SAML authentication not working when ForceAuthn=true

Article ID: 368686

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When an already authenticated user attempts to access an application that uses SAML authentication with ForceAuthn=true, the user receives a new session, but only a negative assertion is generated. A negative assertion is essentially an error response (a SAML Response carrying a failure status rather than an assertion) that gets posted to the Service Provider's Assertion Consumer Service URL.

Environment

All

Cause

The user re-authenticates against a different user store than the one the original session was authenticated against, so the re-authenticated principal is considered a different user. Identity swaps are not allowed when ForceAuthn=true, and therefore Federated Web Services (FWS) refuses to generate an assertion.

Resolution

Users must reauthenticate to the same user store as their original session when ForceAuthn=true.
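To make the cause and resolution above concrete, here is an added example (not code from the article or from the SiteMinder product) that parses the ForceAuthn flag from an AuthnRequest and applies the identity-swap rule to decide whether the IdP may issue an assertion. The user-store names, the sample AuthnRequest and the use of the SAML 2.0 Responder/AuthnFailed status pair for the negative response are assumptions; the article only says a negative assertion is posted.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Constructed sample AuthnRequest (not from the article) with ForceAuthn set.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'ForceAuthn="true" AssertionConsumerServiceURL="https://sp.example.com/acs"/>'
)


def force_authn_requested(authn_request_xml: str) -> bool:
    """True if the AuthnRequest carries ForceAuthn="true" or "1".

    ForceAuthn is an xs:boolean attribute of samlp:AuthnRequest; when it is
    absent the SP is content with an existing IdP session.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def decide_response(authn_request_xml, existing_session, reauth_identity):
    """Apply the identity-swap rule described in the article.

    existing_session and reauth_identity are (user_store, user_id) tuples;
    existing_session is None when the browser has no prior SSO session.
    Returns (top_level_status, second_level_status) for the SAML Response.
    Assumption: a refused assertion is reported as Responder/AuthnFailed.
    """
    if not force_authn_requested(authn_request_xml):
        # No forced re-authentication: the existing session is simply reused.
        return (STATUS_SUCCESS, None)
    if existing_session is None or existing_session == reauth_identity:
        # Fresh login, or re-authentication to the same store as the same user.
        return (STATUS_SUCCESS, None)
    # Same browser session, but the re-authentication resolved to a different
    # user store (or a different user): an identity swap, so no assertion.
    return (STATUS_RESPONDER, STATUS_AUTHN_FAILED)
```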