CAS renew not honored in v3.4.1

Andrew Morgan morgan at
Wed Dec 19 20:26:40 EST 2018

On Thu, 20 Dec 2018, Cantor, Scott wrote:

>> I upgraded from IDP v3.3.1 to v3.4.1 recently.  We have several CAS
>> clients that are using the renew parameter to force a re-auth.  We didn't
>> notice until doing some testing today, but the IDP seems to be ignoring
>> the renew parameter (it uses the SSO session and does not prompt for
>> re-auth).
> I see it processing the parameter so that doesn't seem possible unless 
> the IdP's login methods are misdescribed. What's the login flow 
> situation with it being used?
> Ultimately it's up to the login flows themselves to honor it, but the 
> IdP assumes if one is marked as supporting ForceAuthn that running it 
> will do the right thing.

Hmmm.  I'm using the MFA flow with the Password and Duo sub-flows.

I have idp.authn.favorSSO = false because we needed the MFA flow to run on 
every auth request.  I'm not sure if that is relevant here.

In general-authn.xml, authn/Password, authn/Duo, and authn/MFA have 

Any other info I can share that will help?  Is there is any logging to 
turn on?


More information about the users mailing list