Which URL do I need to get to in order to log out?

I am using omniauth-saml with devise. This is how my routes.rb look:

constraints(subdomain: /.+/) do
    devise_for :users, path_names: {sign_in: 'auth/saml', sign_out: 'auth/saml/logout'},
                       controllers: {omniauth_callbacks: 'auth/omniauth_callbacks'}
    get '/users/auth/:provider/setup' => 'auth/saml#setup'
    get '/' => 'dashboard#index'
  end

But, when I go to https://xyz.mysite.dev/users/auth/saml/logout I get No route matches [GET] "/users/auth/saml/logout"

I have made this modification in devise.rb initializer:

config.sign_out_via = :get

Times that are generated using ruby-saml include a time-zone component (always Z), but by my reading of SAMLCore this is prohibited in section 1.3.3 - Time Values:

"All SAML time values have the type xs:dateTime, which is built in to the W3C XML Schema Datatypes
312 specification [Schema2], and MUST be expressed in UTC form, with no time zone component." (emphasis mine)

Do people disagree with my interpretation of this - it seems pretty clear to me...

I'm looking into implementing this as a PR, but my subject-matter expertise in XPATH is lacking. It would be great if we could construct a OneLogin::RubySaml::Settings object based on an IdP's descriptor XML.

The test xml_security_test.rb contains no assertions. I added an assertion for validate_doc as follows on line 13:

  assert @document.validate_doc(base64cert, nil)

And I receive the following error. I am running Ruby 1.8.7 P330. I forked and commited the change to git://github.com/ekolve/ruby-saml.git

1) Failure:
test: XmlSecurity should should provide getters and settings. (XmlSecurityTest)
[./test/xml_security_test.rb:13:in `__bind_1296505308_249038'
 /usr/lib/ruby/gems/1.8/gems/shoulda-2.11.3/lib/shoulda/context.rb:382:in `call'
 /usr/lib/ruby/gems/1.8/gems/shoulda-2.11.3/lib/shoulda/context.rb:382:in `test: XmlSecurity should should provide getters and settings. '
 /usr/lib/ruby/gems/1.8/gems/mocha-0.9.10/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:22:in `__send__'
 /usr/lib/ruby/gems/1.8/gems/mocha-0.9.10/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:22:in `run']:
<false> is not true.

I just print the result of @document.validate_doc(...) in xml_security_test.rb, however the result is "false".
So is the signature verification failed or there is something wrong with the test request?

Code in xml_security_test.rb:
should "should run validate without throwing NS related exceptions" do
base64cert = @document.elements["//ds:X509Certificate"].text
puts @document.validate_doc(base64cert, nil)
end

Simple change in Service Provider Metadata section:

render :xml => meta.create(settings)

should read

render :xml => meta.generate(settings)

So each build that's triggered through travis is failing consistently at the minute, due to a loose dependency on the shoulda-matchers gem. (An example failure output: https://travis-ci.org/onelogin/ruby-saml/jobs/7745319 )

Basically, it's failing due to the latest shoulda-matchers gem now requiring 1.9.2, and ruby-saml just depending on the latest shoulda-matchers gem blindly. Couple that to travis being set to test on 1.8.7 and ree (which is also 1.8.7 compatible), and 2/3 of the ruby versions tested fail during gem installation. Not ideal!

The way I see it there's a couple of solutions. We could stop testing on 1.8.7 rubies, as it's end of life even for security fixes this month, June 2013. Or we could tighten the dependency on shoulda-matchers version so it still installs under 1.8.7 rubies.

Personally, I think I'd rather see 1.8.7 dropped from being tested against as it's EOL, and add ruby 2.0.0 in there instead. And on that note, I can see there's a pull request (#82) to add jruby & ruby 2.0.0 support, which drops 1.8.7 from being tested. Merging that would solve this issue!

Hi there, firstly thank you so much for creating this gem! I know I'd be up the river without it! :)

I'm trying to implement the New Zealand Ministry of Education's SSO requirements for my rails app. They are using SAML2 and provide limited support to third parties when it comes to getting it set up. I've gotten to this point with them and can't see a way to generate this information for him using ruby-saml:

I still need you to give me your SP metadata for your locally running SP end point. How that is created must be a feature of the software libraries you are using, so you need to contact the developers of it to get assistance with that part. Once you have this information, I can import it into the idp.catalyst.net.nz test IdP, and ensure that the communication is functioning correctly.

