SAML authentication - require a forced authorization on SAML assertion (no cached browser session)

01-19-2024 09:18 AM
I'm working on a CSM implementation with a public-facing portal where the client has an SSO service for citizens with many different independent downstream services, including our SN portal. Their SSO system allows citizens to also have a secondary business profile, where they can submit inquiries separately, either as themselves (as a citizen) or on behalf of their business. On their SSO service, it's a single user with role-based profiles, so as part of the integration, the unique ID that comes in to SN is the same (since in their system it's the same user). In SN, it gets set up as separate users to fit the CSM licensing and security model: Consumer / Consumer User for the citizen profile, and Contact / Account for the business profile. We are able to determine which profile is attempting to authenticate initially, and it does so successfully. Here is where we run into the roadblock:
In the client SSO service, they have an integrated header with our SN portal that allows them to change their profile between individual and business on the fly (during their authenticated SN session). The problem is that it all happens in the same browser tab/session: it navigates away from the SN portal, but when they switch to their business profile and click "login" again, the session is still authenticated as the citizen profile, so SN just drops them right back into the existing session and skips the SAML assertion.
SN support says this is possible to do via customization, but I have not been able to figure it out. Does anyone know how to accomplish either of the following?
1) Is there a way to always force re-authentication on the SAML assertion, despite a cached browser session? We tried setting the "Force AuthnRequest" flag on the SAML IdP to true, but it did not change anything.
2) When SN has an authenticated browser session, opening a new tab or window in the same browser and putting in the base URL for the instance drops you into that same cached session. Is it possible to harden the instance so that any new tab/window would also require authentication?
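The two mechanisms the question turns on, shown as an added illustration that is not ServiceNow's code or the client's SSO service: the `ForceAuthn` attribute on the AuthnRequest (what the "Force AuthnRequest" flag emits), and the SP-side check that decides whether an incoming assertion may be ignored in favour of the cached session. The sample assertion, the `profile` attribute name and the session shape are constructed assumptions; signature validation is assumed to have happened before `parse_assertion` is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample: unsigned assertion the IdP would return for the business profile.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID>citizen-12345</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req2" NotOnOrAfter="2024-01-19T17:25:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-19T17:20:30Z"/>
  <saml:AttributeStatement><saml:Attribute Name="profile">
    <saml:AttributeValue>business</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def build_authn_request(req_id, issuer, acs_url, issue_instant, force_authn=True):
    """Minimal AuthnRequest; ForceAuthn="true" tells the IdP to challenge the
    user again instead of reusing its own SSO session. It does nothing if the
    SP never sends the request because it already holds a session."""
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_authn else "false"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")

def parse_assertion(xml_text):
    """Extract the fields the SP needs from a signature-verified assertion."""
    a = ET.fromstring(xml_text)
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall(".//saml:Attribute", NS)}
    return {"name_id": a.findtext(".//saml:Subject/saml:NameID", namespaces=NS),
            "in_response_to": a.find(".//saml:SubjectConfirmationData", NS).get("InResponseTo"),
            "authn_instant": a.find(".//saml:AuthnStatement", NS).get("AuthnInstant"),
            "profile": attrs.get("profile", [None])[0]}  # assumed attribute name

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def decide(session, assertion, req_id, req_issue_instant):
    """Return (accept, action) for an assertion arriving over a cached session."""
    if assertion["in_response_to"] != req_id:
        return False, "unsolicited-or-stale"        # not an answer to our request
    if _ts(assertion["authn_instant"]) < _ts(req_issue_instant):
        return False, "forceauthn-not-honoured"     # IdP reused an older login
    if session and (session["name_id"], session["profile"]) == \
            (assertion["name_id"], assertion["profile"]):
        return True, "keep-session"
    return True, "new-session"  # same NameID, different profile: rebind the session
```

The last branch is the case from the question: identical NameID but a different profile attribute must replace the cached citizen session rather than be dropped into it.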