Message Boards

Liferay 6.2 and Integrated CAS, forgot password misleading flow

Michele Zanarotti, modified 9 years ago.

Junior Member Posts: 94 Join Date: 12-2-20

Hi.
I recently integrated CAS with Liferay 6.2, because I have a website that needs to use Liferay users as a repository for all federated websites.

CAS is working flawlessly when authenticating users. The advantage with this implementation is that CAS only does authentication while Liferay manages everything related to user credentials (anyway, Liferay is entirely under HTTPS).

But I noticed a very undesired behaviour with the 'forgot password'. I placed a link on the CAS login page that redirects the users to the Liferay page for the lost password. So the flow is this.

1. The user enters Liferay and clicks on Login.
2. The user is redirected to CAS and clicks on the link 'Forgot Password'.
3. The user is redirected to a Liferay login portlet in the 'forgot password' view (maybe the link must have some special properties?)
4. The user fills in his email and the captcha.
5. The user receives the reset link by email, but in the meantime he's redirected again to the standard Liferay 'login' page!! (but this is incorrect anyway, CAS or not, because the user should access with a reset link)

At point 5 I should have only a message telling me that an email has been sent, and no more. There's no use for a login prompt there.

And... there's the following problem after the password reset:
The user is logged on after password update (through email link), completely bypassing CAS. Is there some way to avoid AutoLogin after password renewal?

Rafael Jorques, modified 9 years ago.

RE: Liferay 6.2 and Integrated CAS, forgot password misleading flow

New Member Posts: 2 Join Date: 15-3-5

Hi, I'm having the same issue Michele describes. Please, could anyone from the staff answer that post?
This is basically the only place I have found someone with the same problem. Other posts suggest using hooks in order to override the struts actions for update_password, but it would be good if we could avoid doing that, since it actually looks like an issue of Portal/CAS integration. Please respond as soon as possible, thanks.

I'm using Liferay 6.1.

Krzysztof Gołębiowski, modified 9 years ago.

RE: Liferay 6.2 and Integrated CAS, forgot password misleading flow

Liferay Master Posts: 549 Join Date: 11-6-25

Hello Rafael,
I'm afraid it is not configurable anywhere so you will need to hook that struts action.

Regards,
KG

Rafael Jorques, modified 9 years ago.

RE: Liferay 6.2 and Integrated CAS, forgot password misleading flow

New Member Posts: 2 Join Date: 15-3-5

Hi,
Could you explain it in more detail? I have followed tutorials but I'm not sure how to log in to CAS from the hooks. I'm also trying to update the source code of UpdatePasswordAction.java so the CAS login is performed on execution: I disabled the login on password update, but more ideal would be to automatically log in to CAS as well. Thanks in advance. Please answer as soon as possible (it would be ideal if you could provide the Action code for connecting).