Just a clarifying note... We have been talking back and forth about
caching of credentials and prompting of the user, so I thought I would
walk through the authentication process, discussing what an IdP might do.
The user has an established session at the IdP (started via an
authentication event at the IdP) and browses to an SP. The SP submits
an AuthnRequest to the IdP to initiate SSO on behalf of the user. At
this point the IdP may:
a) use the established session information to enable
SSO with the SP.
b) authenticate the user using the appropriate means required
for the authentication context requested by the SP.
c) return failure for any of a number of reasons.
The IdP chooses which of these it will perform based upon a number of
factors including the parameters of the request from the SP, the general
policies at the IdP and, potentially, the user preferences about SSO at
the IdP. For example, the IdP would likely perform (b) if the
ForceAuthn flag is set on the request or if the Authn that initiated the
session is old enough that IdP policies require a reauthentication.
Note that (a) is not permitted, IMHO, if ForceAuthn is set since (a)
does NOT involve an invocation of the authentication process, but rather
the IdP re-reading some of its session information and that, IMHO, is
not a re-authentication. However, (b) may involve authentication
interactions with the user's client that are invisible to the user.
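The decision described above, as an added example that is not part of the original message or any particular IdP's code: a small Python routine that reads the relevant parts of a SAML 2.0 AuthnRequest (ForceAuthn, IsPassive, RequestedAuthnContext) and, given the IdP's existing session for the user, returns (a) SSO from the session, (b) re-authentication, or (c) a failure with a SAML status code. The policy values (supported context classes, maximum session age), the Session and Decision shapes, the assumption that the IdP has no user-invisible authentication method, and all helper names are assumptions for illustration; the AuthnRequest inputs are constructed, not captured.

```python
# Added example, not from the original message: one way an IdP could choose
# among (a) SSO from the existing session, (b) re-authentication and (c)
# failure when an AuthnRequest arrives. The policy values, the Session and
# Decision shapes and all helper names are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
OTP = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Assumed IdP policy: the context classes this IdP can perform, and how old
# a session may be before SSO reuse is refused.
SUPPORTED_CONTEXTS = {PPT, OTP}
MAX_SESSION_AGE = timedelta(hours=8)


@dataclass
class Session:
    authn_instant: datetime   # when the user last actually authenticated
    authn_context: str        # context class used for that authentication


@dataclass
class Decision:
    action: str                    # "sso" (a), "reauthenticate" (b), "fail" (c)
    status: Optional[str] = None   # SAML second-level status code for (c)
    context: Optional[str] = None  # context class the IdP will use or assert


def _xs_bool(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in ("true", "1")


def decide(authn_request_xml: str, session: Optional[Session],
           now: datetime) -> Decision:
    req = ET.fromstring(authn_request_xml)
    if req.tag != SAMLP + "AuthnRequest":
        return Decision("fail", STATUS + "RequestDenied")
    force = _xs_bool(req.get("ForceAuthn"))
    passive = _xs_bool(req.get("IsPassive"))

    # RequestedAuthnContext lists classes in the SP's order of preference;
    # this example only honours Comparison="exact" (the default).
    rac = req.find(SAMLP + "RequestedAuthnContext")
    if rac is None:
        acceptable = [PPT]
    elif rac.get("Comparison", "exact") != "exact":
        return Decision("fail", STATUS + "NoAuthnContext")
    else:
        acceptable = [e.text.strip() for e in rac.iter(SAML + "AuthnContextClassRef")
                      if e.text and e.text.strip() in SUPPORTED_CONTEXTS]
    if not acceptable:
        return Decision("fail", STATUS + "NoAuthnContext")

    # (b) is required when ForceAuthn is set, because re-reading session
    # state is not an authentication. It is also required when there is no
    # session, the session is older than policy allows, or its context does
    # not satisfy the request (step-up).
    need_fresh = (force or session is None
                  or now - session.authn_instant > MAX_SESSION_AGE
                  or session.authn_context not in acceptable)
    if need_fresh:
        # With IsPassive the IdP may not interact with the user; this
        # example assumes it has no user-invisible authentication method.
        if passive:
            return Decision("fail", STATUS + "NoPassive")
        return Decision("reauthenticate", context=acceptable[0])

    # (a) reuse the established session and assert its original context.
    return Decision("sso", context=session.authn_context)


def make_request(force=False, passive=False, contexts=()) -> str:
    """Build a constructed (not captured) AuthnRequest for the scenarios below."""
    attrs = ' ForceAuthn="true"' if force else ""
    attrs += ' IsPassive="true"' if passive else ""
    rac = ""
    if contexts:
        refs = "".join(f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
                       for c in contexts)
        rac = f'<samlp:RequestedAuthnContext Comparison="exact">{refs}</samlp:RequestedAuthnContext>'
    return (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-01-01T12:00:00Z"{attrs}>'
            f'<saml:Issuer>https://sp.example.org</saml:Issuer>{rac}</samlp:AuthnRequest>')


NOW = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)


def scenarios() -> dict:
    fresh = Session(NOW - timedelta(minutes=5), PPT)
    stale = Session(NOW - timedelta(hours=9), PPT)
    return {
        "plain": decide(make_request(), fresh, NOW),
        "force": decide(make_request(force=True), fresh, NOW),
        "force+passive": decide(make_request(force=True, passive=True), fresh, NOW),
        "stale": decide(make_request(), stale, NOW),
        "step-up": decide(make_request(contexts=[OTP]), fresh, NOW),
        "unknown-ctx": decide(make_request(contexts=["urn:example:ac:unknown"]), fresh, NOW),
        "no-session": decide(make_request(), None, NOW),
    }


if __name__ == "__main__":
    for name, d in scenarios().items():
        print(f"{name:14} -> {d.action} {d.status or ''} {d.context or ''}")
```

Note the two checks a real IdP would add on top of this: the ForceAuthn branch must lead to an actual credential exchange and the assertion's AuthnInstant must then reflect that new exchange rather than the old session's, and the session-age comparison should run against the time the user last authenticated, not the time the session cookie was last touched.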