I have the same issues with CAS 6.2 and 6.3. Three individual MFA providers work fine when specified with cas.authn.mfa.globalProviderId.
When I try the selection menu by adding the line cas.authn.mfa.provider-selection-enabled=true, I successfully authenticate with any of the three MFA providers that I select from the menu but my website does not let me in. The logs (similar to Philippe's) indicate success and if I go to the CAS URL I see that I am successfully authenticated.

Could there be confusion on the part of CAS after the successful MFA authentication because of the three possible MFA providers and so it does not redirect back to the app website properly or pass the right information?

Question: Is this a known issue? Has anyone got the selection menu to work with CAS 6.x?

Thanks,
Paris

On Tuesday, October 6, 2020 at 8:52:04 AM UTC-7 Philippe MARASSE wrote:

> Folks,
>
> I'm testing the possibility to let the user choose MFA token to use, in
> fact between u2f and google authenticator.
>
> I have a PHP test page used to retrieve and show me some attributes. At
> the time I use cas.authn.mfa.provider-selection-enabled=true, I cannot
> get validated by CAS :
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The
> validation request for
> ['ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest'] cannot be
> satisfied. The request is either unrecognized or
> unfulfilled.</cas:authenticationFailure>
> </cas:serviceResponse>
>
> In cas_audit, I have :
>
> 2020-10-06 17:28:50,359 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
> Audit trail record BEGIN
> =============================================================
> WHO: xxx
> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for
> http://php2/portail/cas61.php
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
>
> 2020-10-06 17:28:50,424 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
> Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [result=Service Access
> Granted,service=http://php2/portail/...,principal=SimplePrincipal(id=xxx,
> attributes={...}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
>
> 2020-10-06 17:28:50,427 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
> Audit trail record BEGIN
> =============================================================
> WHO: xxx
> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for
> http://php2/portail/cas61.php
> ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
>
> If I use cas.authn.mfa.provider-selection-enabled=false, I cannot choose
> the 2FA but it works...
>
> Any clue ?
>
> Regards.
>
> --
> Philippe MARASSE
>
> Head of Infrastructure Division
> Direction de l'Informatique, Support à la Communication et à
> l'Organisation (DISCO)
> Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Cœur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
