
shibboleth-dev - RE: [Shib-Dev] FW: [REDCap] E-Signature and Shibboleth

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] FW: [REDCap] E-Signature and Shibboleth
  • Date: Mon, 27 Sep 2010 11:56:38 -0500
  • Accept-language: en-US

Right, the original question was if an SP could force Shibboleth to ask the
user for their username/password (again) after having already successfully
authenticated.

-----Original Message-----
From: [mailto:] On Behalf Of Scott Cantor
Sent: Monday, September 27, 2010 11:20 AM
To:
Subject: RE: [Shib-Dev] FW: [REDCap] E-Signature and Shibboleth

> What I am hearing is... "technically, yes. But practically, no."

What's the question? Validating passwords is not the job of the IdP, it's
the job of the authentication service(s) the IdP is using. If that's the use
case, it's not a SAML or IdP issue.

But you asked about forced authentication, and the answer is technically and
practically yes, if the SP does so properly and if the IdP is deployed to
support SAML 2 features like that. Lots of IdPs can do that. It's only a
problem when you get into more exotic deployments that punt to external SSO,
and even then it's sometimes possible.

-- Scott


Attachment: smime.p7s
Description: S/MIME cryptographic signature
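
The forced re-authentication discussed in this thread only helps an e-signature step if the SP also confirms that the IdP actually re-authenticated the user. The sketch below is an added example, not code from the thread or from the Shibboleth project: it assumes the SP sent a SAML 2 AuthnRequest with ForceAuthn="true", that the returned assertion has already passed signature validation, and the function names and sample timestamps are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2010-09-27T16:56:20Z (fraction optional)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def reauth_is_fresh(assertion_xml, request_issued_at, now,
                    skew=timedelta(seconds=60)):
    """Return True only if every AuthnStatement was made after the SP's
    ForceAuthn request was issued (allowing for clock skew).

    assertion_xml is assumed to be an assertion whose signature, audience and
    validity window were already checked by the SP's SAML stack.
    """
    root = ET.fromstring(assertion_xml)
    statements = root.findall(".//saml:AuthnStatement", SAML_NS)
    if not statements:
        return False  # fail closed: no statement about authentication at all
    for statement in statements:
        raw = statement.get("AuthnInstant")
        if raw is None:
            return False
        instant = parse_instant(raw)
        # An IdP that ignored ForceAuthn and reused its SSO session reports the
        # original login time, which predates the request.
        if instant < request_issued_at - skew or instant > now + skew:
            return False
    return True


def sample_assertion(authn_instant):
    """Constructed, minimal assertion fragment for demonstration only."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:AuthnStatement AuthnInstant="{authn_instant}"/>'
            '</saml:Assertion>')


if __name__ == "__main__":
    issued = datetime(2010, 9, 27, 16, 56, 0, tzinfo=timezone.utc)
    now = datetime(2010, 9, 27, 16, 56, 30, tzinfo=timezone.utc)
    for label, ts in [("re-authenticated", "2010-09-27T16:56:20Z"),
                      ("reused morning session", "2010-09-27T08:03:11Z")]:
        print(label, reauth_is_fresh(sample_assertion(ts), issued, now))
```
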



