UK Access Management Federation
for Education and Research
The UK federation is operated by Jisc and provides a single solution to accessing online resources and services for education and research. Here is some information on how it works and its benefits.
Eligible organisations are invited to join the current membership.
Latest news
ForceAuthn Issues
Posted on Monday, 19 April 2021
When doing a SAML authentication loop, a Service can set a ForceAuthn flag which demands that the Identity Provider "MUST authenticate the presenter directly rather than rely on a previous security context" which should be interpreted along the lines of "must reauthenticate the user" or "must prove user presence" and that assuming a current (cookie authenticated) session is not acceptable.
This is known to cause issues in some use-cases, for example where IdP operators are using the RemoteUser authentication flow in Shibboleth IdP rather than the default Password flow. While there are ways to work around this issue by updating the IdP configuration, this can render the IdP non-compliant.
The RemoteUser flow is often used to delegate the authentication step to another IdP (usually ADFS or Azure). Shibboleth Identity Provider v4 introduced support for SAML Proxying which supports this workflow natively, without needing the RemoteUser call-out, and as such, supports the ForceAuthn flag correctly.
If your IdP is using the RemoteUser flow in this way then, to ensure compliance with the relevant specifications, our strong recommendation is that you consider moving to the native SAML Proxying functionality when you've upgraded to v4.
See also:
Programme to strengthen XML encryption in the UK federation kicks off on 23 February
Posted on Tuesday, 16 February 2021
Please find below, the text of an email sent to the Jisc-shibboleth mailing list earlier today, which outlines the plans for how the UK federation will raise the strength of XML encryption across the UK federation.