Hi there,

CAS 6.4.x.  We have global MFA turned on for all requests, but we want our 
SSO traffic to skip MFA.   I run into a problem with CAS looking for 
mfa-simple during our SSO login flow.  I followed the CAS source on token 
authentication, but have not found a solution.

The following is some info.  Thanks in advance!

cas.properties:

cas.authn.mfa.triggers.global.global-provider-id=mfa-simple
cas.authn.mfa.simple.name=mfa-simple
cas.authn.mfa.simple.order=1

service json:

  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "bypassPrincipalAttributeName" : "questSkipMFA"
  }

We have a separate SSO authenticationHandler that sets the principal 
attribute, so that the MFA module knows to skip MFA.

This is my SSO webflow: once SSO passes, we issue a TGT and authN 
completes.

import lombok.val;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.webflow.engine.ActionState;

public class SsoLoginWebflowConfigurer extends AbstractCasWebflowConfigurer {

    @Override
    protected void doInitialize() {
        val flow = getLoginFlow();
        if (flow != null) {
            // Branch from the initial login form into the SSO check
            val state = getState(flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
            createTransitionForState(state, TRANSITION_ID_SSO_AUTHENTICATION_CHECK, STATE_ID_SSO_AUTHENTICATION_CHECK);

            val actionState = createActionState(flow, STATE_ID_SSO_AUTHENTICATION_CHECK,
                createEvaluateAction("oktaSamlNonInteractiveCredentialsAction"));

            // SSO failure: render the error view, then return to the login form
            createTransitionForState(actionState, CasWebflowConstants.TRANSITION_ID_ERROR, "lsmSAMLFailed");
            val lsmSamlFailed = createViewState(flow, "lsmSAMLFailed", "error/casLsmTokenErrorView");
            createStateDefaultTransition(lsmSamlFailed, "viewLoginForm");

            // SSO success: go straight to TGT creation
            createTransitionForState(actionState, CasWebflowConstants.TRANSITION_ID_SUCCESS,
                CasWebflowConstants.STATE_ID_CREATE_TICKET_GRANTING_TICKET);

            .........

Here is the error I get. It looks like CAS is looking for the mfa-simple state 
(probably because I have globally turned on MFA).   How can I append the 
mfa-simple flow into this flow definition?  And when I do so, I assume it 
will note the attribute and skip the actual MFA flow?

2021-12-17 00:42:17,828 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Attempting to globally activate [mfa-simple]>
2021-12-17 00:42:17,832 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Resolved single multifactor provider [AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@673afa7f, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@48b482d7, failureMode=CLOSED, id=mfa-simple, order=0)]>
2021-12-17 00:42:17,832 TRACE [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attempting to find a matching transition for event id [mfa-simple]>
2021-12-17 00:42:17,833 TRACE [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Reviewing current state [[ActionState@64f89202 id = 'oktaSamlSSONonInteractiveCredentials', flow = 'login', entryActionList = list[[empty]], exceptionHandlerSet = list[[empty]], actionList = list[[EvaluateAction@71a47cf2 expression = oktaSamlNonInteractiveCredentialsAction, resultExpression = [null]]], transitions = list[[Transition@36169b00 on = success, to = realSubmitSamlSSO], [Transition@fe2f399 on = error, to = lsmSAMLFailed]], exitActionList = list[[empty]]]], event [oktaSAML] and transition [[Transition@37398daa on = oktaSAML, to = oktaSamlSSONonInteractiveCredentials]]>
2021-12-17 00:42:17,834 ERROR [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <State [oktaSamlSSONonInteractiveCredentials:oktaSAML:oktaSAML] does not have a matching transition for mfa-simple>
2021-12-17 00:42:17,836 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <State [oktaSamlSSONonInteractiveCredentials:oktaSAML:oktaSAML] does not have a matching transition for mfa-simple>


== end ==

Yan
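The log above says the global trigger resolved the event id mfa-simple while the flow was sitting in the custom SSO action state, and that state only has success and error transitions. The following is an added example (not the poster's code and not part of CAS itself) of a complete configurer that builds the same SSO branch and additionally gives the SSO action state a transition for the MFA event. It assumes that CAS registers the mfa-simple subflow in the login flow under a state id equal to the provider id, so a transition whose criteria and target are both "mfa-simple" routes into it; it also assumes concrete values for the two ids the poster's snippet references without defining (taken from the state and event names visible in the log), and uses the AbstractCasWebflowConfigurer constructor as it exists in CAS 6.x.

```java
package example.sso; // assumed package name

import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.ActionState;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.ViewState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

public class SsoLoginWebflowConfigurer extends AbstractCasWebflowConfigurer {

    // Ids the original snippet references but never defines; values assumed
    // from the state/event names that appear in the poster's log.
    static final String TRANSITION_ID_SSO_AUTHENTICATION_CHECK = "oktaSAML";
    static final String STATE_ID_SSO_AUTHENTICATION_CHECK = "oktaSamlSSONonInteractiveCredentials";
    static final String STATE_ID_SSO_FAILED = "lsmSAMLFailed";

    // Provider id from cas.properties. Assumption: the MFA subflow state that CAS
    // adds to the login flow carries this same id, which is what the event
    // resolver is looking for a transition to.
    static final String MFA_PROVIDER_ID = "mfa-simple";

    public SsoLoginWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                     final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                     final ConfigurableApplicationContext applicationContext,
                                     final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }

    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        if (flow == null) {
            return;
        }

        // Branch out of the initial login form into the non-interactive SSO check.
        final ActionState initForm = getState(flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
        createTransitionForState(initForm, TRANSITION_ID_SSO_AUTHENTICATION_CHECK, STATE_ID_SSO_AUTHENTICATION_CHECK);

        final ActionState ssoCheck = createActionState(flow, STATE_ID_SSO_AUTHENTICATION_CHECK,
            createEvaluateAction("oktaSamlNonInteractiveCredentialsAction"));

        // SSO failure: render the error view, then fall back to the ordinary login form.
        createTransitionForState(ssoCheck, CasWebflowConstants.TRANSITION_ID_ERROR, STATE_ID_SSO_FAILED);
        final ViewState failed = createViewState(flow, STATE_ID_SSO_FAILED, "error/casLsmTokenErrorView");
        createStateDefaultTransition(failed, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM);

        // SSO success with no MFA event: issue the TGT.
        createTransitionForState(ssoCheck, CasWebflowConstants.TRANSITION_ID_SUCCESS,
            CasWebflowConstants.STATE_ID_CREATE_TICKET_GRANTING_TICKET);

        // The transition the log reports as missing. When the global trigger turns
        // the authentication result into the event "mfa-simple", this state must be
        // able to hand off to the MFA subflow. The bypass decision driven by
        // bypassPrincipalAttributeName is made inside that subflow, so the transition
        // is still required for principals that end up being bypassed. (assumption)
        createTransitionForState(ssoCheck, MFA_PROVIDER_ID, MFA_PROVIDER_ID);
    }
}
```

The configurer still has to be registered the way CAS 6.x picks up custom webflow configurers, through a CasWebflowExecutionPlanConfigurer bean that calls registerWebflowConfigurer on the plan. One check worth doing once this works: because bypassPrincipalAttributeName turns any principal carrying questSkipMFA into an MFA bypass, confirm that only the SSO authentication handler can populate that attribute and that no attribute repository users can influence releases it.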

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/df95fadd-0fbc-4944-8668-51f6443f4fd9n%40apereo.org.
