Skip to Content

Renew: Opting out of SSO

There is a feature of the CAS protocol that allows clients to opt out of single sign on. This feature is called renew. It allows a client to advise the CAS server login to always authenticate a user regardless of whether a single sign on session already exists.

This is a useful feature for when there are certain services that would like to use CAS as the authentication mechanism but allow access to sensitive material. They can force CAS to reauthenticate a user to ensure that they are signing in the correct user (and its not a pre-existing SSO session that wasn't terminated.

To tell CAS to renew the credentials, the client application should redirect the user with a URL similar to the following:

https://server/cas/login?service=serviceUrl&renew=true

When requesting validation of a ticket, a client can ask it to ensure that the ticket is from a new authentication request.