Currently testing an upgrade to CAS 7.0.2 and running into an issue where if the user authenticates with Spnego/Kerberos, Duo-MFA will not trigger properly (user is dropped back to the standard login page, which works fine). The same config works fine in CAS 6.6.x if I flip back, and I've tried switching to MFA to trigger globally, by attribute, etc., etc., and see the same behavior.

The error message that is thrown is:

2024-04-02 14:27:29,422 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <State [spnego:success:success] does not have a matching transition for mfa-duo>

I'm not terribly familiar with the frameworks CAS uses, so not sure the best way to poke at it to try and find the underlying issue. I turned on trace and the state of 7.0.x before the error is:

2024-04-01 15:15:21,175 TRACE [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Reviewing current state [[ActionState@1778ddbb id = 'spnego', flow = 'login', entryActionList = list[[empty]], exceptionHandlerSet = list[[empty]], actionList = list[[EvaluateAction@60d6801e expression = spnego, resultExpression = [null]]], transitions = list[[Transition@69dd918c on = success, to = createTicketGrantingTicket], [Transition@73437e5d on = error, to = viewLoginForm], [Transition@e79c832 on = warn, to = warn], [Transition@5f3d4943 on = authenticationFailure, to = viewLoginForm], [Transition@5a69e2d9 on = successWithWarnings, to = showAuthenticationWarningMessages]], exitActionList = list[[EvaluateAction@32b0ce5f expression = clearWebflowCredentialsAction, resultExpression = [null]]]]], event [success] and transition [[Transition@72c8a863 on = success, to = spnego]]>


Whereas in 6.6.x, it looks like the state has the necessary transitions.

2024-04-01 15:07:02,344 TRACE [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Reviewing current state [[ActionState@4575c53f id = 'spnego', flow = 'login', entryActionList = list[[empty]], exceptionHandlerSet = list[[empty]], actionList = list[[EvaluateAction@66a1941c expression = spnego, resultExpression = [null]]], transitions = list[[Transition@5af3c5cf on = success, to = createTicketGrantingTicket], [Transition@44f05cc4 on = error, to = viewLoginForm], [Transition@65ee10f9 on = warn, to = warn], [Transition@ed96d46 on = authenticationFailure, to = viewLoginForm], [Transition@4ac01cef on = successWithWarnings, to = showAuthenticationWarningMessages], [Transition@c907f0f on = deny, to = mfaDenied], [Transition@196ccfbc on = unavailable, to = mfaUnavailable], [Transition@5c9a328a on = mfa-duo, to = mfa-duo]], exitActionList = list[[EvaluateAction@16f76a92 expression = clearWebflowCredentialsAction, resultExpression = [null]]]]], event [success] and transition [[Transition@19101744 on = success, to = spnego]]>

In any case, any help that can be given would be greatly appreciated, since this is blocking an upgrade for us until I figure it out.

Thanks in advance,
Matt
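
To compare the two trace lines above without reading them by eye, this added example (not part of the original post and not CAS code) parses the `transitions = list[...]` section of a `Reviewing current state` trace line and reports which events the older state handles that the newer one does not. The function names are hypothetical, and the sample lines are constructed in the trace format shown above, abridged and with made-up object hashes.

```python
import re

# One "[Transition@<hash> on = <event>, to = <target>]" entry from the trace output.
TRANSITION_RE = re.compile(r"\[Transition@[0-9a-f]+ on = ([\w-]+), to = ([\w-]+)\]")
STATE_ID_RE = re.compile(r"id = '([^']+)'")

def state_transitions(trace_line):
    """Return (state id, {event: target state}) for the state being reviewed."""
    # Only "transitions = list[...]" belongs to the state; the trailing
    # "and transition [[...]]" is the transition that was just taken into it.
    start = trace_line.find("transitions = list[")
    end = trace_line.find("exitActionList", start)
    state = STATE_ID_RE.search(trace_line)
    if start == -1 or end == -1 or state is None:
        raise ValueError("not a 'Reviewing current state' trace line")
    return state.group(1), dict(TRANSITION_RE.findall(trace_line[start:end]))

def missing_transitions(old_line, new_line):
    """Transitions present on the state in old_line but absent in new_line."""
    old_id, old = state_transitions(old_line)
    new_id, new = state_transitions(new_line)
    if old_id != new_id:
        raise ValueError(f"different states: {old_id!r} vs {new_id!r}")
    return {event: target for event, target in old.items() if event not in new}

def sample_line(pairs):
    """Build a constructed, abridged trace line (object hashes are made up)."""
    body = ", ".join(f"[Transition@{i:x} on = {ev}, to = {to}]"
                     for i, (ev, to) in enumerate(pairs, 0xA0))
    return ("<Reviewing current state [[ActionState@1 id = 'spnego', flow = 'login', "
            f"transitions = list[{body}], exitActionList = list[[empty]]]], "
            "event [success] and transition [[Transition@ff on = success, to = spnego]]>")

# Event/target pairs as they appear in the two trace lines of the post.
COMMON = [("success", "createTicketGrantingTicket"), ("error", "viewLoginForm"),
          ("warn", "warn"), ("authenticationFailure", "viewLoginForm"),
          ("successWithWarnings", "showAuthenticationWarningMessages")]
MFA_ONLY = [("deny", "mfaDenied"), ("unavailable", "mfaUnavailable"),
            ("mfa-duo", "mfa-duo")]

if __name__ == "__main__":
    gone = missing_transitions(sample_line(COMMON + MFA_ONLY), sample_line(COMMON))
    for event, target in gone.items():
        print(f"missing in newer trace: on = {event}, to = {target}")
```

Passing the full 6.6.x and 7.0.x TRACE lines in place of the constructed samples gives the same kind of diff for any state id.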