Any help on the matter would be much appreciated :)

Build is failing for 1.8.7 and ree due to an update to rake, requiring ruby 1.9 and up as of 2014-03-24. See https://github.com/jimweirich/rake/blob/master/History.rdoc

ruby-saml will need to require rake 10.1 or lower instead of just 10, or as referenced in #91, drop support for 1.8.7. I tend to agree with @caius regarding dropping 1.8.7 support since it reached EOL in June, 2013.

We would like to return the attribute values as an array where there is more than one field in an array.

This is similar to #112 but is not identical. That request is dealing with multiple nodes with the same name, whereas this is one node with multiple values.

Do you have any plans to support logout requests?

I've been trying to integrate ruby-saml with a rails project of mine, but I need to be able to support a Single Logout scenario which, as far as I could see, the library still doesn't support.

I'm referring to a scenario in which a rails project using ruby-saml initiates an IDP session, which is then used by another SP. After a while, this second SP tries to initiate the log out procedure. According to the ruby-saml protocol, the IDP will have to send a LogoutRequest to every single SP currently logged in, except the one that initiated the Logout procedure (the rails project). This means that our ruby-saml rails application will receive a LogoutRequest and it will have to be able to send back a LogoutResponse, before the IDP actually logs out and sends back a Logout Response to the initial SP.

Is there any way to send a LogoutResponse in the current version of this library?
I've checked calh's fork and this is possible on that version, which is the reason why I'm using it currently. I've noticed that some of his code was added to this library, but I don't think that functionality is present yet, but I could be mistaken.

Thanks for your work. ;)

response.is_valid? eventually invokes XMLSecurity::SignedDocument::validate_doc; validate_doc removes the signature and other information from the response documents, so subsequent validate invocations fail with an error similar to:

NoMethodError (undefined method `text' for nil:NilClass):

XXE attacks: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

The ruby-saml uses Nokogiri at lib/xml_security.rb , 74

Read about this Nokogiri vulnerability issue:
sparklemotion/nokogiri#693

This is more of a general question on how you would handle POST binding to the provider with ruby-saml. I see in the docs the Redirect binding is clearly supported and documented:

def init
  request = OneLogin::RubySaml::Authrequest.new
  redirect_to(request.create(saml_settings))
end

I have a need to support the POST binding support and have written some code to do that. There is not anything to currently do this in this lib right?

We are trying to use your library to auth with ADFS2 server and validation permanent fails with digest mismatch.

Commited 5 day ago "Fixing XMLSecurity so it works with the StarfieldTMS IdP" by bundacia haven't resolved this issue.

We are trying to run tests and they are failing. Using jruby 1.7.0 (1.9.3p203)

A SAML provider is telling us we must add

ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

in the root of the AuthnRequest. We work with a bunch of providers that do not require this, but this one is telling us they require it. I can see how I would go about adding that into the gem, so I'd be glad to do that and issue a pull request. Before I do that, I just wanted to ask if this is considered a valid SAML requirement, and if it's something you'd consider merging.

Nokogiri in JRuby does not appear to support canonicalization (sparklemotion/nokogiri#226) properly such that it will create a digest mismatch. It doesn't appear there will be a fix immediately either since there hasn't been any action taken for 4 months.

Unfortunately, the only work around would be to do a "soft" validation or explicitly remove the digest check in JRuby. :-(

See https://github.com/onelogin/ruby-saml/blob/master/lib/xml_security.rb#L92-L106

Hi,

Thank you for your development of ruby-saml.
I am using your product in my code rack-saml and it is basically released through RubyGems.
Currently, I have an issue that I can not use Onelogin::Saml::Metadata in RubyGems version of ruby-saml 4.7.

toyokazu/rack-saml#2

If possible, could you release ruby-saml 4.8 with onelogin/saml/metadata.rb.

Best Regards

I'm receiving the following:

<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>
<ds:DigestValue>VixjWsKWEdVCCfEJaAjYRNpORKxPSUx1lHUOyoPbl7M=</ds:DigestValue>

this doesn't pass in method validate_doc as the hash calculated in that method assumes the method is always SHA1.

The following private function creates an issue parsing SAML XML that represents multi-valued fields.

      def xpath_first_from_signed_assertion(subelt=nil)
        node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
        node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
        node
      end

When the SAML looks like the XML below, you will only see "A" in the ruby hash, and never see the B and C values.

Need to provide a means of XML node access that doesn't use the .first idiom.

REXML::XPath.first

<saml:Attribute FriendlyName="CustomParamArray"
                Name="CustomParamArray"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">A</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">B</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">C</saml:AttributeValue>
</saml:Attribute>

Why not make available OneLogin::Saml?

