...

In any event, use of this feature when using the Shibboleth SP has two components:

  • Including the ForceAuthn flag in requests.

  • Enforcing its use while processing assertions.

The first is obvious, but the second is required because most SPs don't sign their requests and even if they did, the Shibboleth SP does not implement request/response correlation such that the signature would matter.

...

The second half of the process is something the SP supports at a global "application" level by adding a maxTimeSinceAuthn property to the <Sessions> element in the configuration, which is measured in seconds. This is enforced automatically, but is again global. For more dynamic content-driven scenarios, it's left to applications to enforce this in code (to which end the authentication timestamp is provided to applications via the "Shib-Authentication-Instant" variable).
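The application-side half of this process, as an added example that is not part of the original page or of the Shibboleth SP: a small Python guard that reads the SP-provided "Shib-Authentication-Instant" value, decides whether the IdP's last authentication is recent enough for a sensitive action, and if not sends the user back through the SP's Login handler with forceAuthn set, so the new AuthnRequest carries the ForceAuthn flag. The global alternative, maxTimeSinceAuthn on the <Sessions> element, needs no code but applies to the whole application. Assumptions: the Login handler path (/Shibboleth.sso/Login) and its forceAuthn/target query parameters are the SP's defaults; the variable is passed in as a plain dict; the 60-second skew tolerance and the 300-second default maximum age are illustrative choices, not values from the page.

```python
"""Enforce authentication freshness in application code behind a Shibboleth SP.

The SP exposes the time of the IdP's most recent authentication as the
Shib-Authentication-Instant variable (an ISO 8601 UTC timestamp such as
2024-05-01T12:00:00Z). This module is an illustrative example, not SP code.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Assumption: default Shibboleth SP Login handler path and its standard
# forceAuthn / target query parameters.
LOGIN_HANDLER = "/Shibboleth.sso/Login"
VARIABLE_NAME = "Shib-Authentication-Instant"


def parse_authn_instant(value):
    """Parse a Shib-Authentication-Instant value into an aware UTC datetime.

    Returns None when the value is missing, unparseable, or has no timezone,
    so that callers treat all of those as "not fresh" rather than crashing.
    """
    if not value:
        return None
    text = value.strip()
    if text.endswith("Z"):  # older datetime.fromisoformat() rejects a trailing Z
        text = text[:-1] + "+00:00"
    try:
        instant = datetime.fromisoformat(text)
    except ValueError:
        return None
    if instant.tzinfo is None:
        return None  # SAML timestamps are UTC; refuse naive values
    return instant.astimezone(timezone.utc)


def authn_is_fresh(variables, max_age_seconds, now=None, skew_seconds=60):
    """True if the authentication instant is present, plausible and recent.

    `variables` is a mapping of SP-exported variables (server variables,
    not client-supplied HTTP headers). A missing or garbled instant fails
    closed; an instant further in the future than `skew_seconds` is also
    rejected, since it cannot be a sensible clock difference.
    """
    instant = parse_authn_instant(variables.get(VARIABLE_NAME))
    if instant is None:
        return False
    now = now or datetime.now(timezone.utc)
    if instant > now + timedelta(seconds=skew_seconds):
        return False
    return (now - instant) <= timedelta(seconds=max_age_seconds)


def step_up_redirect(target_url):
    """Build the Login-handler URL that forces a fresh IdP authentication.

    forceAuthn=true makes the SP set ForceAuthn in the AuthnRequest; target
    is where the SP sends the user once the new session exists.
    """
    return LOGIN_HANDLER + "?" + urlencode({"forceAuthn": "true", "target": target_url})


def guard_sensitive_action(variables, target_url, max_age_seconds=300, now=None):
    """Return ("allow", None) or ("redirect", url) for a sensitive request."""
    if authn_is_fresh(variables, max_age_seconds, now):
        return ("allow", None)
    return ("redirect", step_up_redirect(target_url))


if __name__ == "__main__":
    # Constructed sample: a session whose authentication is ten minutes old.
    sample = {VARIABLE_NAME: "2024-05-01T12:00:00Z"}
    fixed_now = parse_authn_instant("2024-05-01T12:10:00Z")
    print(guard_sensitive_action(sample, "/account/delete", 300, fixed_now))
```

Two points matter in practice. First, read the instant from the variables the SP's web-server module sets (server variables or, if you must use headers, only with the SP configured to strip client-supplied copies), because a client can forge an HTTP header named Shib-Authentication-Instant if nothing in the path removes it. Second, the redirect only re-issues the request with ForceAuthn; the freshness check on the way back in is what actually enforces it, which is exactly the page's point about the second component.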

...