CAS renew not honored in v3.4.1
Andrew Morgan
morgan at orst.edu
Wed Dec 19 20:26:40 EST 2018
On Thu, 20 Dec 2018, Cantor, Scott wrote:
>> I upgraded from IDP v3.3.1 to v3.4.1 recently. We have several CAS
>> clients that are using the renew parameter to force a re-auth. We didn't
>> notice until doing some testing today, but the IDP seems to be ignoring
>> the renew parameter (it uses the SSO session and does not prompt for
>> re-auth).
>
> I see it processing the parameter so that doesn't seem possible unless
> the IdP's login methods are misdescribed. What's the login flow
> situation with it being used?
>
> Ultimately it's up to the login flows themselves to honor it, but the
> IdP assumes if one is marked as supporting ForceAuthn that running it
> will do the right thing.
Hmmm. I'm using the MFA flow with the Password and Duo sub-flows.

I have idp.authn.favorSSO = false because we needed the MFA flow to run on
every auth request. I'm not sure if that is relevant here.

In general-authn.xml, authn/Password, authn/Duo, and authn/MFA have
p:forcedAuthenticationSupported="true".

Any other info I can share that will help? Is there any logging to
turn on?

Thanks,
Andy