Ben, This policy would prevent a login _after_ the REST session was established, https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy-UniquePrincipal.html
There is also a custom groovy script option, https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy-Groovy.html Not sure if the script has access to the login flow session, and consequently, the service. Other authn policies, https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy.html Ray On Fri, 2023-11-10 at 05:08 -0800, Ben P wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Dear CAS-Community, In our setup we'd like to use the TGT Rest mechanism (https://apereo.github.io/cas/6.5.x/protocol/REST-Protocol-Request-TicketGrantingTicket.html) for a specific(!) user (backed by LDAP) but do not allow a web-login for this user. So bascially any tried weblogin should be ignored by CAS (resp LDAP) and the account should not be locked Any ideas to accomplish this? tnx & regards -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/31def1e208fa1862672e4d3e48c3e1f62fb4c23d.camel%40uvic.ca.