After some more digging I found that the problem is that after activating 
MFA with Google SSO, if you try to log in there is an error because the 
template is expecting a OneTimeTokenCredential but it is receiving a 
ClientCredential.

How can I convert a ClientCredential to a OneTimeTokenCredential? 

Greetings.
On Wednesday, February 22, 2023 at 3:19:28 PM UTC+1 ial...@denodo.com wrote:

> Hi,
>
> What if it's not possible, any clue why the bypass rules are not applied? 
> Also, I have found that using Google, the id in the credentials object is 
> "NotYetAuthenticated-XXXXX" because in the ClientCredential class in the 
> getID method this.userprofile is null.
>
> But I am supposed to be authenticated, as I have logged in before trying 
> to activate MFA.
>
> Regards.
>
> On Tuesday, February 21, 2023 at 6:02:28 PM UTC+1 Ray Bon wrote:
>
>> Iago,
>>
>> If you are using Cas 5, upgrade, then check if the problem still happens.
>>
>> Ray
>>
>> On Mon, 2023-02-20 at 03:04 -0800, 'Iago Alonso Alonso' via CAS Community 
>> wrote:
>>
>> I am working on a project that uses Apereo CAS 5.x.x to handle user 
>> authentication and users can activate MFA. When logging in, the user can 
>> use their Active Directory credentials or log in via Google OAuth (which is 
>> supported as shown in the documentation 
>> <https://apereo.github.io/cas/6.6.x/mfa/GoogleAuthenticator-Authentication.html>).
>>
>> Unfortunately, we have found that when the user logs in via Google OAuth, 
>> the MFA flow is broken.
>>
>> If the user logs in with the AD credentials and tries to activate MFA, 
>> the operation works as expected. The user gets the page to activate MFA and 
>> after that the user is sent to the page to copy the codes, finish binding 
>> the authenticator application and is shown the success message at the end.
>>
>> But if the user logs in with their Google account, the user is able to go 
>> to the initial page of the MFA activation process and when the Activate 
>> button is clicked, the user is stuck in that view.
>>
>> Researching how Apereo CAS works in their documentation 
>> <https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol.html#web-flow-diagram>, 
>> I have discovered that the process gets stuck here as in the browser the 
>> URL looks like that:
>>
>> [image: enter image description here] 
>> <https://i.stack.imgur.com/ZaUVY.png>
>>
>> Also, in the application logs I have observed that when the AD 
>> credentials are used CAS says:
>>
>> *Bypass rules determined MFA should execute for user [XXXXX] for provider 
>> [mfa-gauth]*
>>
>> But if the Google credentials are used CAS says:
>>
>> *Bypass rules determined MFA should NOT execute for user [XXXXX] for 
>> provider [mfa-gauth]*
>>
>> And because of that, CAS issues a new session ticket:
>>
>> *Finalizing authentication transactions and issuing ticket-granting ticket*
>> *Finalizing authentication event...*
>> *Creating ticket-granting ticket, potentially based on 
>> [********************************************************]*
>> *Located ticket-granting ticket in the context.*
>> *Retrieving associated authentication*
>> *Resulting authentication is different from the context*
>> *Attempting to issue anew ticket-granting ticket...*
>>
>> I guess the crux of the matter is in this sentence:
>>
>> *Resulting authentication is different from the context*
>>
>> Because the application does the redirection as how it should be done 
>> with something like:
>>
>>
>> https://server/cas/login?renew=true&service=http%3A%2F%2Fwww.service.com/mfa&authn_method=mfa-gauth
>>
>> As it is explained here in the documentation 
>> <https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-V2-Specification.html#212-url-examples-of-login> 
>> with the third example.
>>
>> What is being done wrong? I am quite lost and have not been able to make 
>> any progress.
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/155d8eb6-b3b0-4a0f-ab17-523d5089dd2en%40apereo.org.