shib-cas-authn2 and forceAuthn

Misagh Moayyed mmoayyed at
Tue Sep 16 11:41:25 EDT 2014

In reference to the issue of configuring support for both forced and
passive authentication in the CAS login handler, thought I'd point out
that the issue is now fixed here: 

-----Original Message-----
From: Misagh Moayyed [mailto:mmoayyed at] 
Sent: Tuesday, September 9, 2014 9:21 AM
To: 'Shib Users'
Subject: RE: shib-cas-authn2 and forceAuthn

Thanks for clarification. This indeed is something we should fix with the
handler to set support for both flags during the ctor call rather than
during login().

We'll take this up shortly and will also update the documentation to note
how these flags are auto-set by the handler.

-----Original Message-----
From: users-bounces at [mailto:users-bounces at]
On Behalf Of Cantor, Scott
Sent: Monday, September 8, 2014 8:42 PM
To: Shib Users
Subject: Re: shib-cas-authn2 and forceAuthn

On 9/8/14, 11:37 PM, "Scott Koranda" <skoranda at> wrote:
>I also looked in detail at the code for CasLoginHandler. I expected 
>that during the constructor call I would see
>They are not invoked there but instead are invoked during login().
>Will that work? I would have thought that the IdP needs to know at the 
>time it creates the login handler whether or not it supports forced 
>reauthentication and isPassive. What am I missing?

I can't speak to that handler, but I can confirm that those do have to be
set at construction time, the IdP walks the handler list looking for one
that reports it can support it.

For the handlers in the IdP, it's controlled with an XML attribute in the
LoginHandler element.

-- Scott

To unsubscribe from this list send an email to
users-unsubscribe at

More information about the users mailing list