Conditionally force login with SAML connections

Problem Statement

We have a SAML connection for which we would like to force the user to enter credentials at the upstream IdP, but only when required, not every time. How do we accomplish this?

Symptoms

We would like to know whether it is possible to conditionally set ForceAuthn=true in the SAML request.

Cause

This may be needed for regulatory reasons or other business-specific use cases.

Solution

Currently, it is not possible to conditionally set ForceAuthn=true in the SAML AuthnRequest. If you set it in the template, it applies to the whole connection. You can implement it this way, but be aware that users will be prompted to log in each time they go to the upstream IdP. Users can still silently renew tokens using the existing Auth0 session.
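
After setting ForceAuthn in the template, you can confirm that the outgoing AuthnRequest actually carries it. The following is an added example, not Auth0's code: it decodes the SAMLRequest parameter of a redirect URL and reports whether ForceAuthn is on. It assumes the HTTP-Redirect binding (raw DEFLATE, then base64); the function names, the sample request and the idp.example.com URL are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, quote

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample request; ID, timestamp, issuer and URL are placeholders.
SAMPLE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{extra}>'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:example:sp</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_request(xml, idp_sso_url):
    """Build a redirect URL from request XML (helper for the samples only)."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return idp_sso_url + "?SAMLRequest=" + quote(base64.b64encode(deflated), safe="")


def decode_redirect_request(url):
    """Return the AuthnRequest XML carried in an HTTP-Redirect binding URL."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(params["SAMLRequest"][0])
    # The binding uses raw DEFLATE with no zlib header, hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8")


def force_authn_enabled(authn_request_xml):
    """True only if the root is an AuthnRequest with ForceAuthn true or 1."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("root element is not samlp:AuthnRequest")
    # ForceAuthn is an xs:boolean; when absent it defaults to false.
    return root.get("ForceAuthn", "false").strip() in ("true", "1")


if __name__ == "__main__":
    for extra in ("", ' ForceAuthn="true"'):
        url = encode_redirect_request(SAMPLE.format(extra=extra),
                                      "https://idp.example.com/sso")
        print(repr(extra), "->", force_authn_enabled(decode_redirect_request(url)))
```

To check a real connection, pass the redirect URL captured from the browser's network log to decode_redirect_request.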