Ben,
This policy would prevent a login _after_ the REST session was established,
https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy-UniquePrincipal.html
There is also a custom groovy script option,
https://apereo.github.io/cas/6.6.x/authentication/Configuring-Au
Dear CAS-Community,
In our setup we'd like to use the TGT Rest mechanism
(https://apereo.github.io/cas/6.5.x/protocol/REST-Protocol-Request-TicketGrantingTicket.html)
for a specific(!) user (backed by LDAP) but
do not allow a web-login for this user.
So bascially any tried weblogin should be