Sometimes, you need to ensure that users authenticate every time they access an application, even if they have an active session. This can be useful for enhancing security or meeting compliance requirements. Here’s how to configure this behavior for both OpenID Connect (OIDC) and SAML applications.
For OIDC Apps: Use the prompt=login Parameter
OpenID Connect (OIDC) allows you to force user authentication by including the prompt=login parameter in the authorization request. This ensures the user is prompted to log in every time they access the app, regardless of their existing session.
Example: OIDC Authorization Request
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?response_type=code
&client_id=blf6xxxx-xxxx-xxxx-21cd2263xxxx
&redirect_uri=https://jwt.ms
&scope=openid profile User.Read
&prompt=login
Key Parameters Explained
- response_type=code: Specifies the authorization code flow.
- client_id: The application’s unique identifier.
- redirect_uri: The URI the user is redirected to after authentication.
- scope: Defines the permissions the app is requesting.
- prompt=login: Tells the identity provider to prompt for credentials on every request, even when the user already has a session.
For SAML Apps: Use the ForceAuthn Attribute
In SAML, you can achieve the same effect by setting the ForceAuthn attribute to true in the authentication request. This instructs the identity provider (IdP) to require the user to authenticate, even if they have an active session.
Example: SAML Authentication Request
<samlp:AuthnRequest
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="C2d2FH4oiJ5kL6mN7oPQgR9tOUvIw"
    Version="2.0"
    IssueInstant="2013-03-18T03:28:54.1839884Z"
    ForceAuthn="true">
  <!-- ForceAuthn is an attribute of AuthnRequest, not a child element -->
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
</samlp:AuthnRequest>
Key Attributes Explained
- ForceAuthn=true: Ensures the IdP requires the user to authenticate.
- Issuer: Identifies the entity making the authentication request.
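As an added example that is not from the original post, the Python below generates an AuthnRequest with ForceAuthn set correctly (as an attribute of samlp:AuthnRequest; an element called ForceAuthn is ignored by the IdP) and then checks, on the service-provider side, that the AuthnInstant in the returned assertion is not older than the request that demanded fresh authentication. The issuer is the page's https://www.contoso.com; the sample response is constructed, and the check assumes the response signature has already been verified and that timestamps are UTC.

```python
"""Build a SAML 2.0 AuthnRequest with ForceAuthn="true" and check that an IdP
response reflects a login that happened after the request was issued."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

ISSUER = "https://www.contoso.com"  # issuer from the page's example
CLOCK_SKEW = timedelta(seconds=60)  # tolerance for IdP/SP clock drift

# Constructed, minimal IdP response used only for the freshness check below
# (a real response also carries a Signature, Subject, Conditions and so on).
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
    '<saml:Assertion>'
    '<saml:AuthnStatement AuthnInstant="2013-03-18T03:29:10Z"/>'
    '</saml:Assertion></samlp:Response>'
)


def _parse_instant(ts: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC, tolerating fractional seconds."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_forced_authn_request(issue_instant: str) -> str:
    """Return AuthnRequest XML. ForceAuthn goes on the root element as an
    attribute, which is where the IdP looks for it."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "ForceAuthn": "true",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = ISSUER
    return ET.tostring(req, encoding="unicode")


def request_forces_authn(xml_text: str) -> bool:
    """True only when the root AuthnRequest carries ForceAuthn="true".
    A <ForceAuthn> child element does not count: IdPs ignore it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False
    return root.get("ForceAuthn", "false").lower() == "true"


def assertion_reflects_fresh_login(response_xml: str, request_issue_instant: str) -> bool:
    """Check that the AuthnStatement's AuthnInstant in the (assumed already
    signature-verified) response is not older than the ForceAuthn request."""
    root = ET.fromstring(response_xml)
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False  # no authentication statement: cannot prove a fresh login
    authn_at = _parse_instant(stmt.get("AuthnInstant"))
    return authn_at >= _parse_instant(request_issue_instant) - CLOCK_SKEW


if __name__ == "__main__":
    issued = "2013-03-18T03:28:54Z"
    req = build_forced_authn_request(issued)
    print(req)
    print("request forces authn:", request_forces_authn(req))
    print("response is fresh:", assertion_reflects_fresh_login(SAMPLE_RESPONSE, issued))
```

The AuthnInstant comparison is the part that makes ForceAuthn meaningful for the service provider: an IdP that honours the attribute will report an AuthnInstant later than the request's IssueInstant, while a reused session shows up as an older timestamp and is rejected.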
Why Force Authentication?
Forcing user authentication every time they access an application can be beneficial in scenarios such as:
- Enhanced Security: Prevent unauthorized access due to stale sessions.
- Compliance: Meet regulatory requirements for frequent authentication.
- Sensitive Applications: Protect apps handling critical or confidential data.
Conclusion
Whether you’re using OIDC or SAML, forcing user authentication ensures a higher level of security and control over access to your applications. Use prompt=login for OIDC apps and ForceAuthn=true for SAML apps to implement this feature effectively.