> Expiration date is just an example, consider account status as another > example.
You'd need a custom authentication handler for this, but the authentication handler API for CAS is very extensible. If you can conceive it, it can probably be done. Your former requirement of varying principal by service will be the killer. Principal resolution happens at the beginning of the SSO session when you log in, which is far to late in the process to engage the standard credential-to-principal transform machinery you're interested in when the service requests a ticket. The principal is already created and cached by that point. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
