forceAuthn behavior

Peter Schober peter.schober at
Wed Dec 19 05:45:19 EST 2018

* Manolo Garcia Alvarez <mgarciaal at> [2018-12-19 08:54]:
> Our problem is caused by this lack of synchrony: A CAS session may expire
> much earlier than the Shibboleth session. We have tried to avoid the
> problem using the forceAuthn in the SAML Request, but Shibboleth is not
> behaving as expected and it's returning a CAS session that's expired.

You didn't mention the exact integration method between your Shib
IDP and your CAS server. (I believe there are several ways to do this.)
Probably that's just been done in a way that does not support
forceAuthn (nor isPassive, I'm guessing)?

Also note that the Shib IDP supports the CAS protocol itself and so
you might get several benefits out of using that instead of having to
run two separate SSO systems.

