服务提供商如何在 IdP 服务器上加强密码提示? [英] How can Service Provider reinforce password prompt at IdP server?
问题描述
带有POST"绑定的 SAML 2.0:服务提供商有什么方法可以要求 IdP 对特定请求进行用户重新身份验证?我的意思是网络用户第一次输入登录名/密码时,它会在浏览器内存中存储某种 cookie,以便它记住用户并且下次在会话中不再要求他输入密码.我希望 SP 能够强制重新验证,这意味着再次要求用户输入密码的命令
SAML 2.0 with the "POST" Binding: Is there any way for Service Provider to ask IdP for user re-authentication for the specific request? I mean first time web user enters login/password, than it stores some sort of cookie in a browser memory so that it remembers the user and does not ask him for password again next time inside the session. I want SP be able to enforce re-authentication which means a command to ask user for password again
我发现的唯一类似的东西 (ForceAuthn) 对我没有帮助:
The only similar thing I found (ForceAuthn) and it does not help me:
<samlp:AuthnRequest ForceAuthn="true" ... >
根据文档 ForceAuthn 正是我所需要的,但出于某种原因,Microsoft ADFS 2.0 完全忽略了它而不要求用户输入密码
According to documentation ForceAuthn is exactly what I need, but for some reason Microsoft ADFS 2.0 completely ignores it not asking user for password
推荐答案
ADFS 在 IdP 端登录用户的默认行为是 401 (NTLM) 质询,所有主流浏览器都会缓存用户的 id/pw 输入.即使您指定ForceAuthn=\"true\"",也无济于事,因为客户端浏览器会再次发送您缓存的 id/pw.
ADFS' default behavior to login a user on IdP side is 401 (NTLM) challenge, and all main stream browsers will cache user's id/pw input. Even though you specify "ForceAuthn=\"true\"", it wont help since the client side browser will send your cached id/pw again.
有一种方法可以将 ADFS 登录策略的默认行为更改为采用 html 表单登录.假设您在默认位置安装 ADFS,您可以找到 c:\inetpub\adfs\ls\web.config.并且有
There is a way to change the default behavior on ADFS login strategy to adopt html form login. Supposing you are installing ADFS in default location, you can find c:\inetpub\adfs\ls\web.config. And there is <localAuthenticationTypes> element, and make sure you put <add name="Forms" page="FormsSignIn.aspx" /> as the first element in it. Also you can customize the login form page as you like.
这篇关于服务提供商如何在 IdP 服务器上加强密码提示?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
