# SAML ForceAuthn

For users with SAML integrations, the Clerk dashboard now supports configuring the `ForceAuthn` on a per-connection basis.

This is especially important on shared or multi-user devices where a previous user may still have an active SSO session at the Identity Provider (IdP). When `ForceAuthn` is enabled, Clerk includes the `ForceAuthn=true` parameter on the SAML AuthnRequest so the IdP will ignore any existing SSO session and require the user to re‑authenticate (password, MFA, etc.). This prevents the next person on the same machine from silently inheriting access due to someone else’s logged-in IdP session.

### Expectations

Existing SAML connections are unchanged—`ForceAuthn` remains off by default to preserve current sign‑in behavior. If you enable it, users will be prompted to re‑authenticate at the IdP on every SSO sign‑in for that connection.

### How to enable

In the Clerk Dashboard, navigate to the [SSO Connections](https://dashboard.clerk.com/~/user-authentication/sso-connections) page

1. Select your SAML connection
2. Select the `Advanced` tab
3. Enable _Force authentication_
4. Save