To make sure that it's you (and is not someone else who is using your machine while you are away), the SP sends you to the Identity Provider with ForceAuthn = true to force you to log in again.
3. You then access SP2. This one sends an AuthnRequest with ForceAuthn = false. You are logged in automatically thanks to SSO.
4. Finally, you access SP3. This application, due to its security policy, requires users to always log in, so it sends an AuthnRequest with ForceAuthn = true.