Enabling Forced Reauthentication
To force a user to reauthenticate while accessing an application, even if a valid IDCS session is available, set forceReauthenticateAfterInMinutes using the REST API endpoint.
To enable this functionality, the access.sso.session.max.age feature needs to be enabled.
IDCS maintains the attribute forceReauthenticateAfterInMinutes at the application level. When an application makes an authentication request to IDCS, IDCS evaluates whether the time elapsed since the last authentication has exceeded the value set in the forceReauthenticateAfterInMinutes attribute for that app. If it has, IDCS forces the user to reauthenticate. By default the value is NULL and reauthentication isn't enforced.
Possible values for this attribute:
- NULL (default): No reauthentication
- -1: No reauthentication
- 0 to 32767: Duration in minutes after which a user is forced to reauthenticate
If authenticating with external identity providers, IDCS tries to enforce reauthentication at the external IdPs.
- For OIDC, IDCS passes the max_age parameter in the /authorize request.
- For SAML, based on the AuthNInstant returned in the SAML response by the external identity provider, IDCS sends a second SAML request to the IdP with ForceAuthn=true when the time since that AuthNInstant exceeds the forceReauthenticateAfterInMinutes value configured at the app level.
When IDCS is federated to an external identity provider, IDCS can't guarantee that the user is actually forced to reauthenticate by that provider. The behavior depends on how the OIDC/SAML protocols are implemented at the external identity provider.
Use the following REST API request to set the forceReauthenticateAfterInMinutes attribute on the app.
curl --location --request PATCH 'https://{{IDCS_HOST}}/admin/v1/Apps/{{APP_ID}}' --header 'X-RESOURCE-IDENTITY-DOMAIN-NAME: tenantsp' --header 'Authorization: Bearer {{IDENTITY_DOMAIN_ADMINISTRATOR_TOKEN}}' --header 'Content-Type: application/json' --data-raw '{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "add",
            "path": "forceReauthenticateAfterInMinutes",
            "value": {{value}}
        }
    ]
}'
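The evaluation described above (NULL and -1 disable the check, 0 to 32767 is a threshold in minutes, OIDC carries it as max_age, SAML compares against the IdP's AuthNInstant) can be modelled so that a team can unit-test the policy they expect before changing the app. This is an added example written for this page, not IDCS code; the function names, the seconds conversion for max_age (the OIDC parameter is expressed in seconds) and the sample timestamps are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_MINUTES = 32767  # upper bound of the documented 0..32767 range


def parse_instant(iso_ts: str) -> datetime:
    """Parse a UTC timestamp such as a SAML AuthnInstant ('2024-01-01T11:00:00Z')."""
    ts = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def is_valid_force_reauth_value(value: Optional[int]) -> bool:
    """NULL (None) and -1 disable the check; 0..32767 is a threshold in minutes."""
    if value is None or value == -1:
        return True
    return isinstance(value, int) and 0 <= value <= MAX_MINUTES


def must_reauthenticate(force_after_minutes: Optional[int],
                        last_auth: datetime, now: datetime) -> bool:
    """True when the time since the last authentication has exceeded the app's threshold.
    None and -1 never force reauthentication; 0 forces it on every request."""
    if not is_valid_force_reauth_value(force_after_minutes):
        raise ValueError(f"forceReauthenticateAfterInMinutes out of range: {force_after_minutes!r}")
    if force_after_minutes is None or force_after_minutes == -1:
        return False
    return (now - last_auth) > timedelta(minutes=force_after_minutes)


def oidc_max_age_seconds(force_after_minutes: Optional[int]) -> Optional[int]:
    """max_age to send on /authorize (seconds per the OIDC spec), or None when disabled."""
    if force_after_minutes is None or force_after_minutes == -1:
        return None
    return force_after_minutes * 60


def saml_needs_force_authn(force_after_minutes: Optional[int],
                           authn_instant: str, now: datetime) -> bool:
    """Whether the AuthnInstant in the IdP's SAML response is too old, so that a second
    AuthnRequest with ForceAuthn="true" is required (hypothetical helper for this example)."""
    return must_reauthenticate(force_after_minutes, parse_instant(authn_instant), now)


if __name__ == "__main__":
    # Constructed sample: app configured for 30 minutes, IdP authenticated the user an hour ago.
    now = parse_instant("2024-01-01T12:00:00Z")
    print("force reauth:", saml_needs_force_authn(30, "2024-01-01T11:00:00Z", now))
    print("OIDC max_age:", oidc_max_age_seconds(30))
```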