I had a (maybe simple) question about the CAS protocol.
From what I read in the protocol description, using the renew parameter in the /serviceValidate call forces the user to provide their credentials again.
2.5.1. parameters
The following HTTP request parameters MAY be specified to /serviceValidate. They are case sensitive and MUST all be handled by /serviceValidate.[…]
renew [OPTIONAL] – if this parameter is set, ticket validation will only succeed if the service ticket was issued from the presentation of the user’s primary credentials. It will fail if the ticket was issued from a single sign-on session.
Since each ticket is specific to a given service, does that mean that the renew parameter forces the user to provide his credentials each time he attempts to access the application, even if he has already logged in and used other applications?
Setting “renew=true” on a /serviceValidate URI indicates that a service ticket request will only be validated by CAS if the user obtained that ticket through presenting primary credentials (user id, password). So, if you are attempting to validate a service ticket when you have already established an SSO session in a prior attempt, setting “renew=true” will cause the validation to fail.
However, if you are attempting to force the user to enter his credentials every time using the /login URI call to the CAS server, then “renew=true” would be the parameter to use. In other words, if application X is specified as a service URL to the /login URL and renew is set to true, users will be forced to provide credentials regardless of whether or not a previous SSO session exists.
Hope that helps. 🙂
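The two behaviours described in the answer (renew on /serviceValidate rejecting tickets issued from an SSO session, and renew on /login forcing a credential prompt even when an SSO session exists) can be seen in a small in-memory model of a CAS server. This is an added example, not code from the original thread or from any CAS implementation; the class and function names, the "TGC-" cookie prefix, the dummy service URLs and the user/password are constructed for illustration. Only the "ST-" ticket prefix and the renew semantics come from the protocol description quoted above.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ServiceTicket:
    """A service ticket as the model tracks it (constructed for the example)."""
    service: str
    user: str
    from_primary_credentials: bool  # True only if issued right after a login form


class CasServer:
    """Toy CAS server: models /login and /serviceValidate, nothing else."""

    def __init__(self, users):
        self._users = users          # username -> password (constructed data)
        self._sso_sessions = {}      # ticket-granting cookie value -> username
        self._service_tickets = {}   # "ST-..." -> ServiceTicket

    def _issue(self, service, user, from_primary):
        ticket = "ST-" + secrets.token_urlsafe(16)   # "ST-" prefix is from the spec
        self._service_tickets[ticket] = ServiceTicket(service, user, from_primary)
        return ticket

    def login(self, service, tgc=None, credentials=None, renew=False):
        """Model of /login?service=...[&renew=true].

        Returns (service_ticket, tgc, prompted): prompted is True when the user
        had to present primary credentials (the login form would be shown).
        """
        if tgc in self._sso_sessions and not renew:
            # Existing SSO session and no renew: ticket issued without a prompt.
            user = self._sso_sessions[tgc]
            return self._issue(service, user, from_primary=False), tgc, False
        # No usable SSO session, or renew=true: primary credentials are required.
        if credentials is None:
            return None, tgc, True
        username, password = credentials
        stored = self._users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None, tgc, True
        # Modelling choice: a fresh SSO session is started on every primary login.
        new_tgc = "TGC-" + secrets.token_urlsafe(16)
        self._sso_sessions[new_tgc] = username
        return self._issue(service, username, from_primary=True), new_tgc, True

    def service_validate(self, service, ticket, renew=False):
        """Model of /serviceValidate?service=...&ticket=...[&renew=true].

        Returns the username on success, None on failure. Tickets are single-use.
        """
        st = self._service_tickets.pop(ticket, None)
        if st is None or st.service != service:
            return None
        if renew and not st.from_primary_credentials:
            return None   # ticket came from the SSO session, not the login form
        return st.user


def walk_through():
    """Run the scenario from the question and return what each step observed."""
    password = "correct horse battery staple"          # constructed
    cas = CasServer({"alice": password})
    out = {}

    # Application X: first visit, no SSO session yet, so the user is prompted.
    st, tgc, prompted = cas.login("https://x.example/", credentials=("alice", password))
    out["x_prompted"] = prompted
    out["x_user_renew"] = cas.service_validate("https://x.example/", st, renew=True)

    # Application Y: SSO session exists, no prompt; ticket came from the session,
    # so validation with renew=true fails while plain validation succeeds.
    st, _, prompted = cas.login("https://y.example/", tgc=tgc)
    out["y_prompted"] = prompted
    out["y_user_renew"] = cas.service_validate("https://y.example/", st, renew=True)
    st, _, _ = cas.login("https://y.example/", tgc=tgc)
    out["y_user_plain"] = cas.service_validate("https://y.example/", st)

    # Application Z: renew=true on /login forces the prompt despite the session,
    # and the resulting ticket then passes validation with renew=true.
    st, _, prompted = cas.login("https://z.example/", tgc=tgc, renew=True)
    out["z_form_shown"] = prompted and st is None
    st, _, prompted = cas.login("https://z.example/", tgc=tgc, renew=True,
                                credentials=("alice", password))
    out["z_prompted"] = prompted
    out["z_user_renew"] = cas.service_validate("https://z.example/", st, renew=True)

    # A ticket presented for a different service than it was issued for fails.
    st, _, _ = cas.login("https://x.example/", tgc=tgc)
    out["wrong_service"] = cas.service_validate("https://y.example/", st)
    return out


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step}: {result}")
```

The model deliberately keeps the two knobs separate: renew on /login decides whether the login form is shown, renew on /serviceValidate decides whether a ticket that came out of the SSO session is acceptable. An application that sets both gets the "credentials every time" behaviour the answer describes; an application that sets only the validation-side renew would reject every ticket obtained through single sign-on.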