I'll ask this question here to see if those familiar with CAS and Shibboleth 
integration can shed some light.  I asked this in the Shib forum which resulted 
in less clarity.

We have our Shibboleth IDP using CAS as the only login handler resulting in CAS 
being the manager of the SSO session and Shibboleth being simply a passthrough 
for SAML.  Since the Shibboleth IDP does not maintain an SSO session it should 
redirect to CAS for each auth request to get a new Service Ticket.

But, our IDP is not.  After an initial ST it does not redirect to CAS but 
continues to send SAML responses to auth requests.  This indicates that 
something somewhere is keeping a sense of a session - I would think in the IDP.

When I asked the question in the Shibboleth forum and I said that the IDP 
should go to CAS for a new ST for each auth request I got this response:

No, it shouldn't. Unless you turn off the CAS client's use of a local session, 
assuming that's possible. Or I guess set the timeout very low.

That session is most likely the container's business, in which case that's 
where you need to adjust the timeout.

So, first question is does the CAS client keep some sense of a session that 
would cause the IDP to handle an auth request without redirecting to CAS for a 
new ST?

The other or alternate question is how do we cause the IDP to redirect to the 
CAS server for a new ST for each auth?  If we want CAS to be the maintainer of 
the SSO session then there is no other way for the IDP to determine if the user 
has a valid session other than to get a new ST.  Am I right?  Is there a reason 
why it should not work this way?

Thanks.

Ted F. Fisher
Information Technology Services

