Currently testing an upgrade to CAS 7.0.2 and running into an issue
where if the user authenticates with Spnego/Kerberos, Duo-MFA will not
trigger properly (user is dropped back to the standard login page, which
works fine). The same config works fine in CAS 6.6.x if I flip back and
I've tried switching to MFA to trigger globally, by attribute, etc.,
etc., and see the same behavior.
The error message that is thrown is:
2024-04-02 14:27:29,422 WARN
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <State [spnego:success:success] does not have a matching transition
for mfa-duo>
I'm not terribly familiar with the frameworks CAS uses, so not sure the
best way to poke at it to try and find the underlying issue. I turned on
trace and the state of 7.0.x before the error is:
2024-04-01 15:15:21,175 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Reviewing current state [[ActionState@1778ddbb id = 'spnego', flow =
'login', entryActionList = list[[empty]], exceptionHandlerSet =
list[[empty]], actionList = list[[EvaluateAction@60d6801e expression =
spnego, resultExpression = [null]]], transitions =
list[[Transition@69dd918c on = success, to =
createTicketGrantingTicket], [Transition@73437e5d on = error, to =
viewLoginForm], [Transition@e79c832 on = warn, to = warn],
[Transition@5f3d4943 on = authenticationFailure, to = viewLoginForm],
[Transition@5a69e2d9 on = successWithWarnings, to =
showAuthenticationWarningMessages]], exitActionList =
list[[EvaluateAction@32b0ce5f expression =
clearWebflowCredentialsAction, resultExpression = [null]]]]], event
[success] and transition [[Transition@72c8a863 on = success, to = spnego]]>
Whereas in 6.6.x, it looks like the state has the necessary transitions.
2024-04-01 15:07:02,344 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Reviewing current state [[ActionState@4575c53f id = 'spnego', flow =
'login', entryActionList = list[[empty]], exceptionHandlerSet =
list[[empty]], actionList = list[[EvaluateAction@66a1941c expression =
spnego, resultExpression = [null]]], transitions =
list[[Transition@5af3c5cf on = success, to =
createTicketGrantingTicket], [Transition@44f05cc4 on = error, to =
viewLoginForm], [Transition@65ee10f9 on = warn, to = warn],
[Transition@ed96d46 on = authenticationFailure, to = viewLoginForm],
[Transition@4ac01cef on = successWithWarnings, to =
showAuthenticationWarningMessages], [Transition@c907f0f on = deny, to =
mfaDenied], [Transition@196ccfbc on = unavailable, to = mfaUnavailable],
[Transition@5c9a328a on = mfa-duo, to = mfa-duo]], exitActionList =
list[[EvaluateAction@16f76a92 expression =
clearWebflowCredentialsAction, resultExpression = [null]]]]], event
[success] and transition [[Transition@19101744 on = success, to = spnego]]>
In any case, any help that can be given would be greatly appreciated,
since this is blocking an upgrade for us until I figure it out.
Thanks in advance,
Matt
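
Added example, not part of the original post and not CAS code: a small Python script that parses the two TRACE dumps quoted above, lists the transitions the 6.6.x 'spnego' state has that the 7.0.x one lacks, and checks whether the event named in the WARN line is among them. The function and variable names are made up for this example; the input is the post's own log text, trimmed.

```python
import re

# Constructed input: the post's two TRACE dumps and its WARN line, trimmed
# with "..." where fields were dropped; the mail's hard line wraps are kept.
TRACE_70 = """[[ActionState@1778ddbb id = 'spnego', flow = 'login', ... transitions =
list[[Transition@69dd918c on = success, to =
createTicketGrantingTicket], [Transition@73437e5d on = error, to =
viewLoginForm], [Transition@e79c832 on = warn, to = warn],
[Transition@5f3d4943 on = authenticationFailure, to = viewLoginForm],
[Transition@5a69e2d9 on = successWithWarnings, to =
showAuthenticationWarningMessages]], exitActionList = ...]], event
[success] and transition [[Transition@72c8a863 on = success, to = spnego]]>"""
TRACE_66 = """[[ActionState@4575c53f id = 'spnego', flow = 'login', ... transitions =
list[[Transition@5af3c5cf on = success, to =
createTicketGrantingTicket], [Transition@44f05cc4 on = error, to =
viewLoginForm], [Transition@65ee10f9 on = warn, to = warn],
[Transition@ed96d46 on = authenticationFailure, to = viewLoginForm],
[Transition@4ac01cef on = successWithWarnings, to =
showAuthenticationWarningMessages], [Transition@c907f0f on = deny, to =
mfaDenied], [Transition@196ccfbc on = unavailable, to = mfaUnavailable],
[Transition@5c9a328a on = mfa-duo, to = mfa-duo]], exitActionList = ...]], event
[success] and transition [[Transition@19101744 on = success, to = spnego]]>"""
WARN = """<State [spnego:success:success] does not have a matching transition
for mfa-duo>"""

STATE_RE = re.compile(r"id = '([^']+)'.*?transitions = list\[(.*?)\], exitActionList")
EDGE_RE = re.compile(r"Transition@[0-9a-f]+ on = ([\w-]+), to = ([\w-]+)")
WARN_RE = re.compile(r"State \[([^\]]+)\] does not have a matching transition for ([\w-]+)")

def parse_state(trace):
    """Return (state id, {event: target state}) from one TRACE dump."""
    flat = " ".join(trace.split())  # undo hard wraps before matching
    m = STATE_RE.search(flat)
    if m is None:
        raise ValueError("no ActionState dump found")
    return m.group(1), dict(EDGE_RE.findall(m.group(2)))

def lost_transitions(old_trace, new_trace):
    """Transitions on the old build's state that the new build's state lacks."""
    (old_id, old), (new_id, new) = parse_state(old_trace), parse_state(new_trace)
    if old_id != new_id:
        raise ValueError("traces describe different states")
    return {ev: to for ev, to in old.items() if ev not in new}

def warn_explained(warn_line, trace):
    """True if the event named in the WARN is absent from the dumped state."""
    m = WARN_RE.search(" ".join(warn_line.split()))
    return m is not None and m.group(2) not in parse_state(trace)[1]
```

Only the state's own transition list is read; the trailing "and transition [[... to = spnego]]" in each dump is the transition being taken and is ignored.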