I did trace this with SAML tracer which is how I could see when the IDP was redirecting back to CAS or not.
By adjusting the Tomcat session timeout for the IDP this is working as it should. I didn't realize that the CAS client in the IDP would retain the auth info for the next auth request. Since we want the IDP to refer back to CAS for the SSO session I just set the IDP session short and now it is redirecting to CAS as expected.

Thanks.

Ted F. Fisher
Information Technology Services

-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Thursday, August 07, 2014 3:35 PM
To: [email protected]
Subject: Re: [cas-user] CAS integration with Shibboleth IDP

> I only want the IDP to get a new ST at each auth, which is what is not
> happening.

You should provide some evidence to that effect. A browser request trace would show the important interactions.

> I think the key here - pointed out by Tom - is that the CAS client is
> maintaining a session similar to an SP.

The only CAS client in your scenario is the IdP. If you have disabled the SSO support in the IdP along the lines of the wiki page I cited, then you ought to get an ST for every relying party that interacts with the IdP.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
