Hi,

In fact it's because the ticket validation request from the service has the context "mfa-composite" (multiple MFA), whereas the ticket has the context "mfa-webauthn".

From the logs: *Attempting to match requested authentication context [mfa-composite] against [[mfa-webauthn]]*

I've tried to submit a pull request with a patch for this: https://github.com/apereo/cas/pull/5152

This patch is working for me in version 6.2.8.

Regards,
Thierry

On Thursday, April 29, 2021 at 17:25:50 UTC+2, Linos Giannopoulos wrote:

> Hey!
>
> I am having the same issue as described above, but I never get redirected back to the service.
> To summarize what we're witnessing: Two MFA providers are enabled globally (also tried the per-application basis method, with the same results). Both providers work just fine when used on their own.
>
> If both of them are enabled, along with the selection provider menu, the SAML flow breaks. From what I could gather from the logs (and my gut feeling), the provider that the user did not select is not satisfied, hence we get the issue of `INVALID_AUTHENTICATION_CONTEXT` in the end.
>
> We are using CAS 6.3.3, and all the relevant configs that I can think of follow below:
>
> ```
> cas.authn.mfa.provider-selection-enabled=true
> cas.authn.mfa.globalProviderId=mfa-webauthn,mfa-gauth
> ```
>
> The exception we get is the following:
> ```
> 2021-04-29 18:09:30,624 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Attempting to globally activate [mfa-webauthn,mfa-gauth]>
> 2021-04-29 18:09:30,625 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Selected multifactor authentication provider for this transaction is [DefaultChainingMultifactorAuthenticationProvider(multifactorAuthenticationProviders=[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@324be3b6, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-webauthn, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@11084050, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-gauth, order=0)], failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8)]>
> 2021-04-29 18:09:30,626 TRACE [org.apereo.cas.util.CollectionUtils] - <Converting multi-valued element [[mfa-webauthn]]>
> 2021-04-29 18:09:30,626 TRACE [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-composite] against [[mfa-webauthn]]>
> 2021-04-29 18:09:30,627 TRACE [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Available MFA providers are [[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@324be3b6, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-webauthn, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@11084050, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-gauth, order=0)]]>
> 2021-04-29 18:09:30,628 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Requested authentication provider cannot be recognized.>
> 2021-04-29 18:09:30,643 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Examining language bundle [classpath:custom_messages_en_US] for the code [INVALID_AUTHENTICATION_CONTEXT]>
> 2021-04-29 18:09:30,645 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_en_US] - neither plain properties nor XML>
> 2021-04-29 18:09:30,646 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Examining language bundle [classpath:messages_en_US] for the code [INVALID_AUTHENTICATION_CONTEXT]>
> 2021-04-29 18:09:30,649 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_en_US] - neither plain properties nor XML>
> 2021-04-29 18:09:30,649 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Examining language bundle [file:/etc/cas/config/custom_messages_en_US] for the code [INVALID_AUTHENTICATION_CONTEXT]>
> 2021-04-29 18:09:30,650 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_en_US] - neither plain properties nor XML>
> 2021-04-29 18:09:30,650 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <The code [INVALID_AUTHENTICATION_CONTEXT] cannot be found in the language bundle for the locale [en_US]>
> 2021-04-29 18:09:30,749 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.jasig.cas.client.validation.TicketValidationException: The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.] due to a type mismatch with handler [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController#handleCallbackProfileRequest(HttpServletResponse, HttpServletRequest)]>
> 2021-04-29 18:09:30,749 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.jasig.cas.client.validation.TicketValidationException: The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.] due to a type mismatch with handler [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController#handleCallbackProfileRequest(HttpServletResponse, HttpServletRequest)]>
> 2021-04-29 18:09:30,751 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/idp/profile/SAML2/Callback] due to exception [The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.]>
> org.jasig.cas.client.validation.TicketValidationException: The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.
> at > org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:97) > > ~[cas-client-core-3.6.2.jar:3.6.2] > at > org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:199) > > ~[cas-client-core-3.6.2.jar:3.6.2] > at > org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.validateRequestAndBuildCasAssertion(SSOSamlIdPProfileCallbackHandlerController.java:57) > > ~[cas-server-support-saml-idp-web-6.3.3.jar:6.3.3] > at > org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleCallbackProfileRequest(SSOSamlIdPProfileCallbackHandlerController.java:103) > > ~[cas-server-support-saml-idp-web-6.3.3.jar:6.3.3] > at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) ~[?:?] > at > jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > ~[?:?] > at > jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > ~[?:?] > at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?] 
> at > org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) > > ~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) > > ~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE] > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) > > ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749) > > ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691) > > ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$11f952f8.handleCallbackProfileRequest(<generated>) > > ~[cas-server-support-saml-idp-web-6.3.3.jar:6.3.3] > at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) ~[?:?] > at > jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > ~[?:?] > at > jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > ~[?:?] > at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?] 
> at > org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:626) > ~[tomcat9-servlet-api.jar:?] 
> at > org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) > > ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) > ~[tomcat9-servlet-api.jar:?] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) > ~[tomcat9-websocket-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter.doFilter(AuthenticationCredentialsThreadLocalBinderClearingFilter.java:28) > > ~[cas-server-core-web-api-6.3.3.jar:6.3.3] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:401) > > ~[cas-server-core-web-api-6.3.3.jar:6.3.3] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > 
org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:200) > > ~[cas-server-core-web-api-6.3.3.jar:6.3.3] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:64) > > ~[cas-server-core-web-api-6.3.3.jar:6.3.3] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:204) > > ~[spring-security-web-5.4.2.jar:5.4.2] > at > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) > > ~[spring-security-web-5.4.2.jar:5.4.2] > at > org.springframework.security.web.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:90) > > ~[spring-security-web-5.4.2.jar:5.4.2] > at > org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:78) > > ~[spring-security-web-5.4.2.jar:5.4.2] > at > org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:67) > > ~[spring-security-web-5.4.2.jar:5.4.2] > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93) > > ~[spring-boot-actuator-2.3.7.RELEASE.jar:2.3.7.RELEASE] > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:99) > > ~[cas-server-core-logging-6.3.3.jar:6.3.3] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) > > ~[inspektr-common-1.8.10.GA.jar:1.8.10.GA] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) > > ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE] > at > org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) > > ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE] > at > org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) > > ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE] > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) > > ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) > > ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) > > ~[log4j-web-2.14.0.jar:2.14.0] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > 
org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) > > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) > ~[tomcat9-catalina-9.0.39.jar:9.0.39] > at > org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) > ~[tomcat9-coyote-9.0.39.jar:9.0.39] > at > org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) > > ~[tomcat9-coyote-9.0.39.jar:9.0.39] > at > org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) > > ~[tomcat9-coyote-9.0.39.jar:9.0.39] > at > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) > > ~[tomcat9-coyote-9.0.39.jar:9.0.39] > at > org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) > > ~[tomcat9-coyote-9.0.39.jar:9.0.39] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) > > ~[?:?] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) > > ~[?:?] > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > > ~[tomcat9-util-9.0.39.jar:9.0.39] > at java.lang.Thread.run(Thread.java:834) [?:?]
> ```
>
> Kind regards,
> Linos
>
> On Friday, December 18, 2020 at 11:07:26 PM UTC+2 Ray Bon wrote:
>
>> Paris,
>>
>> The service looks to be held on the server side. So not showing in the url is probably not an issue.
>> In my test, I do get redirected to the service correctly and the service ticket is validated. I do get failed completion for what looks like a second check of the mfa process (that happens after ST validation).
>>
>> Here are my last few log entries:
>>
>> 2020-12-18 12:23:00,331 TRACE [ org.aper.cas.auth.MultifactorAuthenticationUtils] - <Locating bean definition for [mfa-yubikey]> [ajp-nio-127.0.0.1-8010-exec-8]
>> 2020-12-18 12:23:00,332 TRACE [ org.aper.cas.auth.MultifactorAuthenticationUtils] - <Locating bean definition for [mfa-duo]> [ajp-nio-127.0.0.1-8010-exec-8]
>> 2020-12-18 12:23:00,332 DEBUG [h.mfa.trig.RegisteredServiceMultifactorAuthenticationTrigger] - <Selected multifactor authentication provider for this transaction is [DefaultChainingMultifactorAuthenticationProvider(multifactorAuthenticationProviders=[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@7e478a4f, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-yubikey, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@401740e0, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-duo, order=0)], failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7)]> [ajp-nio-127.0.0.1-8010-exec-8]
>> 2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-composite] against [[mfa-yubikey]]> [ajp-nio-127.0.0.1-8010-exec-8]
>> 2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Available MFA providers are [[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@f81b717, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-simple, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@7e478a4f, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-yubikey, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@401740e0, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-duo, order=0)]]> [ajp-nio-127.0.0.1-8010-exec-8]
>> 2020-12-18 12:23:00,333 DEBUG [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Requested authentication provider cannot be recognized.> [ajp-nio-127.0.0.1-8010-exec-8]
>>
>> It will take looking at the code to see why '... provider cannot be recognized'. I suspect something is amiss, maybe the check expects a single value but a list is presented (the 'Selected multifactor authentication provider ...' log line).
>>
>> Do you get redirected to your service after mfa?
>>
>> Ray
>>
>> P.S. here are my loggers:
>>
>> <AsyncLogger name="org.apereo.cas.authentication" level="trace" />
>> <AsyncLogger name="org.apereo.cas.authentication.PolicyBasedAuthenticationManager" level="trace" />
>> <AsyncLogger name="org.apereo.cas.mfa" level="trace" />
>>
>> On Fri, 2020-12-18 at 10:05 -0800, Paris Polydorou wrote:
>>
>> Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
>>
>> Looking at my debug logs and comparing the cases of the single MFA provider and of the MFA selection menu I found that the service information is lost after a successful password authentication. E.g. the POST command at the MFA token page only contains cas/login instead of cas/login?service=... and there are also log entries of service=null instead of the service provider's URL.
>>
>> I am very new to CAS but I believe that when using the MFA selection menu, after a successful authentication, the communication of the results to the service provider is invalid. This is the case for versions 6.2.6 and the latest 6.3 RC.
>>
>> On Wednesday, December 16, 2020 at 1:19:27 PM UTC-8 Paris Polydorou wrote:
>>
>> Thank you Ray. I wasn't aware of the change.
>>
>> Unfortunately there is no improvement after I updated the property name: My password is accepted, I select one of the MFA providers from the selection menu, my MFA response is also successful but the communication of this success by CAS to the app website has a problem.
>>
>> Best,
>> Paris
>>
>> On Wed, Dec 16, 2020 at 12:14 PM Ray Bon <[email protected]> wrote:
>>
>> Paris, Philippe,
>>
>> I think all properties are now camel case, docs have not been updated.
>>
>> provider-selection-enabled => providerSelectionEnabled
>>
>> Ray
>>
>> On Wed, 2020-12-16 at 11:17 -0800, Paris Polydorou wrote:
>>
>> I have the same issues with CAS 6.2 and 6.3. Three individual MFA providers work fine when specified with cas.authn.mfa.globalProviderId.
>>
>> When I try the selection menu by adding the line cas.authn.mfa.provider-selection-enabled=true, I successfully authenticate with any of the three MFA providers that I select from the menu but my website does not let me in.
>> The logs (similar to Philippe's) indicate success and if I go to the CAS URL I see that I am successfully authenticated.
>>
>> Could there be confusion on the part of CAS after the successful MFA authentication because of the three possible MFA providers and so it does not redirect back to the app website properly or pass the right information?
>>
>> Question: Is this a known issue? Has anyone got the selection menu to work with CAS 6.x?
>>
>> Thanks,
>> Paris
>>
>> On Tuesday, October 6, 2020 at 8:52:04 AM UTC-7 Philippe MARASSE wrote:
>>
>> Folks,
>>
>> I'm testing the possibility of letting the user choose the MFA token to use, in fact between u2f and google authenticator.
>>
>> I have a PHP test page used to retrieve and show me some attributes. At the time I use cas.authn.mfa.provider-selection-enabled=true, I cannot get validated by CAS:
>>
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>> <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The validation request for ['ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest'] cannot be satisfied. The request is either unrecognized or unfulfilled.</cas:authenticationFailure>
>> </cas:serviceResponse>
>>
>> In cas_audit, I have:
>>
>> 2020-10-06 17:28:50,359 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
>> =============================================================
>> WHO: xxx
>> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
>> ACTION: SERVICE_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Tue Oct 06 17:28:50 CEST 2020
>> CLIENT IP ADDRESS:
>> SERVER IP ADDRESS:
>> =============================================================
>>
>> 2020-10-06 17:28:50,424 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
>> =============================================================
>> WHO: audit:unknown
>> WHAT: [result=Service Access Granted,service=http://php2/portail/...,principal=SimplePrincipal(id=xxx, attributes={...}]
>> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
>> APPLICATION: CAS
>> WHEN: Tue Oct 06 17:28:50 CEST 2020
>> CLIENT IP ADDRESS:
>> SERVER IP ADDRESS:
>> =============================================================
>>
>> 2020-10-06 17:28:50,427 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
>> =============================================================
>> WHO: xxx
>> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
>> ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
>> APPLICATION: CAS
>> WHEN: Tue Oct 06 17:28:50 CEST 2020
>> CLIENT IP ADDRESS:
>> SERVER IP ADDRESS:
>> =============================================================
>>
>> If I use cas.authn.mfa.provider-selection-enabled=false, I cannot choose the 2FA but it works...
>>
>> Any clue?
>>
>> Regards.
>>
>> --
>> Philippe MARASSE
>>
>> Responsable pôle Infrastructures
>> Direction de l'Informatique, Support à la Communication et à l'Organisation (DISCO)
>> Centre Hospitalier Henri Laborit
>> CS 10587 - 370 avenue Jacques Cœur
>> 86021 Poitiers Cedex
>> Tel : 05.49.44.57.19
>>
>> --
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 <(250)%20721-8831> | CLE 019 | [email protected]
>>
>> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
>> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/68VUgirrfo0/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1d0e999a5b908c1fdae0b22dbee3ad19cc9fe757.camel%40uvic.ca.
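The mismatch Thierry points to (the validation request names the chaining context `mfa-composite`, while the ticket records the single provider `mfa-webauthn` the user actually chose) is easy to lose in a wall of TRACE output. What follows is an added example, not code from CAS, from the pull request, or from anyone in this thread: a small Python triage script that scans CAS server log lines for the `DefaultMultifactorAuthenticationContextValidator` messages quoted above, pulls out the requested context, the satisfied context(s) on the ticket and the member ids of the selected chaining provider, and names the failure mode. The regular expressions are written against the log message formats visible in this thread; the sample log lines are constructed from the 2021-04-29 excerpt with the evaluator object dumps condensed, and the class and function names (`ContextCheck`, `analyze`, `classify`, `report`) are my own.

```python
"""Triage helper for CAS MFA context-validation failures (added example, not CAS code)."""
import re
from dataclasses import dataclass, field
from typing import List

# Patterns written against the CAS log messages quoted in this thread.
SELECTED_RE = re.compile(
    r"Selected multifactor authentication provider for this transaction is \[(.*)\]>"
)
PROVIDER_ID_RE = re.compile(r"\bid=(mfa-[A-Za-z0-9_-]+)")
MATCH_RE = re.compile(
    r"Attempting to match requested authentication context \[([^\]]+)\] "
    r"against \[\[([^\]]*)\]\]"
)
UNRECOGNIZED = "Requested authentication provider cannot be recognized"


@dataclass
class ContextCheck:
    """One validator decision: what the service asked for vs. what the ticket carries."""
    requested: str                                     # context named in the validation request
    satisfied: List[str]                               # contexts recorded as satisfied on the ticket
    chained: List[str] = field(default_factory=list)   # member ids of the selected chaining provider
    rejected: bool = False                             # validator logged "cannot be recognized"


def analyze(lines: List[str]) -> List[ContextCheck]:
    """Walk CAS log lines in order and collect each context-validation decision."""
    checks: List[ContextCheck] = []
    chained: List[str] = []
    for line in lines:
        sel = SELECTED_RE.search(line)
        if sel:
            # The chaining provider dump lists its members as "id=mfa-...".
            chained = PROVIDER_ID_RE.findall(sel.group(1))
            continue
        m = MATCH_RE.search(line)
        if m:
            satisfied = [s.strip() for s in m.group(2).split(",") if s.strip()]
            checks.append(ContextCheck(m.group(1), satisfied, list(chained)))
            continue
        if UNRECOGNIZED in line and checks:
            checks[-1].rejected = True
    return checks


def classify(check: ContextCheck) -> str:
    """Name the outcome of one check.

    'ok'                  the requested context is among the satisfied ones
    'composite-vs-member' the request names the chain, the ticket names one member
                          (the situation described in this thread)
    'unsatisfied'         the ticket carries no context the request accepts
    """
    if check.requested in check.satisfied:
        return "ok"
    if check.chained and check.satisfied and all(s in check.chained for s in check.satisfied):
        return "composite-vs-member"
    return "unsatisfied"


def report(lines: List[str]) -> List[str]:
    """Human-readable summary, one line per validator decision."""
    return [
        f"requested={c.requested} satisfied={c.satisfied} chain={c.chained} "
        f"rejected={c.rejected} -> {classify(c)}"
        for c in analyze(lines)
    ]


# Constructed sample, condensed from the 2021-04-29 log excerpt in the thread
# (object hashes dropped, timestamps kept for realism).
SAMPLE_LOG = [
    "2021-04-29 18:09:30,624 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Attempting to globally activate [mfa-webauthn,mfa-gauth]>",
    "2021-04-29 18:09:30,625 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Selected multifactor authentication provider for this transaction is [DefaultChainingMultifactorAuthenticationProvider(multifactorAuthenticationProviders=[AbstractMultifactorAuthenticationProvider(failureMode=UNDEFINED, id=mfa-webauthn, order=0), AbstractMultifactorAuthenticationProvider(failureMode=UNDEFINED, id=mfa-gauth, order=0)])]>",
    "2021-04-29 18:09:30,626 TRACE [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-composite] against [[mfa-webauthn]]>",
    "2021-04-29 18:09:30,628 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Requested authentication provider cannot be recognized.>",
]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a live server log with `analyze(open(path).read().splitlines())`. A `composite-vs-member` result is the signature of the problem discussed in this thread (the ticket did satisfy one of the chained providers, but the validator compared against the chain's own id), whereas `unsatisfied` means the ticket genuinely lacks any context the service asked for and the `INVALID_AUTHENTICATION_CONTEXT` rejection is the correct outcome.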
