This week CILogon added support for a new customization: required authentication (a.k.a. forced authentication).

CILogon relies on external identity providers for authentication of users. These identity providers implement web single sign-on (SSO), either via SAML (for InCommon IdPs) or OpenID (for Google, PayPal, and Verisign). If a user has recently logged on to a web site via an identity provider, SSO means that using the same identity provider to log on to CILogon won't require the user to authenticate again (i.e., won't require the user to type a password again). The identity provider implements SSO by setting a cookie in the user's web browser to remember the user's identity. SSO avoids the inconvenience of typing passwords many times throughout the day and potentially reduces the risk of typing a password by mistake on an attacker's phishing web site. However, SSO requires users to maintain control over their web browsers, so someone else doesn't use their cookies to access web sites using their identity. Different identity providers set different lifetimes on SSO cookies. Some may set cookies to be removed when you close your browser; others may require you to explicitly log out to delete your cookie. Logging out reliably across many web sites (called single sign-out or single log out) is a significant challenge.

Some applications want to bypass SSO and require the user to authenticate again, for greater confidence that the user's identity is correct and isn't being used by someone else sharing the user's web browser. In SAML 2.0, the ForceAuthn attribute of the AuthnRequest can ask the IdP to require re-authentication. In OpenID, including openid.pape.max_auth_age=0 in the authentication request has the same effect. CILogon partners can now require re-authentication for their applications, along with many other available CILogon customization options, for more seamlessly integrating CILogon into their cyberinfrastructure.

For more details, please contact us at help@cilogon.org.