Gist aaronanderson/1e32ba706dd818ac3a51a56f25fbcd12, created March 18, 2022 17:44
Here is the process to generate a static Azure AD SAML Service Provider (SP) link that forces reauthentication (ForceAuthn), similar to the OAuth prompt=login setting:

1. Edit the following single-line XML, replacing the acme-prod value with whatever Entity ID value was set up in the Azure AD SAML application. Notice the presence of the ForceAuthn attribute. The ID and IssueInstant can be any valid value.

<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="workday_azure_ad_saml" Version="2.0" ForceAuthn="true" IssueInstant="2000-01-01T00:00:00.0000000Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://www.workday.com/acme-prod</Issuer></samlp:AuthnRequest>

2. Go to https://developers.onelogin.com/saml/online-tools/code-decode/deflate-base64-encode and deflate and base64-encode the request.

3. Copy the encoded value and URL-encode it using any online URL encoding site.

4. Append the URL-encoded value to the application's SAML login link as the SAMLRequest parameter, like so: https://login.microsoftonline.com/<tenant ID>/saml2?SAMLRequest=jZBBa8MwDIX%2F...

5. Access the URL and log in to Azure AD and the application. Re-access the URL and confirm that reauthentication is required.
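Steps 1 through 4 are the standard SAML HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding), so they can be done offline instead of pasting the request into online tools. The script below is an added example, not part of the gist: it builds the AuthnRequest from an Entity ID, encodes it, appends it to the login URL, and then decodes the result back to verify that the link really carries ForceAuthn="true". The tenant ID and Entity ID values are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qs, quote, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer, request_id="workday_azure_ad_saml",
                        issue_instant="2000-01-01T00:00:00.0000000Z",
                        force_authn=True):
    """Build the single-line AuthnRequest; `issuer` is the SP Entity ID
    registered in the Azure AD SAML application."""
    flag = "true" if force_authn else "false"
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" '
        f'Version="2.0" ForceAuthn="{flag}" IssueInstant="{issue_instant}">'
        f'<saml:Issuer xmlns:saml="{SAML}">{issuer}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def deflate_base64_encode(xml):
    """Raw DEFLATE (no zlib header or checksum, wbits=-15) followed by
    base64, exactly what the HTTP-Redirect binding expects."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_saml_request(encoded):
    """Inverse of deflate_base64_encode: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def build_login_url(tenant_id, xml):
    """Step 4: URL-encode the base64 value ('/' and '+' must become %2F and
    %2B) and append it as the SAMLRequest query parameter."""
    encoded = deflate_base64_encode(xml)
    return (f"https://login.microsoftonline.com/{tenant_id}/saml2"
            f"?SAMLRequest={quote(encoded, safe='')}")


def force_authn_requested(url):
    """Verification check: pull SAMLRequest back out of the link, decode it
    and confirm the root element is an AuthnRequest with ForceAuthn="true"."""
    query = parse_qs(urlparse(url).query)
    xml = decode_saml_request(query["SAMLRequest"][0])
    root = ET.fromstring(xml)
    return (root.tag == f"{{{SAMLP}}}AuthnRequest"
            and root.get("ForceAuthn") == "true")


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own tenant ID and Entity ID.
    request_xml = build_authn_request("http://www.workday.com/acme-prod")
    link = build_login_url("<tenant ID>", request_xml)
    print(link)
    print("ForceAuthn present:", force_authn_requested(link))
```

Checking the generated link with force_authn_requested before handing it out is worth the extra lines: a link built from the wrong XML, or with the attribute misspelt, silently degrades to an ordinary SSO link that honours the existing Azure AD session.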