Paris,

The service looks to be held on the server side. So not showing in the URL is 
probably not an issue.
In my test, I do get redirected to the service correctly and the service ticket 
is validated. I do get failed completion for what looks like a second check of 
the mfa process (that happens after ST validation).

Here are my last few log entries:

2020-12-18 12:23:00,331 TRACE [org.aper.cas.auth.MultifactorAuthenticationUtils] - <Locating bean definition for [mfa-yubikey]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 TRACE [org.aper.cas.auth.MultifactorAuthenticationUtils] - <Locating bean definition for [mfa-duo]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 DEBUG [h.mfa.trig.RegisteredServiceMultifactorAuthenticationTrigger] - <Selected multifactor authentication provider for this transaction is [DefaultChainingMultifactorAuthenticationProvider(multifactorAuthenticationProviders=[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@7e478a4f, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-yubikey, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@401740e0, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-duo, order=0)], failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7)]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-composite] against [[mfa-yubikey]]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Available MFA providers are [[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@f81b717, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-simple, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@7e478a4f, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-yubikey, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@401740e0, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-duo, order=0)]]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,333 DEBUG [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Requested authentication provider cannot be recognized.> [ajp-nio-127.0.0.1-8010-exec-8]

It will take looking at the code to see why '... provider cannot be 
recognized'. I suspect something is amiss, maybe the check expects a single 
value but a list is presented (the 'Selected multifactor authentication 
provider ...' log line).

Do you get redirected to your service after mfa?

Ray

P.S. Here are my loggers:


        <AsyncLogger name="org.apereo.cas.authentication" level="trace" />
        <AsyncLogger name="org.apereo.cas.authentication.PolicyBasedAuthenticationManager" level="trace" />
        <AsyncLogger name="org.apereo.cas.mfa" level="trace" />

On Fri, 2020-12-18 at 10:05 -0800, Paris Polydorou wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Looking at my debug logs and comparing the cases of the single MFA provider and 
of the MFA selection menu I found that the service information is lost after a 
successful password authentication. E.g. the POST command at the MFA token page 
only contains cas/login instead of cas/login?service=... and there are also 
log entries of service=null instead of the service provider's URL.

I am very new to CAS but I believe that when using the MFA selection menu, 
after a successful authentication, the communication of the results to the 
service provider is invalid. This is the case for versions 6.2.6 and the latest 
6.3 RC.

On Wednesday, December 16, 2020 at 1:19:27 PM UTC-8 Paris Polydorou wrote:
Thank you Ray. I wasn't aware of the change.

Unfortunately there is no improvement after I updated the property name: My 
password is accepted, I select one of the MFA providers from the selection 
menu, my MFA response is also successful but the communication of this success 
by CAS to the app website has a problem.

Best,
Paris

On Wed, Dec 16, 2020 at 12:14 PM Ray Bon <[email protected]> wrote:
Paris, Philippe,

I think all properties are now camel case, docs have not been updated.

provider-selection-enabled => providerSelectionEnabled

Ray

On Wed, 2020-12-16 at 11:17 -0800, Paris Polydorou wrote:

I have the same issues with CAS 6.2 and 6.3. Three individual MFA providers 
work fine when specified with cas.authn.mfa.globalProviderId.

When I try the selection menu by adding the line 
cas.authn.mfa.provider-selection-enabled=true, I successfully authenticate with 
any of the three MFA providers that I select from the menu but my website does 
not let me in. The logs (similar to Philippe's) indicate success and if I go to 
the CAS URL I see that I am successfully authenticated.

Could there be confusion on the part of CAS after the successful MFA 
authentication because of the three possible MFA providers and so it does not 
redirect back to the app website properly or pass the right information?

Question: Is this a known issue? Has anyone got the selection menu to work with 
CAS 6.x?

Thanks,
Paris

On Tuesday, October 6, 2020 at 8:52:04 AM UTC-7 Philippe MARASSE wrote:
Folks,

I'm testing the possibility of letting the user choose which MFA token to use, in
fact between u2f and google authenticator.

I have a PHP test page used to retrieve and show me some attributes. When
I use cas.authn.mfa.provider-selection-enabled=true, I cannot
get validated by CAS:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The
validation request for
[&#39;ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest&#39;] cannot be
satisfied. The request is either unrecognized or
unfulfilled.</cas:authenticationFailure>
</cas:serviceResponse>

In cas_audit, I have:

2020-10-06 17:28:50,359 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
Audit trail record BEGIN
=============================================================
WHO: xxx
WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for
http://php2/portail/cas61.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

2020-10-06 17:28:50,424 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access
Granted,service=http://php2/portail/...,principal=SimplePrincipal(id=xxx,
attributes={...}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

2020-10-06 17:28:50,427 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
Audit trail record BEGIN
=============================================================
WHO: xxx
WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for
http://php2/portail/cas61.php
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

If I use cas.authn.mfa.provider-selection-enabled=false, I cannot choose
the 2FA but it works...

Any clue?

Regards.

--
Philippe MARASSE

Head of the Infrastructure Unit
Direction de l'Informatique, Support à la Communication et à l'Organisation 
(DISCO)
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel: 05.49.44.57.19




--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to a topic in the Google 
Groups "CAS Community" group.
To unsubscribe from this topic, visit 
https://groups.google.com/a/apereo.org/d/topic/cas-user/68VUgirrfo0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
[email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1d0e999a5b908c1fdae0b22dbee3ad19cc9fe757.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/1d0e999a5b908c1fdae0b22dbee3ad19cc9fe757.camel%40uvic.ca?utm_medium=email&utm_source=footer>.
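A small triage script for the trace excerpt Ray posted at the top of the thread. It is an added example, not code from any message or from the CAS project: it pulls the three DefaultMultifactorAuthenticationContextValidator lines out of a log, extracts the requested context, the contexts the ticket satisfied and the provider ids CAS knows about, and reports which of those sets the requested value is missing from. The sample lines are constructed from the excerpt, with the e-mail link residue removed and the provider object dumps shortened to their id/order fields.

```python
import re

# Constructed sample: the three context-validator lines from the trace excerpt
# in the thread, with the e-mail "<mailto:...>" residue removed and the provider
# toString() dumps shortened to the fields that matter here (failureMode, id, order).
SAMPLE_LOG = """\
2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-composite] against [[mfa-yubikey]]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Available MFA providers are [[AbstractMultifactorAuthenticationProvider(failureMode=UNDEFINED, id=mfa-simple, order=0), AbstractMultifactorAuthenticationProvider(failureMode=UNDEFINED, id=mfa-yubikey, order=0), AbstractMultifactorAuthenticationProvider(failureMode=UNDEFINED, id=mfa-duo, order=0)]]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,333 DEBUG [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Requested authentication provider cannot be recognized.> [ajp-nio-127.0.0.1-8010-exec-8]
"""

# "requested authentication context [X] against [[a, b]]": X is the context the
# validation request asks for, a/b are the contexts the ticket actually satisfied.
MATCH_RE = re.compile(r"requested authentication context \[([^\]]+)\] against \[\[([^\]]*)\]\]")
AVAIL_RE = re.compile(r"Available MFA providers are \[\[(.*)\]\]>")
ID_RE = re.compile(r"\bid=([A-Za-z0-9_-]+)")


def triage_mfa_context(log_text):
    """Extract requested, satisfied and configured MFA contexts from CAS trace lines."""
    info = {"requested": None, "satisfied": [], "available": [], "unrecognized": False}
    for line in log_text.splitlines():
        m = MATCH_RE.search(line)
        if m:
            info["requested"] = m.group(1).strip()
            info["satisfied"] = [s.strip() for s in m.group(2).split(",") if s.strip()]
        elif (a := AVAIL_RE.search(line)):
            info["available"] = ID_RE.findall(a.group(1))
        elif "Requested authentication provider cannot be recognized" in line:
            info["unrecognized"] = True
    req = info["requested"]
    info["requested_is_configured"] = req in info["available"]
    info["requested_was_satisfied"] = req in info["satisfied"]
    return info


def explain(info):
    """One-line verdict that states exactly which set the requested context is missing from."""
    if info["requested"] is None:
        return "no context-validator lines found"
    if not info["requested_is_configured"]:
        return (f"requested context {info['requested']!r} is not one of the configured "
                f"provider ids {info['available']}; satisfied contexts were {info['satisfied']}")
    if not info["requested_was_satisfied"]:
        return f"requested context {info['requested']!r} is configured but was not satisfied"
    return "requested context satisfied"


if __name__ == "__main__":
    print(explain(triage_mfa_context(SAMPLE_LOG)))
```

Run against the excerpt it reports that 'mfa-composite' is neither a configured provider id nor among the satisfied contexts, which is the precise mismatch behind the "cannot be recognized" line and a quicker thing to check in a new trace than reading the full object dumps.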
