After a user is authenticated by the UW Identity Provider (IdP), they may be able to access other Shibboleth-protected applications without having to log on again for up to 12 hours. This SSO capability is one of the primary benefits of integrating a web application with Shibboleth. In some cases, however, an application may wish to force users to re-authenticate even if they present a valid session cookie. This is sometimes done for sensitive applications that want to reduce the risk that a valid user session at an unattended computer is used by another person to access data inappropriately.
Before configuring 2FA on a service provider, please ensure all users meet the current eligibility requirements as outlined in the 2FA FAQ.
Forced re-authentication is configured in the shibboleth2.xml file. Where you make the changes within this file depends on how you've configured session initiation for your application.
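The two common placements, shown as an added example (these fragments are not taken from this page or from UW's configuration). The entityID values, the `/Login` location and the session timings are placeholders; `forceAuthn` is the Shibboleth SP setting that requests re-authentication.

```xml
<!-- Added example: fragments of shibboleth2.xml, not a complete file.
     entityID, Location and the Sessions timings are placeholders. -->

<!-- Case 1: session initiation uses the <SSO> shorthand inside <Sessions>.
     Without forceAuthn, the IdP may answer from its existing SSO session. -->
<Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https">

  <!-- Before:
       <SSO entityID="https://idp.example.edu/idp/shibboleth">SAML2</SSO>
  -->

  <!-- After: every login request sent by this SP carries ForceAuthn="true",
       asking the IdP to prompt for credentials again. -->
  <SSO entityID="https://idp.example.edu/idp/shibboleth" forceAuthn="true">
    SAML2
  </SSO>

</Sessions>

<!-- Case 2: session initiation uses an explicit <SessionInitiator>
     (also a child of <Sessions>). The same attribute goes on that element. -->
<SessionInitiator type="SAML2" Location="/Login" isDefault="true" id="Login"
                  entityID="https://idp.example.edu/idp/shibboleth"
                  forceAuthn="true"/>
```

The setting only affects requests that start a new SP session, so a user who already holds a valid SP session cookie is not prompted again until that session ends or times out.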