SAML 2.0 with the "POST" Binding: Is there any way for the Service Provider to ask the IdP for user re-authentication for a specific request? I mean the first time the web user enters login/password, then it stores some sort of cookie in browser memory so that it remembers the user and does not ask him for a password again next time inside the session. I want the SP to be able to enforce re-authentication, which means a command to ask the user for the password again.
The only similar thing I found is ForceAuthn, and it does not help me:
<samlp:AuthnRequest ForceAuthn="true" ... >
According to the documentation, ForceAuthn is exactly what I need, but for some reason Microsoft ADFS 2.0 completely ignores it and does not ask the user for a password.
ADFS's default behavior to log in a user on the IdP side is a 401 (NTLM) challenge, and all mainstream browsers will cache the user's id/pw input. Even though you specify ForceAuthn="true", it won't help, since the client-side browser will send your cached id/pw again.
There is a way to change the default behavior of the ADFS login strategy to adopt HTML form login. Supposing you are installing ADFS in the default location, you can find c:\inetpub\adfs\ls\web.config. There is a <localAuthenticationTypes> element in it; make sure you put <add name="Forms" page="FormsSignIn.aspx" /> as the first element inside it. You can also customize the login form page as you like.
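An added example, not code from the question or the answer above: it builds the AuthnRequest with ForceAuthn="true" for the HTTP-POST binding and then performs the SP-side check that tells you whether the IdP actually re-authenticated, by comparing the assertion's AuthnInstant with the request's IssueInstant (an AuthnInstant older than the request means the IdP reused its existing session, which is the ADFS behaviour described above). The entity IDs, URLs and the sample response are constructed for the example.

```python
import base64
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, issue_instant):
    """AuthnRequest that demands a fresh login (ForceAuthn="true"); issue_instant is a UTC xs:dateTime string."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id  # Issuer must be the first child
    return ET.tostring(req, encoding="unicode")

def encode_for_post_binding(xml_text):
    """HTTP-POST binding: plain base64 of the XML in the SAMLRequest form field (DEFLATE is Redirect-only)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def parse_instant(value):
    """Parse a UTC xs:dateTime with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def reauth_happened(response_xml, request_issue_instant):
    """SP-side check (run after signature validation): ForceAuthn was honoured only if the assertion's
    AuthnInstant is not earlier than our request; an older value means the IdP reused its session."""
    stmt = ET.fromstring(response_xml).find(f".//{{{SAML}}}AuthnStatement")
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False
    return parse_instant(stmt.get("AuthnInstant")) >= parse_instant(request_issue_instant)

# Constructed sample response whose AuthnStatement reflects a login from hours before our request.
STALE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:AuthnStatement AuthnInstant="2024-01-01T08:30:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""
```

Calling reauth_happened(STALE_RESPONSE, "2024-01-01T12:00:00Z") returns False, which is the signal an SP can use to reject the response or raise the authentication context it requires.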