If the renew flag is set and the user logs into CAS a second time using
another method than the original, the old authentication metadata is
still sent to the app in response to the ST if the user names match.
This is an issue if you're accepting authN from multiple domains that
may have overlapping user names. What should happen is that the old
authentication metadata should only be returned if the user and
authenticationMethod both match. Otherwise a new TGT should be issued.
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
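
A minimal model of the check the message asks for, as an added example that is not CAS code and not part of the original post. All class and function names, the method labels and the sample users are constructed for illustration; it compares the user-name-only reuse described above with reuse that requires both user and authenticationMethod to match.

```python
from dataclasses import dataclass, field
from itertools import count

TGT_IDS = count(1)  # hypothetical ticket id source for this model

@dataclass(frozen=True)
class Authentication:
    username: str
    method: str            # stands in for authenticationMethod
    attributes: tuple = () # (name, value) pairs released to the app

@dataclass
class TicketGrantingTicket:
    authentication: Authentication
    id: str = field(default_factory=lambda: f"TGT-{next(TGT_IDS)}")

def renew_username_only(tgt, fresh):
    """Behaviour described in the report: only the user name is compared."""
    if tgt.authentication.username == fresh.username:
        return tgt  # old metadata is what the ST validation will return
    return TicketGrantingTicket(fresh)

def renew_user_and_method(tgt, fresh):
    """Requested behaviour: reuse only if user AND method both match."""
    old = tgt.authentication
    if (old.username, old.method) == (fresh.username, fresh.method):
        return tgt
    return TicketGrantingTicket(fresh)  # otherwise issue a new TGT

def validation_response(tgt):
    """What the app sees when it validates an ST issued from this TGT."""
    a = tgt.authentication
    return {"user": a.username,
            "authenticationMethod": a.method,
            "attributes": dict(a.attributes)}

# Constructed sample: two domains that both have a user called "jsmith".
FIRST_LOGIN = Authentication("jsmith", "domain-a", (("mail", "jsmith@a.example"),))
SECOND_LOGIN = Authentication("jsmith", "domain-b", (("mail", "jsmith@b.example"),))

if __name__ == "__main__":
    for renew in (renew_username_only, renew_user_and_method):
        tgt = TicketGrantingTicket(FIRST_LOGIN)
        print(renew.__name__, validation_response(renew(tgt, SECOND_LOGIN)))
```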