Opt out of SSO

Document ID : KB000073200
Last Modified Date : 22/05/2018
Introduction:
We want the user to always have to reauthenticate on a federation transaction, even if the user has a valid session and regardless of the protection level of the authentication scheme used to create the current session.
 
Question:
Is there a way to force a user to reauthenticate on a federation transaction, even if the user has a valid session?
Environment:
SSO / Siteminder 12.52
SSO 12.6
SSO 12.7
Answer:
The use of "ForceAuthn" should meet your requirement. 
https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/partnership-federation/urls-to-initiate-single-sign-on#URLstoInitiateSingleSign-on-IdPProcessingoftheForceAuthnandIsPassiveQueryParameters 
--Excerpt-- 
If ForceAuthn=True in the AuthnRequest message, and a CA Single Sign-On session exists for a particular user, the IdP rechallenges the user for credentials. 
If the user successfully authenticates, the IdP includes the identity information from the existing session in the assertion. The IdP discards the session that it generated for reauthentication. 
A user can try to reauthenticate with different credentials than those used by the existing session. 
The IdP then compares the userDN and the user directory OID for the current and existing sessions. 
If the sessions are not for the same user, the IdP returns a SAML 2.0 response. The response indicates that the authentication has failed. 
If the SP sets ForceAuthn=True in the AuthnRequest message and there is no CA Single Sign-On session, the IdP challenges the user for credentials. 
If the user successfully authenticates, a session is established. 
Example: http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&ForceAuthn=yes 
------------
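The ForceAuthn decision flow described in the excerpt above, modelled as an added Python example (not CA Single Sign-On code or configuration). The `Session` class, the function names and the outcome labels are hypothetical, and the DNs and directory OIDs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:
    user_dn: str        # DN of the authenticated user
    directory_oid: str  # OID of the user directory that holds the DN


def same_user(a: Session, b: Session) -> bool:
    # Both values are compared: the same DN in another directory is another user.
    return (a.user_dn, a.directory_oid) == (b.user_dn, b.directory_oid)


def process_force_authn(existing: Optional[Session],
                        reauth: Optional[Session]) -> Tuple[str, Optional[Session]]:
    """Model of IdP handling for an AuthnRequest with ForceAuthn=True.

    existing: session the user already holds, or None
    reauth:   session created by the forced challenge, or None when the
              credentials were rejected
    Returns (outcome label, session whose identity feeds the assertion).
    """
    if reauth is None:
        # The challenge is always issued; without valid credentials nothing is asserted.
        return ("AUTHN_FAILED", None)
    if existing is None:
        # No prior session: the new login becomes the session.
        return ("SESSION_ESTABLISHED", reauth)
    if same_user(existing, reauth):
        # Identity comes from the existing session; the reauth session is discarded.
        return ("ASSERTION_FROM_EXISTING_SESSION", existing)
    # Reauthenticated as someone else: the response reports failed authentication.
    return ("AUTHN_FAILED", None)


# Constructed sample sessions.
ALICE = Session("uid=alice,ou=people,dc=example,dc=com", "dir-oid-0001")
ALICE_AGAIN = Session("uid=alice,ou=people,dc=example,dc=com", "dir-oid-0001")
BOB = Session("uid=bob,ou=people,dc=example,dc=com", "dir-oid-0001")
ALICE_OTHER_DIR = Session("uid=alice,ou=people,dc=example,dc=com", "dir-oid-0002")

if __name__ == "__main__":
    for existing, reauth in [(ALICE, ALICE_AGAIN), (ALICE, BOB),
                             (ALICE, ALICE_OTHER_DIR), (None, BOB), (ALICE, None)]:
        print(process_force_authn(existing, reauth)[0])
```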