...
Shibboleth IDP uses CUWebLogin for primary authentication. The valid SSO session lasts for 10 hours. If you would like to prompt user for netID/password when they access your site even if user already have valid SSO session in CUWebLogin, you can add forceAuthn="true" should be added in <Host> element.