While trying to validate a SAML Response I received the following error:
/usr/lib/ruby/gems/1.8/gems/ruby-saml-0.2.1/lib/xml_sec.rb:55:in validate_doc': uninitialized constant XMLSecurity::SignedDocument::XPath (NameError) from /usr/lib/ruby/gems/1.8/gems/ruby-saml-0.2.1/lib/xml_sec.rb:48:invalidate'
from /usr/lib/ruby/gems/1.8/gems/ruby-saml-0.2.1/lib/onelogin/saml/response.rb:21:in `is_valid?'

I'm running Ruby 1.8.7 p302 with ruby-saml 0.2.1. What seemed to fix this was when I prepended all instances of 'XPath' with 'REXML::'.

As far as I can tell it currently isn't possible to set AttributeConsumingServiceIndex=some_value for an AuthnRequest, as I only see a mention of AttributeConsumingServiceIndex in the saml20protocol_schema.xsd.

I guess this could be implemented in a manner similar to IsPassive in 8a825f3 or #92 ?

I've been trying to get this version of the plugin working with Ping Identity's Ping Federate locally (we are currently running an older version of this plugin which worked fine, and need to upgrade to support another integration) - however this latest version seems to be incompatible.

The problems seem to be all happening in XmlSecurity - Firstly, I had to change:

base64_cert = self.elements["//ds:X509Certificate"].text  #line 47 

to

base64_cert = REXML::XPath.first(self, "//ds:X509Certificate").text #line 47 

As REXML was having trouble with the XML which was generated - this got the document created correctly and doesn't change the meaning of the code overmuch.

Howevever, the primary problem now is that the digest_hash doesn't match the calculated hash value of the SAML Response. I think that this might be because attributes are being used, and it could be related to the previously reported issue #16.

The digest method and canonicalization method are unchanged, the digests simply just don't match up. I'm looking further into the problem just now to see if there's a way around this - has anyone encountered a similar problem?

I send to SSO provider a param, and want the provider send the param without any modifiion, how could I do that? will RelayState be a option?

RubyGems.org doesn't report a license for your gem. This is because it is not specified in the gemspec of your last release.

via e.g.

spec.license = 'MIT'
# or
spec.licenses = ['MIT', 'GPL-2']

Including a license in your gemspec is an easy way for rubygems.org and other tools to check how your gem is licensed. As you can imagine, scanning your repository for a LICENSE file or parsing the README, and then attempting to identify the license or licenses is much more difficult and more error prone. So, even for projects that already specify a license, including a license in your gemspec is a good practice. See, for example, how rubygems.org uses the gemspec to display the rails gem license.

There is even a License Finder gem to help companies/individuals ensure all gems they use meet their licensing needs. This tool depends on license information being available in the gemspec. This is an important enough issue that even Bundler now generates gems with a default 'MIT' license.

I hope you'll consider specifying a license in your gemspec. If not, please just close the issue with a nice message. In either case, I'll follow up. Thanks for your time!

Appendix:

If you need help choosing a license (sorry, I haven't checked your readme or looked for a license file), GitHub has created a license picker tool. Code without a license specified defaults to 'All rights reserved'-- denying others all rights to use of the code.
Here's a list of the license names I've found and their frequencies

p.s. In case you're wondering how I found you and why I made this issue, it's because I'm collecting stats on gems (I was originally looking for download data) and decided to collect license metadata,too, and make issues for gemspecs not specifying a license as a public service :). See the previous link or my blog post about this project for more information.

Exclusive XML Canonicalization 1.0 (exc_c14n) is not supported. See: http://www.w3.org/TR/xml-exc-c14n/

Unfortunately, I have not found any ruby library that supports Exclusive XML Canonicalization. However, the libxml2 package does have some (not very well documented) support for exc_c14n. Unfortunately, (again) libxml2-ruby doesn't expose exc_c14n in its canonicalize method.

As a first step I would prefer that an exception is raised (instead of the current silent ignore) for Assertions that include InclusiveNamespaces with PrefixList.

The best solution might be to add exc_c14n to libxml2-ruby and then switch to using libxml2-ruby instead of canonix.

Hi,

the answer I get from the (Shibboleth) SAML 2 IdP I'm talking to is completely encoded and wrapped in a saml2:EncryptedAssertion element containing a certificate and two ciphers. Ruby-saml doesn't know how to handle this yet and I have not yet found out, how to handle it either.

Is anybody of you familiar with this type of response and perhaps already working on adding this to ruby-saml?

Also, any pointers are much appreciated so I can add it on my own.

