authorivan <ivan@grnet.gr>2017-07-12 09:53:52 +0300
committerivan <ivan@grnet.gr>2017-07-14 14:36:04 +0300
commitee17e8f9b732f5b08f2b94a67ef92ccc33f19b01 (patch)
tree8814df1a273b362231300c5c36ac663004decd99
parenta490e4759d5ea5f6e0cdf8da3e853937fe0d9371 (diff)
Add force_authn sp configuration option
If the value is truthy, "true" is given as the ForceAuthn value. The value is taken from the 'force_authn' keyword argument passed to the 'create_authn_request()' method; otherwise it falls back to the SP configuration value.
-rw-r--r--src/saml2/client_base.py8
-rw-r--r--src/saml2/config.py3
-rw-r--r--tests/test_31_config.py11
-rw-r--r--tests/test_51_client.py11
4 files changed, 32 insertions, 1 deletions
diff --git a/src/saml2/client_base.py b/src/saml2/client_base.py
index f740cb07..a5957f1d 100644
--- a/src/saml2/client_base.py
+++ b/src/saml2/client_base.py
@@ -335,6 +335,14 @@ class Base(Entity):
except KeyError:
nsprefix = None
+ try:
+ force_authn = kwargs['force_authn']
+ except KeyError:
+ force_authn = self.config.getattr('force_authn', 'sp')
+ finally:
+ if force_authn:
+ args['force_authn'] = 'true'
+
if kwargs:
_args, extensions = self._filter_args(AuthnRequest(), extensions,
**kwargs)
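Review bot: Any non-empty string is truthy, so a caller passing `force_authn="false"` (or an SP config that stores the option as the string `"false"`) reaches `args['force_authn'] = 'true'` on L31-L32 and requests the opposite of what was asked; the client test in this commit passes the string `"true"`, so string values are evidently expected and should be normalised rather than truth-tested. The `try/except/finally` shape on L26-L32 is also fragile: `finally` runs even when `self.config.getattr` raises, at which point `force_authn` is unbound and the original error is masked by a NameError; a `dict.get` with the config lookup as the default plus a plain `if` does the same job without that hazard. Note that `'force_authn'` is left in `kwargs` and still flows into `_filter_args` on L35, so if that path merges the raw value into `args` it may overwrite the normalised `'true'` — that code is outside the hunk, as is the start of `create_authn_request`.
```python
force_authn = kwargs.get('force_authn', self.config.getattr('force_authn', 'sp'))
# Accept the xsd:boolean spellings a caller or config may hand us as strings.
if isinstance(force_authn, str):
    force_authn = force_authn.strip().lower() in ('true', '1')
if force_authn:
    args['force_authn'] = 'true'
# … unchanged: _filter_args(AuthnRequest(), extensions, **kwargs) …
```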
diff --git a/src/saml2/config.py b/src/saml2/config.py
index 50d61c57..df567117 100644
--- a/src/saml2/config.py
+++ b/src/saml2/config.py
@@ -75,7 +75,8 @@ SP_ARGS = [
"name_id_format",
"name_id_format_allow_create",
"logout_requests_signed",
- "requested_attribute_name_format"
+ "requested_attribute_name_format",
+ "force_authn",
]
AA_IDP_ARGS = [
diff --git a/tests/test_31_config.py b/tests/test_31_config.py
index 623c944f..eb8480c6 100644
--- a/tests/test_31_config.py
+++ b/tests/test_31_config.py
@@ -68,6 +68,7 @@ sp2 = {
},
"authn_requests_signed": True,
"logout_requests_signed": True,
+ "force_authn": True,
}
},
#"xmlsec_binary" : "/opt/local/bin/xmlsec1",
@@ -408,5 +409,15 @@ def test_crypto_backend():
sec = security_context(idpc)
assert isinstance(sec.crypto, CryptoBackendXMLSecurity)
+def test_unset_force_authn():
+ cnf = SPConfig().load(sp1)
+ assert bool(cnf.getattr('force_authn', 'sp')) == False
+
+
+def test_set_force_authn():
+ cnf = SPConfig().load(sp2)
+ assert bool(cnf.getattr('force_authn', 'sp')) == True
+
+
if __name__ == "__main__":
test_crypto_backend()
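Review bot: The comparisons `assert bool(cnf.getattr('force_authn', 'sp')) == False` on L67 and `== True` on L72 are the long way of writing `assert not cnf.getattr('force_authn', 'sp')` and `assert cnf.getattr('force_authn', 'sp')`. The unset case only holds because the `sp1` fixture omits the key, and `sp1` is defined outside this hunk; a one-line comment such as `# sp1 never sets force_authn, so the SP config must report it falsy` would keep that dependency visible if the fixture is later edited.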
diff --git a/tests/test_51_client.py b/tests/test_51_client.py
index 1806de41..937e0e20 100644
--- a/tests/test_51_client.py
+++ b/tests/test_51_client.py
@@ -280,6 +280,17 @@ class TestClient:
assert nid_policy.allow_create == "false"
assert nid_policy.format == saml.NAMEID_FORMAT_TRANSIENT
+ def test_create_auth_request_unset_force_authn(self):
+ req_id, req = self.client.create_authn_request(
+ "http://www.example.com/sso", sign=False, message_id="id1")
+ assert bool(req.force_authn) == False
+
+ def test_create_auth_request_set_force_authn(self):
+ req_id, req = self.client.create_authn_request(
+ "http://www.example.com/sso", sign=False, message_id="id1",
+ force_authn="true")
+ assert bool(req.force_authn) == True
+
def test_create_auth_request_nameid_policy_allow_create(self):
conf = config.SPConfig()
conf.load_file("sp_conf_nameidpolicy")
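Review bot: `assert bool(req.force_authn) == True` on L93 cannot fail for any non-empty string, so it would still pass if the attribute held the raw kwarg, the string `"false"`, or a Python `True`; asserting the serialised value, `assert req.force_authn == "true"`, pins what the IdP actually receives in the AuthnRequest. The precedence the commit message describes — an explicit `force_authn=False` kwarg overriding an SP config that enables it — has no test, and `test_create_auth_request_unset_force_authn` on L84-L87 relies on `self.client`'s configuration, built outside this hunk, not setting the option; both deserve a case. `assert bool(req.force_authn) == False` on L87 can likewise read `assert not req.force_authn`.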