> I only want the IDP to get a new ST at each auth, which is what is not > happening.
You should provide some evidence to that effect. A browser request trace would show the important interactions. > I think the key here - pointed out by Tom - is that the CAS client is > maintaining a session similar to an SP. The only CAS client in your scenario is the IdP. If you have disabled the SSO support in the IdP along the lines of the wiki page I cited, then you ought to get an ST for every relying party that interacts with the IdP. M -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user