Actually, we use Google IdP as an SSO / SAML authentication type for our application. We have configured it to connect our users to our application and it works fine. But recently, we have also wanted to ask our users to reauthenticate for different actions that could happen during the application lifecycle.

In more detail, when we send a SAML request to the Google IdP, we add the attribute ForceAuthn="true" in the node "AuthnRequest" and we also add an AuthnContextClassRef to ask explicitly that we want a reauthentication by credentials.

When we send this SAML request to the Google IdP, the problem is that the IdP server doesn't ask the end user for credentials and redirects directly to the application with a successful response.

Is that normal? Does the Google IdP support the attribute ForceAuthn="true"? I didn't find any documentation on this topic.

Here is an example of the SAML request that has been sent to the IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Version="2.0"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="#url_sp"
                    ID="#id"
                    IssueInstant="2021-05-31T15:34:19Z"
                    Destination="https://accounts.google.com/o/saml2/idp?idpid=#id"
                    ProviderName="#ip"
                    IsPassive="false"
                    ForceAuthn="true">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#url_sp</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    #signature_info
  </Signature>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

  • You could redirect the user to https://www.google.com/accounts/Logout?continue={your_login_url} before initiating the SAML flow to log him out of the Google account. Commented Jun 1, 2021 at 11:44
  • I want to keep my "main" session as a valid session. The SAML login attempt would be only requested for the "sensitive" action to validate. If the user decides to not reauthenticate himself, he should continue in the application with his "main" session.
    – NicoFC34
    Commented Jun 2, 2021 at 12:15
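Whatever the IdP does with ForceAuthn, the service provider can tell from the response whether a fresh login actually happened: the AuthnStatement in the returned assertion carries an AuthnInstant, and an IdP that silently reused an existing session reports the time of that earlier login rather than a time after the step-up request was issued. The following added example (not code from the asker or from Google; entity IDs, URLs, request IDs and the sample response are constructed) builds the same kind of step-up AuthnRequest as the one in the question with Python's standard library and then checks a response for InResponseTo, the requested AuthnContextClassRef and an AuthnInstant later than the request, with a small clock-skew allowance. It assumes the SP's SAML library has already verified the XML signature, audience, recipient and validity window.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed values for this example, not the asker's real identifiers.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso"
REQUEST_ID = "_req-step-up-0001"
REQUEST_ISSUED = datetime(2021, 5, 31, 15, 34, 19, tzinfo=timezone.utc)


def build_step_up_request(request_id, issued_at):
    """Step-up AuthnRequest as in the question: ForceAuthn="true" plus an exact
    RequestedAuthnContext. Signing is left to the SP's usual signing step."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "Version": "2.0",
        "ID": request_id,
        "IssueInstant": issued_at.strftime(TS),
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": ACS_URL,
        "IsPassive": "false",
        "ForceAuthn": "true",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = PPT
    return ET.tostring(req, encoding="unicode")


def check_reauthentication(response_xml, request_id, issued_at,
                           required_class=PPT, skew=timedelta(seconds=60)):
    """Decide whether the IdP really re-authenticated the user. Assumes signature,
    audience, recipient and validity window were already verified. Returns (ok, reason)."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    # The response must answer this step-up request, not an earlier login.
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match the step-up request"
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in the assertion"
    cls = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if cls is None or cls.text != required_class:
        return False, "AuthnContextClassRef is not the requested class"
    # A fresh login happens after the request was issued; an IdP that ignored
    # ForceAuthn reports the AuthnInstant of the session it reused.
    authn_instant = datetime.strptime(stmt.get("AuthnInstant"), TS).replace(tzinfo=timezone.utc)
    if authn_instant < issued_at - skew:
        return False, "AuthnInstant predates the request: existing session reused"
    return True, "fresh authentication"


def make_response(in_response_to, authn_instant, authn_class=PPT):
    """Constructed sample IdP response (unsigned), used only to exercise the check."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-0001" Version="2.0" IssueInstant="2021-05-31T15:34:45Z"
    InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-0001" Version="2.0" IssueInstant="2021-05-31T15:34:45Z">
    <saml:Issuer>{IDP_SSO_URL}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s-0001">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_step_up_request(REQUEST_ID, REQUEST_ISSUED))
    # Session reused from a login earlier in the day: the step-up is refused.
    print(check_reauthentication(make_response(REQUEST_ID, "2021-05-31T09:02:00Z"),
                                 REQUEST_ID, REQUEST_ISSUED))
    # Credentials entered after the request was sent: accepted.
    print(check_reauthentication(make_response(REQUEST_ID, "2021-05-31T15:34:41Z"),
                                 REQUEST_ID, REQUEST_ISSUED))
```

When the check fails, the application keeps the user's existing "main" session and simply refuses the sensitive action, which is the behaviour the asker wants; relying on the IdP's success status alone would let a reused session pass as a reauthentication. The skew allowance covers an IdP clock slightly behind the SP's; make it no larger than the gap you are willing to accept between "logged in" and "just proved possession of credentials".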

1 Answer


Official answer from Google support:

I'd like to mention that Google doesn't currently implement Single Log out/account reauthentication for SAML authorized services. You may alternatively have the use of "session lengths" which will apply to Google services as described in the following document: https://support.google.com/a/answer/7576830 I'd also like to mention that these types of requests have been made to our team previously and there is an existing request managed internally that is yet to be implemented and which I have attached to your ticket; this way the request will add weight to the number of users in need of the feature. You may also submit it as a feature request. The page at https://www.cloudconnectcommunity.com/ccc/ls/community/g-suite-feature-ideas-access-information has more details about filing feature ideas.

  • +1 for posting some information from Google's response. Can you expand your answer with more details from Google's reply? Commented Jun 10, 2021 at 18:17
  • Nothing more to say except there is an existing enhancement request that already exists and they have added my need to this request.
    – NicoFC34
    Commented Jun 14, 2021 at 7:31
  • @NicoFC34 Can you please provide a link to the existing enhancement request and/or the official response? (if it's from a public knowledge article)
    – shaythan
    Commented Jul 2, 2023 at 13:08
  • @shaythan it seems to be an "internal" request, sorry.
    – NicoFC34
    Commented Jul 3, 2023 at 14:08