I have a requirement where our users need to reauthenticate with their SAML2 external identity provider every time they log into our Angular application. We are using the Classic Engine.
Expected workflow:
- user1 goes to our application
- presses the single sign-on button
- is navigated to the Okta site
- user1 enters email
- Okta routes to the identity provider via routing rules based on email
- user1 logs into the identity provider
- user1 is redirected to the application and logged in
- user1 logs out of application
- user2 repeats steps 1-8 on same device / browser
What we're experiencing is that when user2 is routed to the identity provider, user1's session is still active, so user2 is not given the chance to log in and is instead redirected back to our application and logged in as user1.
I have attempted several methods without success:
- create a policy at Security → Authentication → Sign On tab that sets maximum session lifetime and maximum session idle to their lowest value of 1 minute
- create a policy at Applications → Applications → MyApp → Sign On tab where ‘Prompt for re-authentication’ is checked and set to its lowest value of 1 minute
- append URI parameters to the individual identity provider URI strings at Security → Identity Providers → MyProvider → Actions → Configure Identity Provider: append ‘?prompt=login’ or ‘ForceAuthn=true’ or ‘?max_age=0’ to the “IdP Single Sign-On URL” and “Destination” fields
- within our Angular application, attempt to add the ‘prompt=login’ or ‘ForceAuthn=true’ or ‘maxAge=0’ parameters to our token.getWithRedirect call; tried signInWithRedirect with the added params, and attempted to add them to our OktaAuth object
- within our Angular application, whenever the user logs out of our application, a clearsession call is sent and tokenManager.clear is also called. I have also tried calling signout
any insight or suggestions would be greatly appreciated.