From 258344eb855c4ae8d356b95f633c3c7a222ba1a4 Mon Sep 17 00:00:00 2001
From: Dustin Decker
Date: Tue, 26 Sep 2017 11:17:22 -0500
Subject: [PATCH] expose ForceAuthn

---
 samlsp/samlsp.go | 2 ++
 service_provider.go | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/samlsp/samlsp.go b/samlsp/samlsp.go
index cca6a23b..ce1f661a 100644
--- a/samlsp/samlsp.go
+++ b/samlsp/samlsp.go
@@ -27,6 +27,7 @@ type Options struct {
 IDPMetadataURL *url.URL
 HTTPClient *http.Client
 CookieMaxAge time.Duration
+ForceAuthn bool
 }
 
 // New creates a new Middleware
@@ -54,6 +55,7 @@ func New(opts Options) (*Middleware, error) {
 MetadataURL: metadataURL,
 AcsURL: acsURL,
 IDPMetadata: opts.IDPMetadata,
+ForceAuthn: &opts.ForceAuthn,
 },
 AllowIDPInitiated: opts.AllowIDPInitiated,
 CookieName: defaultCookieName,
diff --git a/service_provider.go b/service_provider.go
index c0704510..151ff338 100644
--- a/service_provider.go
+++ b/service_provider.go
@@ -76,6 +76,10 @@ type ServiceProvider struct {
 
 // Logger is used to log messages for example in the event of errors
 Logger logger.Interface
+
+// ForceAuthn allows you to force re-authentication of users even if the user
+// has a SSO session at the IdP.
+ForceAuthn *bool
 }
 
 // MaxIssueDelay is the longest allowed time between when a SAML assertion is
@@ -274,6 +278,7 @@ func (sp *ServiceProvider) MakeAuthenticationRequest(idpURL string) (*AuthnReque
 // urn:oasis:names:tc:SAML:2.0:nameid-format:transient
 Format: &nameIDFormat,
 },
+ForceAuthn: sp.ForceAuthn,
 }
 return &req, nil
 }
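Review bot: The new exported field `ForceAuthn bool` on Options has no doc comment, so a user of the middleware cannot tell from the struct which behaviour it changes; the three neighbouring fields in this hunk are undocumented too, but this one toggles an authentication property and is worth documenting. Suggest `// ForceAuthn, when true, sets ForceAuthn on every AuthnRequest the middleware issues, asking the IdP to re-authenticate the user even if an SSO session already exists.` above the field. The Options struct begins above this hunk.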
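Review bot: `ForceAuthn: &opts.ForceAuthn` always stores a non-nil pointer, so a ServiceProvider built through New can never be in the nil ("not specified") state that the `*bool` type of ServiceProvider.ForceAuthn otherwise allows. If the AuthnRequest marshaller distinguishes nil from false (omitting the attribute versus emitting it as false), every middleware-issued request will carry the attribute explicitly; the XML tags for that field are not in this diff, so this is inferred. If the unset case matters, assign the pointer only when the option is true, e.g. `var forceAuthn *bool` and `if opts.ForceAuthn { forceAuthn = &opts.ForceAuthn }` before the literal, with `ForceAuthn: forceAuthn,` inside it. Taking the address of a field of the by-value `opts` parameter is valid in Go (the value escapes to the heap), but a short comment saying so would spare the next reader a dangling-pointer double take. New continues outside the hunk.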
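Review bot: The doc comment on `ForceAuthn *bool` should say what nil means versus false, and make clear that the field only changes what the SP asks for: the request attribute tells the IdP to re-authenticate, but this commit adds no response-side check that the returned assertion's AuthnInstant is actually recent, so callers relying on ForceAuthn for step-up or sensitive operations still need to verify that themselves. Suggest extending the comment with `// ForceAuthn only affects the AuthnRequest; callers that require a fresh login should still validate the assertion's AuthnInstant.` and a sentence on the nil case once confirmed against the AuthnRequest XML tags, which are not in this diff. The ServiceProvider struct begins above this hunk.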