shib-cas-authn2 and forceAuthn

Scott Koranda skoranda at
Mon Sep 8 23:37:35 EDT 2014


I have deployed the current version of shib-cas-authn2 with the
Shibboleth IdP 2.4.0 and CAS 4.0.0 following the instructions at

Delegation to CAS appears to be working fine. The CAS login handler is
the only login handler defined in handler.xml (outside of the previous
session handler--I understand the implications of leaving that defined
and it will most likely be removed later) and the standard
authentication flow is working as expected.

The attraction of the shib-cas-authn2 approach over the REMOTE_USER
approach is support for SAML2 forced reauthentication and isPassive.

I do not, however, see any instructions at

on how to configure the login handler to support either forced
reauthentication or isPassive.

I decided to simply try it and used a Shibboleth SP and the Native SP
session creation parameter 'forceAuthn=1'. This resulted in a SAML
error sent by the IdP and the log message

"Force authentication requested but no login handlers available to support it".

How do I configure shib-cas-authn2 to respond appropriately to
AuthnRequests with forced reauthentication or isPassive?

I also looked in detail at the code for CasLoginHandler. I expected
that during the constructor call I would see




They are not invoked there but instead are invoked during login().
Will that work? I would have thought that the IdP needs to know at the
time it creates the login handler whether or not it supports forced
reauthentication and isPassive. What am I missing?


Scott K

More information about the users mailing list