diff --git a/AUTHORS.md b/AUTHORS.md
index 69f18f4..ebd98d2 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -61,4 +61,5 @@ an issue.
 - [Michael V. Battista](https://github.com/mvbattista)
 - [William Abbott](https://github.com/wrabit)
 - [Henry Harutyunyan](https://github.com/henryh9n) (Revolut)
-- [Noppanut Ploywong](https://github.com/noppanut15)
\ No newline at end of file
+- [Noppanut Ploywong](https://github.com/noppanut15)
+- [Mohammed Almeshal](https://github.com/MohammedAlmeshal)
\ No newline at end of file
diff --git a/README.md b/README.md
index 3069f7a..dd09b5c 100644
--- a/README.md
+++ b/README.md
@@ -208,6 +208,7 @@ python setup.py install
 'LOGOUT_REQUESTS_SIGNED': True, # Require each logout request to be signed
 'WANT_ASSERTIONS_SIGNED': True, # Require each assertion to be signed
 'WANT_RESPONSE_SIGNED': True, # Require response to be signed
+ 'FORCE_AUTHN': False, # Forces the user to re-authenticate with each authentication request
 'ACCEPTED_TIME_DIFF': None, # Accepted time difference between your server and the Identity Provider
 'ALLOWED_REDIRECT_HOSTS': ["https://myfrontendclient.com"], # Allowed hosts to redirect to using the ?next parameter
 'TOKEN_REQUIRED': True, # Whether or not to require the token parameter in the SAML assertion
@@ -278,6 +279,7 @@ Some of the following settings are related to how this module operates. The rest
 | **LOGOUT\_REQUESTS\_SIGNED** | Set this to `False` if your provider doesn't sign each logout request. | `bool` | `True` | |
 | **WANT\_ASSERTIONS\_SIGNED** | Set this to `False` if your provider doesn't sign each assertion. | `bool` | `True` | |
 | **WANT\_RESPONSE\_SIGNED** | Set this to `False` if you don't want your provider to sign the response. | `bool` | `True` | |
+| **FORCE\_AUTHN** | SAML2 request attribute that forces the user to re-authenticate with the Identity Provider (IdP), even if they already have an active session. | `bool` | `False` | |
 | **ACCEPTED\_TIME\_DIFF** | Sets the [accepted time diff](https://pysaml2.readthedocs.io/en/latest/howto/config.html#accepted-time-diff) in seconds | `int` or `None` | `None` | |
 | **ALLOWED\_REDIRECT\_HOSTS** | Allowed hosts to redirect to using the `?next=` parameter | `list` | `[]` | `['https://app.example.com', 'https://api.exmaple.com']` |
 | **DISABLE\_EXCEPTION\_HANDLER** | Set this to `True` if you want to disable the exception handler. Make sure to handle the `SAMLAuthError`s and other exceptions. | `bool` | `False` | |
diff --git a/django_saml2_auth/saml.py b/django_saml2_auth/saml.py
index 62cf61b..9bca5b5 100644
--- a/django_saml2_auth/saml.py
+++ b/django_saml2_auth/saml.py
@@ -238,6 +238,7 @@ def get_saml_client(
 "want_response_signed": dictor(
 saml2_auth_settings, "WANT_RESPONSE_SIGNED", default=True
 ),
+ "force_authn": dictor(saml2_auth_settings, "FORCE_AUTHN", default=False),
 },
 },
 }
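Review bot: The added `force_authn` line only asks the IdP for a fresh login; nothing in this hunk checks that the IdP actually honoured the request, and the README text added alongside it describes the setting as if re-authentication were guaranteed. I would annotate the new line so the next maintainer does not lean on it as a security control: `# ForceAuthn is a request to the IdP, not a guarantee; if re-authentication matters, verify AuthnInstant on the returned assertion`. `dictor` also passes the configured value through as-is (as the sibling `WANT_*` entries do), so a non-bool such as the string `"False"` would presumably be treated as truthy downstream — a one-line comment that the setting must be a real `bool` would help if that behaviour is confirmed. `get_saml_client` begins before this hunk and the settings dict it builds is cut off at the hunk's end.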