Federation Manager Guide › Federation Partnerships › Web Links to Initiate Single Sign-on › IdP-initiated SSO (SAML 2.0 Artifact or POST) › ForceAuthn and IsPassive Processing at the IdP

ForceAuthn and IsPassive Processing at the IdP

If single sign-on is initiated by a Service Provider, that Service Provider may include a ForceAuthn or IsPassive query parameter in an AuthnRequest message.

Note: Federation Manager Identity Providers do not support the IsPassive query parameter; however, the IsPassive parameter may be included in an AuthnRequest message sent by a third-party Service Provider.

When a Service Provider includes ForceAuthn or IsPassive in the AuthnRequest, a Federation Manager Identity Provider handles these query parameters as follows:

ForceAuthn Handling

When a Service Provider includes ForceAuthn=True in the AuthnRequest message, a Federation Manager Identity Provider challenges the user for their credentials, regardless of whether or not a Federation Manager session exists. If the user successfully authenticates, a session is established.

IsPassive Handling

When a Service Provider includes IsPassive in the AuthnRequest and it cannot be honored by the Identity Provider, one of the following SAML responses is sent back to the Service Provider:

• If IsPassive=True in the AuthnRequest message and there is no Federation Manager session, a Federation Manager Identity Provider returns a SAML response that includes an error message because Federation Manager requires a session.
• If IsPassive=True in the AuthnRequest message and there is a Federation Manager session, the Federation Manager Identity Provider returns the assertion.
• If IsPassive and ForceAuthn are in the AuthnRequest message and both are set to True, the Federation Manager Identity Provider returns an error because this is an invalid request. IsPassive and ForceAuthn are mutually exclusive.