Interestingly, I think there's a flaw in the webflow. Let's use two services, where only the second requires MFA.

Without MFA selector:
- Call first service, redirect to CAS
- Authentication with only login/password OK, redirect to service one
- Service one validates service ticket: OK
- Call second service, redirect to CAS
- CAS shows MFA screen (U2F in my case), authentication OK, redirect to service two
- Service two validates service ticket: OK

Everything runs fine.

With MFA selector enabled:
- Call first service, redirect to CAS
- Authentication with only login/password OK, redirect to service one
- Service one validates service ticket: OK
- Call second service, redirect to CAS
- Login screen shows login form?? An exception has been raised (see below)
- Authentication can be redone with login/password, no MFA asked, redirected to service
- Service two validates service ticket... fails with:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The validation request for ['ST-5-R2L9TIWs19jdW5DwR-jlcndnNvE-castest'] cannot be satisfied. The request is either unrecognized or unfulfilled.</cas:authenticationFailure>
</cas:serviceResponse>

cas.log:

=============================================================
WHO: audit:unknown
WHAT: Transition definition cannot be found for event mfa-composite
ACTION: AUTHENTICATION_EVENT
APPLICATION: CAS
WHEN: Fri Oct 09 14:22:14 CEST 2020
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: y.y.y.y
=============================================================

2020-10-09 14:22:14,440 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <class org.apereo.cas.authentication.AuthenticationException: Transition definition cannot be fo
2020-10-09 14:22:14,440 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <Transition definition cannot be found for event mfa-composite>
org.apereo.cas.authentication.AuthenticationException: Transition definition cannot be found for event mfa-composite
    at org.apereo.cas.authentication.MultifactorAuthenticationUtils.lambda$validateEventIdForMatchingTransitionInContext$1(MultifactorAuthenticationUtils.java:74) ~[cas-server-core-authentication-mfa-api-
    at java.util.Optional.map(Optional.java:265) ~[?:?]
    at org.apereo.cas.authentication.MultifactorAuthenticationUtils.validateEventIdForMatchingTransitionInContext(MultifactorAuthenticationUtils.java:71) ~[cas-server-core-authentication-mfa-api-6.3.0-RC3
    at org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver.lambda$resolveInternal$0(DefaultMultifactorAuthenticationProviderWebflowEventResolver.java:48)
    at java.util.Optional.map(Optional.java:265) ~[?:?]

Regards.

On 06/10/2020 at 17:51, 'Philippe MARASSE' via CAS Community wrote:
> Folks,
>
> I'm testing the possibility to let the user choose the MFA token to use, in
> fact between U2F and Google Authenticator.
>
> I have a PHP test page used to retrieve and show me some attributes. At
> the time I use cas.authn.mfa.provider-selection-enabled=true, I cannot
> get validated by CAS:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The
>   validation request for ['ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest'] cannot be
>   satisfied. The request is either unrecognized or
>   unfulfilled.</cas:authenticationFailure>
> </cas:serviceResponse>
>
> In cas_audit, I have:
>
> 2020-10-06 17:28:50,359 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =============================================================
> WHO: xxx
> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
>
> 2020-10-06 17:28:50,424 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access Granted,service=http://php2/portail/...,principal=SimplePrincipal(id=xxx, attributes={...}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
>
> 2020-10-06 17:28:50,427 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =============================================================
> WHO: xxx
> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
> ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
>
> If I use cas.authn.mfa.provider-selection-enabled=false, I cannot choose
> the 2FA but it works...
>
> Any clue?
>
> Regards.
> --
> Philippe MARASSE
> Head of the Infrastructure unit
> Direction de l'Informatique, Support à la Communication et à l'Organisation (DISCO)
> Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Cœur
> 86021 Poitiers Cedex
> Tel: 05.49.44.57.19

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/559dc207-4360-6c4b-7cac-68b9cf30f1df%40ch-poitiers.fr.
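The thread shows the two outcomes a CAS client can get back from /p3/serviceValidate: a normal success, and an INVALID_AUTHENTICATION_CONTEXT failure when the ticket was issued without the MFA the service requires. As an added example (not code from the thread, from Philippe's PHP page, or from the CAS project), the Python below parses either response and, on success, checks on the service side that the MFA provider CAS reports in its authentication-context attribute is the one the service requires, so the service does not rely solely on the webflow having done the right thing. The attribute name authnContextClass is the CAS default for cas.authn.mfa.authentication-context-attribute and must be released to the service in its registered-service definition; both are assumptions to verify against your deployment. The sample responses are constructed here; the failure one mirrors the one in the thread.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# CAS protocol namespace used by serviceValidate / p3/serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Assumption: CAS default name for the MFA context attribute
# (cas.authn.mfa.authentication-context-attribute). Adjust if your CAS sets another.
DEFAULT_CONTEXT_ATTRIBUTE = "authnContextClass"

# Constructed sample responses (not captured from a live server).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The validation request for
  ['ST-5-R2L9TIWs19jdW5DwR-jlcndnNvE-castest'] cannot be satisfied.
  The request is either unrecognized or unfulfilled.</cas:authenticationFailure>
</cas:serviceResponse>"""

SUCCESS_MFA_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:authnContextClass>mfa-u2f</cas:authnContextClass>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# A password-only login: CAS validated the ticket but released no MFA context.
SUCCESS_NO_MFA_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>staff</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    error_code: Optional[str] = None
    error_message: Optional[str] = None


def parse_service_validate(xml_text: str) -> ValidationResult:
    """Parse a CAS 3.0 serviceValidate response, success or failure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        # Collapse the whitespace CAS wraps long messages with.
        return ValidationResult(
            ok=False,
            error_code=failure.get("code"),
            error_message=" ".join((failure.text or "").split()),
        )
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("response carries neither authenticationSuccess nor authenticationFailure")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs: Dict[str, List[str]] = {}
    attr_block = success.find("cas:attributes", CAS_NS)
    if attr_block is not None:
        for child in attr_block:
            name = child.tag.split("}", 1)[-1]  # strip the {namespace} prefix
            attrs.setdefault(name, []).append((child.text or "").strip())  # multi-valued safe
    return ValidationResult(ok=True, user=user, attributes=attrs)


def mfa_satisfied(result: ValidationResult, required_provider: str,
                  context_attribute: str = DEFAULT_CONTEXT_ATTRIBUTE) -> bool:
    """Service-side check: the ticket validated AND CAS reports the required MFA provider."""
    if not result.ok:
        return False
    return required_provider in result.attributes.get(context_attribute, [])


if __name__ == "__main__":
    for label, body in [("failure", FAILURE_RESPONSE), ("mfa", SUCCESS_MFA_RESPONSE),
                        ("no-mfa", SUCCESS_NO_MFA_RESPONSE)]:
        r = parse_service_validate(body)
        print(label, r.ok, r.error_code, "u2f ok:", mfa_satisfied(r, "mfa-u2f"))
```

A service that needs U2F would call mfa_satisfied(result, "mfa-u2f") after validation and deny access on False, which covers both the failure response above and the case where the ticket validates but CAS released no MFA context (for instance because the attribute is not released to that service).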
