Problem with Forced Authentication When User Identity Changes (125553)

Symptom:

A user must reauthenticate at an IdP even though they already have a session, because the SP authentication request includes the query parameter ForceAuthn=True. The user reauthenticates with credentials different from those they used to establish the original session. The IdP returns a SAML assertion, but it contains the user identity information from the original session, not from the current session.

Solution:

Federation Security Services has been modified so that the IdP compares the userDN and the user directory OID for the current and existing sessions. If the sessions are not for the same user, the IdP returns a SAML 2.0 response indicating that the authentication has failed.
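The following is an added illustration, not Federation Security Services code, of the check this fix describes: an IdP model that compares the userDN and the user directory OID of the existing session with those of the session created by the forced reauthentication, and returns a SAML 2.0 failure status when they identify different users. The `Session`, `IdpDecision` and `decide` names, the `apply_fix` switch (which reproduces the pre-fix behaviour from the Symptom section for comparison), the sample DNs and OIDs, and the exact-string comparison of DNs are all assumptions of this example; the status code URIs are the standard SAML 2.0 values.

```python
"""Hypothetical model of the IdP identity check described in the release note
(example code, not CA's implementation). It shows the reported defect, an
assertion built from the ORIGINAL session after a forced reauthentication with
different credentials, beside the corrected comparison of userDN and
user-directory OID between the existing and the current session."""
from dataclasses import dataclass
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for an IdP session: who it is for and in which directory."""
    user_dn: str
    directory_oid: str  # identifies the user directory the DN was resolved in


@dataclass(frozen=True)
class IdpDecision:
    status_codes: Tuple[str, ...]  # SAML StatusCode chain, outermost first
    subject_dn: Optional[str]      # identity the assertion would carry, if any


def same_principal(a: Session, b: Session) -> bool:
    """Two sessions belong to the same user only if BOTH the DN and the directory
    OID match: an identical DN in a different directory is a different user.
    Exact string comparison of the DN is an assumption of this example."""
    return a.user_dn == b.user_dn and a.directory_oid == b.directory_oid


def decide(existing: Optional[Session], reauth: Optional[Session],
           force_authn: bool, apply_fix: bool = True) -> IdpDecision:
    """Choose which identity (if any) the IdP asserts for an AuthnRequest."""
    def ok(s: Session) -> IdpDecision:
        return IdpDecision((STATUS_SUCCESS,), s.user_dn)
    failed = IdpDecision((STATUS_RESPONDER, STATUS_AUTHN_FAILED), None)

    # No ForceAuthn: ordinary SSO, the existing session is reused as-is.
    if not force_authn and existing is not None:
        return ok(existing)
    # ForceAuthn (or no session at all): credentials must have been presented.
    if reauth is None:
        return failed
    if existing is None:
        return ok(reauth)
    # Defect from the Symptom section: the assertion is built from the original
    # session even though someone else just authenticated.
    if not apply_fix:
        return ok(existing)
    # Corrected behaviour: assert the reauthenticated identity only when it is
    # the same user; otherwise answer with an authentication-failed status.
    return ok(reauth) if same_principal(existing, reauth) else failed


def render_status(decision: IdpDecision) -> str:
    """Render the <samlp:Status> element the Response would carry."""
    ET.register_namespace("samlp", SAMLP_NS)
    status = ET.Element(f"{{{SAMLP_NS}}}Status")
    parent = status
    for code in decision.status_codes:  # nested StatusCode elements, outer to inner
        parent = ET.SubElement(parent, f"{{{SAMLP_NS}}}StatusCode", Value=code)
    return ET.tostring(status, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample identities.
    alice = Session("uid=alice,ou=people,dc=example,dc=com", "oid-dir-1")
    bob = Session("uid=bob,ou=people,dc=example,dc=com", "oid-dir-1")
    print("pre-fix :", decide(alice, bob, force_authn=True, apply_fix=False))
    print("fixed   :", decide(alice, bob, force_authn=True))
    print(render_status(decide(alice, bob, force_authn=True)))
```

Run it directly to see the pre-fix decision (subject `alice` although `bob` just authenticated) next to the corrected one (no subject, `Responder`/`AuthnFailed` status). The directory OID is compared as well as the DN because two directories can hold the same DN for different people; a comparison on the DN alone would let such a session pass the check.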

STAR Issue: 19742014