Tags: google-cloud-platform, saml, saml-2.0, idp

Use the SAML attribute ForceAuthn with Google IdP


Actually, we use Google IdP as an SSO / SAML authentication type for our application. We have configured it to connect our users to our application and it works fine. But recently, we have also wanted to ask our users to reauthenticate for different actions that could happen during the application lifecycle.

In more detail, when we send a SAML request to the Google IdP, we add the attribute ForceAuthn="true" to the "AuthnRequest" node and we also add an AuthnContextClassRef to ask explicitly that we want a reauthentication by credentials.

When we send this SAML request to the Google IdP, the problem is that the IdP server doesn't ask the end user for credentials and redirects directly to the application with a successful response.

Is that normal? Does the Google IdP support the attribute ForceAuthn="true"? I didn't find any documentation on this topic.

Here is an example of the SAML request that has been sent to the IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Version="2.0"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="#url_sp"
                    ID="#id"
                    IssueInstant="2021-05-31T15:34:19Z"
                    Destination="https://accounts.google.com/o/saml2/idp?idpid=#id"
                    ProviderName="#ip"
                    IsPassive="false"
                    ForceAuthn="true">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#url_sp</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    #signature_info
  </Signature>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Solution

  • Official answer from Google support:

    I'd like to mention that Google doesn't currently implement Single Log out/account reauthentication for SAML authorized services. You may alternatively make use of "session lengths", which will apply to Google services as described in the following document: https://support.google.com/a/answer/7576830. I'd also like to mention that these types of requests have been made to our team previously and there is an existing request managed internally that is yet to be implemented and which I have attached to your ticket; this way the request will add weight to the number of users in need of the feature. You may also submit it as a feature request. The page at https://www.cloudconnectcommunity.com/ccc/ls/community/g-suite-feature-ideas-access-information has more details about filing feature ideas.
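Since the IdP may ignore ForceAuthn and simply reuse its existing session, the service provider should not assume reauthentication happened just because the Response is successful. The following added example (not code from the question, the answer, or any Google library) shows an SP-side check: it parses the assertion's AuthnStatement, requires the AuthnInstant to be no earlier than the IssueInstant of the AuthnRequest shown above, and requires the AuthnContextClassRef that was requested. The Response bodies, the `is_fresh_authentication` function name and the 60-second skew allowance are constructed for illustration; signature validation is assumed to have been done before this check.

```python
"""SP-side check that a SAML Response reflects a fresh authentication (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REQUEST_ISSUE_INSTANT = "2021-05-31T15:34:19Z"  # IssueInstant of the AuthnRequest above


def _parse_instant(value: str) -> datetime:
    # SAML dateTime values are UTC with a trailing "Z"; rewriting it as an offset keeps
    # fromisoformat() working on Python versions older than 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_fresh_authentication(response_xml: str, request_issue_instant: str,
                            required_context: str = PASSWORD_CTX,
                            max_skew: timedelta = timedelta(seconds=60)) -> bool:
    """True only if the AuthnStatement shows an authentication performed after the
    ForceAuthn request was issued (minus clock skew) with the requested context class.
    Assumes the Response signature has already been validated by the caller."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        return False  # no authentication statement at all: treat as not reauthenticated
    ctx = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() != required_context:
        return False  # IdP used a different (or unspecified) authentication method
    authn_instant = _parse_instant(stmt.attrib["AuthnInstant"])
    issued = _parse_instant(request_issue_instant)
    # An AuthnInstant older than the request means the IdP reused an existing session.
    return authn_instant >= issued - max_skew


def _sample_response(authn_instant: str) -> str:
    # Constructed minimal Response (Signature and Conditions omitted for brevity).
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        '<saml:AuthnStatement AuthnInstant="%s"><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion></samlp:Response>' % (authn_instant, PASSWORD_CTX)
    )


REUSED_SESSION = _sample_response("2021-05-31T09:02:41Z")  # user logged in hours earlier
FRESH_LOGIN = _sample_response("2021-05-31T15:34:52Z")     # credentials entered after the request
```

Calling `is_fresh_authentication(REUSED_SESSION, REQUEST_ISSUE_INSTANT)` returns False, so the application can refuse the sensitive action and fall back to its own step-up prompt instead of trusting the IdP's successful Response.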