...
To implement this, the target application (SAML SP) must set the SAML 2.0 ForceAuthn and OneTimeUse options in the authentication request (AuthnRequest). The same result can be achieved through the corresponding agent application settings, regardless of the agent application type (see the following picture).
ForceAuthn ensures that the user is prompted to authenticate again even if they have an existing session which meets all other request requirements. Any existing SSO session is ignored.
OneTimeUse ensures that the newly generated IDP session cannot be used for access to any subsequent SP.
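As an added example (not Ubisecure or Ubilogin code), the snippet below builds a SAML 2.0 AuthnRequest that carries both settings and then checks an incoming request for them. ForceAuthn is an attribute of the AuthnRequest itself, while OneTimeUse is a condition the SP places under the request's saml:Conditions to limit how the resulting assertion and IDP session may be used. The issuer and destination URLs are constructed placeholders.

```python
"""Added example (not Ubisecure code): build a SAML 2.0 AuthnRequest that
asks the IDP for a fresh, single-use authentication, and inspect an
incoming request for those two settings."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, destination, force_authn=True, one_time_use=True):
    """Return AuthnRequest XML as a string.

    ForceAuthn="true" tells the IDP to ignore any existing SSO session;
    <saml:OneTimeUse/> under <saml:Conditions> asks that the resulting
    assertion (and the IDP session created for it) not be reused elsewhere.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if one_time_use:
        conditions = ET.SubElement(req, f"{{{SAML}}}Conditions")
        ET.SubElement(conditions, f"{{{SAML}}}OneTimeUse")
    return ET.tostring(req, encoding="unicode")


def fresh_auth_settings(authn_request_xml):
    """Report which of the two settings an AuthnRequest carries.

    ForceAuthn is an xs:boolean that defaults to false when absent, so only
    the literal values "true" and "1" count as set. OneTimeUse is present
    only if the element sits directly under saml:Conditions.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    force = root.get("ForceAuthn", "false").strip().lower() in ("true", "1")
    one_time = root.find(f"{{{SAML}}}Conditions/{{{SAML}}}OneTimeUse") is not None
    return {"ForceAuthn": force, "OneTimeUse": one_time}


if __name__ == "__main__":
    # constructed placeholder endpoints, not real deployments
    xml = build_authn_request("https://sp.example.test/saml",
                              "https://idp.example.test/sso")
    print(xml)
    print(fresh_auth_settings(xml))
```

An SP that relies on the agent-side settings instead of its own AuthnRequest can still use the inspection function on outgoing requests as a configuration check: a request in which ForceAuthn is absent will silently accept any existing IDP session.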
...
For even more advanced use cases, application-specific session timing requirements can be satisfied programmatically. Using the LoginEvent of the API, it is possible to check the time and date of the original user authentication, the time and date at which the SP assertion was issued, and the time and date after which the IDP application session lifetime ends. The LoginEvent has access to the following UbiloginSAMLAssertion object and AuthnContext methods:
getAuthnInstant()
- the time and date of the original user authentication
getIssueInstant()
- the time and date of the assertion issue at the IDP
getSessionNotOnOrAfter()
- the time and date after which the IDP application session lifetime ends
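The following is an added example (not Ubilogin code) of the kind of application-specific timing policy a LoginEvent handler could apply over those three values. It takes the timestamps as SAML dateTime strings, which is how they appear in the assertion, and assumes the application's own limits (maximum age of the original authentication, maximum age of the assertion, tolerated clock skew) as constructed parameters; the sample timestamps in the usage block are constructed as well.

```python
"""Added example (not Ubisecure code): an application-specific freshness
check over AuthnInstant, IssueInstant and SessionNotOnOrAfter."""
from datetime import datetime, timedelta, timezone


def parse_saml_instant(value):
    """Parse a SAML dateTime such as 2024-05-01T12:00:00Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML instants must carry a time zone")
    return dt.astimezone(timezone.utc)


def check_session_timing(authn_instant, issue_instant, session_not_on_or_after, now,
                         max_authn_age=timedelta(minutes=5),
                         max_assertion_age=timedelta(minutes=2),
                         clock_skew=timedelta(seconds=30)):
    """Return (ok, reason) for the three timestamps a LoginEvent exposes.

    The limits are hypothetical application policy values, not defaults of
    any product. session_not_on_or_after may be None when the IDP did not
    set a session lifetime.
    """
    authn = parse_saml_instant(authn_instant)
    issued = parse_saml_instant(issue_instant)
    now = now.astimezone(timezone.utc)

    # an assertion issued further in the future than the tolerated skew is rejected
    if issued - now > clock_skew:
        return False, "IssueInstant is in the future"
    # the assertion itself must be fresh, independent of the SSO session behind it
    if now - issued > max_assertion_age + clock_skew:
        return False, "assertion is too old"
    # application-specific rule: the original user authentication must be recent;
    # with ForceAuthn this should always hold, without it a long-lived SSO
    # session would pass here unless the application checks it
    if now - authn > max_authn_age + clock_skew:
        return False, "AuthnInstant too old: re-authentication required"
    if session_not_on_or_after is not None:
        ends = parse_saml_instant(session_not_on_or_after)
        # conservative: a session ending within the skew window is treated as ended
        if now + clock_skew >= ends:
            return False, "IDP session lifetime has ended"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample values
    now = datetime(2024, 5, 1, 12, 10, 0, tzinfo=timezone.utc)
    print(check_session_timing("2024-05-01T12:07:00Z", "2024-05-01T12:09:30Z",
                               "2024-05-01T13:00:00Z", now))
    print(check_session_timing("2024-05-01T11:50:00Z", "2024-05-01T12:09:30Z",
                               "2024-05-01T13:00:00Z", now))
```

Checking AuthnInstant separately from IssueInstant is the point of the example: a freshly issued assertion can describe an authentication that happened hours earlier when the IDP reused an SSO session, and only the application knows how old that authentication may be for its own purposes.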
...