IdP version 2 no previous session login handler and principal change
Scott Koranda
skoranda at gmail.com
Thu May 5 11:14:08 EDT 2016
Hi,
This query is about IdP version 2.4.x.
For a particular deployment the previous session login handler
is disabled.
The only active login handler is the UsernamePassword
login handler.
The IdP session timeout is left at its default (30 minutes)
and the authentication duration for the login handler is
also at its default (30 minutes).
I noticed this behavior:
- start with a clean browser
- SAML2 SSO flow authenticating with 'principal1'
results in an assertion with attributes resolved for
'principal1' as expected
- another immediate SAML2 SSO flow authenticating with
'principal2' results in an assertion with attributes
resolved for 'principal2' as expected
- another immediate SAML2 SSO flow authenticating with
'principal1' results in an assertion with attributes
resolved for 'principal2', which is not what I expected
I am logging at the DEBUG level and have confirmed that the
IdP correctly "sees" the principal coming back from JAAS
authentication in the order 'principal1', 'principal2',
'principal1'.
It appears that the IdP switches principals from principal1 to
principal2 as I would expect, but does not later switch back
to principal1.
I can easily get the behavior I expect by reducing the IdP
session length to, say, 5 seconds, but I am wondering if the
"stickiness" of principal2 is expected behavior?
My apologies if this is documented somewhere or has been
discussed in an email thread I cannot find. Please kindly
point me to it.
Thanks,
Scott K
P.S. The behavior was originally observed when using only the
CAS login handler. I tested UsernamePassword to take the CAS
login handler out of the picture.
When using the CAS login handler the CAS session is cleared
between each authentication by hitting the /cas/logout
endpoint.
By CAS login handler I mean the Unicon CAS login handler at
https://github.com/Unicon/shib-cas-authn2