The client is keeping the authenticated assertion inside the session by 
default, and it will initiate it if there isn't one. So long as that session is 
valid, the request will not go out. You'll either need to kill the idp 
session via a local logout endpoint, adjust it at the container level as you 
have...or try to set the useSession=false with the client and see what 
happens.

I would also suggest that you set your session storage timeout with the idp 
to a super small value.

-----Original Message-----
From: Ted Fisher [mailto:tffi...@bgsu.edu]
Sent: Thursday, August 7, 2014 1:20 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS integration with Shibboleth IDP

I did trace this with SAML tracer which is how I could see when the IDP was 
redirecting back to CAS or not.

By adjusting the Tomcat session timeout for the IDP this is working as it 
should.  I didn't realize that the CAS client in the IDP would retain the 
auth info for the next auth request.  Since we want the IDP to refer back to 
CAS for the SSO session I just set the IDP session short and now it is 
redirecting to CAS as expected.

Thanks.

Ted F. Fisher
Information Technology Services


-----Original Message-----
From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: Thursday, August 07, 2014 3:35 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS integration with Shibboleth IDP

> I only want the IDP to get a new ST at each auth, which is what is not 
> happening.

You should provide some evidence to that effect. A browser request trace 
would show the important interactions.

> I think the key here - pointed out by Tom - is that the CAS client is 
> maintaining a session similar to an SP.

The only CAS client in your scenario is the IdP. If you have disabled the 
SSO support in the IdP along the lines of the wiki page I cited, then you 
ought to get an ST for every relying party that interacts with the IdP.

M
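
The two adjustments discussed in this thread (a short container session timeout for the IdP, and useSession=false on the CAS client), sketched as a web.xml fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the IdP's CAS client is the Java CAS client wired in through servlet filters; the host names and the url-pattern are placeholders.

```xml
<!-- Added illustration; hosts and url-pattern are placeholders, not from the thread. -->
<web-app>
  <!-- Option 1: let the servlet container expire the IdP session quickly,
       so the cached assertion goes with it. The value is in minutes. -->
  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>

  <!-- Option 2: stop the CAS client from storing the validated assertion
       in the HTTP session, so a ticket is required on each request. -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://cas.example.edu/cas</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://idp.example.edu</param-value>
    </init-param>
    <init-param>
      <param-name>useSession</param-name>
      <param-value>false</param-value>
    </init-param>
    <!-- With no stored assertion, a redirect after validation would drop it,
         so the redirect is turned off together with useSession. -->
    <init-param>
      <param-name>redirectAfterValidation</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/Authn/Cas/*</url-pattern>
  </filter-mapping>
</web-app>
```

A browser request trace, as suggested above, confirms the result: each authentication request to the IdP should show a redirect to CAS and a fresh service ticket on the way back.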

--
You are currently subscribed to cas-user@lists.jasig.org as: 
tffi...@bgsu.edu To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
