Hello,
We think we might have found an issue we can reproduce where enabling
MFA bypass (not just MFA but bypass) is preventing the SSO session from being
shared across services. This issue can be reproduced with both 6.4.0-RC5
and 6.4.0-RC6 (and maybe other versions as well).
Here is our scenario: we have 2 services configured with CAS.
Service A (RegexRegisteredService): Uses Username, Password and MFA
(GoogleAuth)
Service B (SamlRegisteredService): uses SAML2 with CAS as the IdP
The MFA can be optionally bypassed by examining an attribute of the
principal.
If we first sign into Service A successfully using Username, Password, and
MFA Token and then attempt to navigate to the URL for Service B this works
well (as expected).
However, if we attempt to specify bypass rules for bypassing MFA based on a
principal attribute (either using cas.properties or groovy script), when we
access Service B after successfully authenticating with Service A, CAS
forces a re-authentication of the user for Service B. This seems to work
fine as long as we do not enable MFA bypass (plain MFA works).
We have asked in the CAS Community and have not heard back from anyone
having the same issue. Does bypass require special configuration? We don't
want to report an issue if this is due to a misconfiguration/mistake at our
end. We'd be happy to help with researching a solution for this but are not
clear about where to start looking and what the flows are. Any help would
be appreciated.
Regards,
Purush
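For readers following this thread, here is what an attribute-based MFA bypass script of the kind described above typically looks like. It is an added example, not configuration from the poster or from the CAS project, and it assumes the Groovy bypass hook for the GoogleAuth provider and the property key `cas.authn.mfa.gauth.bypass.groovy.location` as documented for CAS 6.x; the attribute name `mfaExempt` and its value are placeholders.

```groovy
// Example CAS Groovy MFA bypass script (assumed hook; not from the original post).
// Register it with (key assumed from the CAS 6.x reference):
//   cas.authn.mfa.gauth.bypass.groovy.location=file:/etc/cas/config/GauthBypass.groovy
// Returning true tells CAS to skip the GoogleAuth step for this principal;
// returning false keeps MFA enforced. The attribute name is a placeholder.
def boolean run(final Object... args) {
    def authentication    = args[0]   // the primary authentication (username/password)
    def principal         = args[1]   // resolved principal with its attribute map
    def registeredService = args[2]   // the service being accessed (e.g. Service A)
    def provider          = args[3]   // the MFA provider under evaluation
    def logger            = args[4]
    def httpRequest       = args[5]

    // CAS exposes principal attributes as Map<String, List<Object>>.
    def attrs  = principal.attributes ?: [:]
    def values = attrs['mfaExempt'] ?: []

    // Fail closed: only an explicit, exact "true" bypasses MFA. Anything else,
    // including a missing attribute, keeps the second factor required.
    def bypass = values.any { it?.toString()?.equalsIgnoreCase('true') }

    // Record every bypass decision so the audit trail shows who skipped MFA and why.
    logger.info("MFA bypass for [{}] on service [{}] via provider [{}]: {}",
        principal.id, registeredService?.serviceId, provider?.id, bypass)
    return bypass
}
```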
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/6db18c3f-28e7-4099-9851-1c7ce491a9c7n%40apereo.org.