There are probably a bunch of other problems associated with this idea, but couldn't you just serve the CAS service from 2 distinct domains? E.g. cas.example.net and cas.special.example.net? Since the TGT is scoped to a particular domain, if you point A's CAS client to the special domain, it should act like its own unique CAS instance.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Andy Ng" <long...@gmail.com>
To: "cas-user" <cas-user@apereo.org>
Sent: Wednesday, April 25, 2018 5:20:01 AM
Subject: [cas-user] [SSO] Is it possible to make a service completely separated from other SSO services without require login every time (i.e. renew=true)

Hi all,

So I have done some research on this group and still haven't found others with my use case, so I am asking for your help.

Assume we have services A, B, C and D:

B, C, D are normal SSO services, each one of them authenticate success, all BCD will login success.

As for A, I want that even when BCD is authenticated, the user still needs to authenticate once more before getting to A.

At this point, theoretically all can be solved by *"renew=true"*. And the new *createSsoCookieOnRenewAuthn = false on 5.3.0* (https://github.com/apereo/cas/blob/v5.3.0-RC3/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/sso/SsoProperties.java)

However, the tricky part is that, next time when the user goes back to service A, I want the user to *not need to authenticate again*.

So it is basically like Service A is using another completely separated CAS server. Without actually using a separated CAS server (I don't want to make another server just for this).

One more requirement would be to single logout all ABCD, but I know how to do that so no advice is needed there.

Any advice would be appreciated,
Thanks!

-Andy

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f1002b09-eb19-477d-a733-13a6d45bad26%40apereo.org.
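
Added example, not part of the thread and not CAS project code: a small model of the RFC 6265 cookie matching rules, applied to the two hostnames suggested in the reply, to show when the ticket-granting cookie stays isolated per hostname and when it does not. The cookie name "TGC", the path "/cas/", the cookie value and the Domain=example.net case are assumptions constructed for illustration; public-suffix checks are left out.

```javascript
// RFC 6265 section 5.1.3 domain-match.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Store a cookie as a browser would: no Domain attribute means host-only.
function storeCookie(setByHost, { name, value, domain = null, path = "/" }) {
  // A Domain attribute that does not cover the setting host is rejected.
  if (domain !== null && !domainMatch(setByHost, domain)) return null;
  return {
    name, value, path,
    hostOnly: domain === null,
    domain: (domain ?? setByHost).toLowerCase().replace(/^\./, ""),
  };
}

// Would the browser attach this cookie to a request for host + path?
function isSent(cookie, host, path) {
  const hostOk = cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
  return hostOk && pathMatch(path, cookie.path);
}

// Log in on the "special" hostname, then see which hostname receives the cookie.
// Returns [sentToCasExampleNet, sentToCasSpecialExampleNet].
function tgcVisibility(domainAttr) {
  const hosts = ["cas.example.net", "cas.special.example.net"];
  const cookie = storeCookie("cas.special.example.net",
    { name: "TGC", value: "TGT-constructed", domain: domainAttr, path: "/cas/" });
  return hosts.map((h) => isSent(cookie, h, "/cas/login"));
}

console.log("host-only TGC:      ", tgcVisibility(null));
console.log("Domain=example.net: ", tgcVisibility("example.net"));
```

The separation between the two hostnames holds only while the cookie is host-only (or scoped no wider than its own hostname); a Domain attribute set to the shared parent makes both hostnames see the same cookie.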