I am seeing an issue in CAS version 5.2.4 and above. I was not seeing the issue in version 5.0.5, which I upgraded from. If a user is in bypass on the Duo website, CAS returns an error about INVALID_AUTHENTICATION_CONTEXT, but it should just let the user through.

CAS Info:

CAS Version: 5.2.4
CAS Commit Id: 67d7e128955437619534b5af4819f2379b934353
CAS Build Date/Time: 2018-04-13T21:46:16Z
Spring Boot Version: 1.5.12.RELEASE
------------------------------------------------------------
Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_181
JVM Free Memory: 95 MB
JVM Maximum Memory: 990 MB
JVM Total Memory: 213 MB
JCE Installed: Yes
------------------------------------------------------------
OS Architecture: amd64
OS Name: Linux
OS Version: 4.4.0-130-generic
OS Date/Time: 2018-08-14T09:22:13.889
OS Temp Directory: /tmp/tomcat8-tomcat8-tmp
------------------------------------------------------------

Here are the logs of a login of a user that is in bypass on the Duo side:

2018-08-14 09:23:09,480 INFO [PolicyBasedAuthenticationManager] - <Authenticated principal [klintduotest] with attributes [{displayName=[klintduotest], GOBTPAC_EXTERNAL_USER=[klintduotest], memberOf=[CN=auth_duoOU =groups,DC=example,DC=com], msDS-UserPasswordExpiryTimeComputed=[132094270306397245], pwdLastSet=[131778046306397245], sAMAccountName=[klintduotest]}] via credentials [[klintduotest]].>

2018-08-14 09:23:09,481 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintduotest
WHAT: Supplied credentials: [klintduotest]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:09 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================
>

2018-08-14 09:23:09,786 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintduotest
WHAT: [event=mfa-duo,timestamp=Tue Aug 14 09:23:09 MDT 2018,source=RegisteredServicePrincipalAttributeMultifactorAuthenticationPolicyEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:09 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================
>

2018-08-14 09:23:10,198 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintduotest
WHAT: TGT-1-*********************************************************H4tIURR -L4-te-casdev1
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================
>

2018-08-14 09:23:10,255 INFO [DefaultCentralAuthenticationService] - <Granted ticket [ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1] for service [https://hadoopdev1.weber.edu/casdev1/] and principal [klintduotest]>

2018-08-14 09:23:10,256 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintduotest
WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1 for https://hadoopdev1.weber.edu/casdev1/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================
>

2018-08-14 09:23:10,382 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintduotest
WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.35
SERVER IP ADDRESS: 192.168.1.25
=============================================================
>

2018-08-14 09:23:10,393 WARN [DefaultAuthenticationContextValidator] - <No satisfied multifactor authentication providers are recorded in the current authentication context.>

CAS Response:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The validation request for ['ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1'] cannot be satisfied. The request is either unrecognized or unfulfilled.
    </cas:authenticationFailure>
</cas:serviceResponse>