Best,
Chris

Hi there,

I'm getting mis-matched hashes when trying to verify a signature generated with a simplesamlphp server that we're trying to integrate with. We have no access to that server, so can't debug from that end. Essentially the hashes don't match up at the end of the code segment below. I've checked and the incoming XML specify's that their hash was generated with SHA1. I'm wondering if anyone could give me some pointers on how to troubleshoot this kind of problem? Obviously there must be a difference in the canonicalised markup on each side.

  REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |

    uri                   = ref.attributes.get_attribute("URI").value
    hashed_element        = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
    canoner               = XML::Util::XmlCanonicalizer.new(false, true)
    canon_hashed_element  = canoner.canonicalize(hashed_element)
    hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
    digest_value          = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text

    valid_flag            = hash == digest_value

    return valid_flag if !valid_flag
  end

The root element should carry the namespace definition.
For example the following authnrequest created by the toolkit:

<samlp:AuthnRequest ID='_c73ac510-1a71-0132-27c0-0090f5dedd77'
                    Version='2.0'
                    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'                    
                    AssertionConsumerServiceURL='http://rubysaml.com:3000/saml/acs'
                    Destination='https://app.onelogin.com/trust/saml2/http-post/sso/396421'
                    IssueInstant='2014-09-09T17:08:01Z'>
    <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>         http://rubysaml.com:3000/saml/metadata</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate='true' 
                        Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'         
                        xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' />
</samlp:AuthnRequest>

should be

<samlp:AuthnRequest ID='_c73ac510-1a71-0132-27c0-0090f5dedd77'
                    Version='2.0'
                    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
                    xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'
                    AssertionConsumerServiceURL='http://rubysaml.com:3000/saml/acs'
                    Destination='https://app.onelogin.com/trust/saml2/http-post/sso/396421'
                    IssueInstant='2014-09-09T17:08:01Z'>
    <saml:Issuer>http://rubysaml.com:3000/saml/metadata</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate='true' 
                        Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' />
</samlp:AuthnRequest>

XEE attacks details:
https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

Use entity_expansion_limit

https://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8080

Note: I am using canonix for xml canonicalization.

When I have attributes enabled for a service provider validation fails in Ruby-SAML when validating the SAML response. I have tested using SimpleSAML as an SP to connect to my SimpleSAML IdP and validation is successful, as it is with every other service provider I have enabled. The only one that is failing is the Ruby app using Ruby SAML.

Admittedly I don't know too much about PHP so it is somewhat difficult to track down what is causing the issue. I'm just hoping that perhaps someone else has ran into this same issue and has some insight as to what is going on and may have a suggestion for either a fix or a potential work around.

Authentication between an ADFS v2 server and ruby-saml seems to cause problems when there is a slight difference in server time. If the ADFS server's time is a bit ahead, the NotBefore field of the signature appears in the future to ruby-saml and is thus invalid.
This should probably ideally be fixed in some ADFS settings, but they are not very obvious/hard to find. To prevent issues like these where a 1 second time difference can already cause problems, a solution may be to embed a NotBeforeSkew (optional or maybe even by default of a couple of minutes), which allows the NotBefore time to be a bit the future?

What do you think?

It appears that the xmlcanonicalizer gem that is depended upon by ruby-saml has a fairly serious bug that makes it impossible to verify some XML message digests. The team at relevance have fixed the problem in a fork and submitted a patch but it appears that the gem maintainer isn't interested in maintaining this gem anymore.

What does everyone think about creating a new xml canonicalising gem for ruby-saml to depend upon? Perhaps onelogin could host this?

The proposed patch is here: andrewferk/xmlcanonicalizer#1

I've tested it and it works well at least for my use case.

Relevance have also made a lot of improvements to the ruby-saml gem which would probably be worthwhile integrating into the master branch. On first ask, they appear to be open to the idea of pushing these up.

Spent a few hours fiddling before figuring this out. On rails 2 this is pretty catastrophic and causes very weird issues. Name the action 'init' or 'start' or really anything but the class constructor method name.

Sorry, this is re-post from closed issue #27

Thank you for your update from 0.4.7 to 0.5.1!

With the new version 0.5.1, when I use Onelogin::Saml::Metadata, I've got the following error

LoadError (cannot load such file -- onelogin/saml/validation_error):

I guess that it is caused by the require method in xml_security.rb.

% vi lib/xml_security.rb
require "onelogin/saml/validation_error"

It should be "onelogin/ruby-saml/validation_error" for the new source tree, right?

I need to write a SAML Identity Provider (IdP) in Ruby. Can I do that with this Gem?

Logout Request has different time format than Auth Request.

Would appreciate info which one is correct. Thanks :)

The new 1.5 enforcement causes bundle to choose 1.5 now, when it had been using 1.6 for quite some time. Can you put the >= 1.5 back and if a constant is required, use a different solution to find it?

When attempting to process a saml response that is not us-ascii, the internal regex expressions of the ruby-saml gem throw out "incompatible encoding regexp match (US-ASCII regexp with UTF-16BE string)".

I have been trying for days to get this to work with AD FS 2.0. No matter what I do the request sent to AD shows the following..

<samlp:AuthnRequest AssertionConsumerServiceURL='https://test.mindsmesh.com:3000/users/auth/saml/callback' Destination='https://dc2012mm.mindsmesh.com/adfs/ls/IdpInitiatedSignon.aspx' ID='_4b0607d0-a553-0130-0f40-2820663a1040' IssueInstant='2013-05-22T21:20:04Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://dc2012mm.mindsmesh.com/adfs/services/trust/saml:Issuer<samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/>/samlp:AuthnRequest

However AD always sees the NameIDPolicy as null. I think onelogin is forming the SAML request wrong.

should be

<samlp:NameIDPolicy xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' />

Thoughts?

Chad

I had this problem with two different providers. In def validate:

base64_cert = self.elements["//ds:X509Certificate"].text

returned an error because the ds:X509Certificate node was nil.

I changed it to

base64_cert = REXML::XPath.first(self, "//ds:X509Certificate", {"ds"=>DSIG}).text

and it was able to find the node and return the proper text.

Is there any way to generate a signed request?

I see there was one pull request to add support for signed requests which was rejected for other reasons.

Is the namespaces parameter {'ds' => DSIG} left intentionally out of:

REXML::XPath.first(ref, "//ds:DigestMethod")

at: https://github.com/onelogin/ruby-saml/blob/805428ce4b9bdf5dae6ebd58c0176bf70caa73ea/lib/xml_security.rb#L99

I'm experiencing SHA1 being chosen instead of SHA256 with the following in an assertion that is apparently from ADFS2.0:

<DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>

Hi,

I am trying to use ruby-saml with a custom OmniAuth Strategy. I am using version 0.7.2
In my heroku logs I see

NoMethodError (undefined method `text' for nil:NilClass):

Below is what my OmniAuth callback phase looks like. The failure seems to be around the response.validate! call. Any thoughts on why this is happening? Problem in my code or in ruby-saml? I know I can receive the SAML response if I comment out that

response.validate! 

call. But I am trying to understand the validate method. And specifically what steps I need to take to ensure the SAML assertion my application is receiving is properly signed and trustworthy.

      def callback_phase
        unless request.params['SAMLResponse']
          raise OmniAuth::Strategies::Company::ValidationError.new("SAML response missing")
        end

        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'])
        response.settings = Onelogin::Saml::Settings.new(options)
        @name_id = response.name_id
        @attributes = response.attributes

        if @name_id.nil? || @name_id.empty?
          raise OmniAuth::Strategies::Company::ValidationError.new("SAML response missing 'name_id'")
        end
        response.validate!
        super
      rescue OmniAuth::Strategies::Company::ValidationError
        fail!(:invalid_ticket, $!)
      rescue Onelogin::Saml::ValidationError
        fail!(:invalid_ticket, $!)
      end

      uid { @name_id }
      info do
        {
            :company_id  => @attributes[:"CORP ID"],
            :name  => @attributes[:"Given Name"],
            :email  => @attributes[:"Email Address"],
            :account_type  => @attributes[:"Account Type"],
        }
      end

If the core team at OneLogin is too busy, would you guys be ok with handing moderatorship to another contributor? The speed of PR acceptance is a bit slow and I know much of the community would benefit from including many of the open PRs.

The page at https://onelogin.zendesk.com/entries/165434-saml-toolkit-for-ruby-on-rails refers to a /samples folder in this repo which I can't see. Would love to have that to get started with my SAML 2.0 integration.

Richard.

Seems like this gem used to handle encrypted responses but got dropped along the way.

Any change it will come back or am I overlooking something? This version is validating the response way better than the old version, a combination of those too seems solid.

As far as I can tell it currently isn't possible to set ForceAuthn=true for an AuthnRequest, as I only see a mention of ForceAuthn in the saml20protocol_schema.xsd.

I guess this could be implemented in a manner similar to IsPassive in 8a825f3 ?