Triggering multiple MFA providers globally breaks SSO


Linos Giannopoulos

May 10, 2021, 9:43:50 AM5/10/21
to cas-...@apereo.org
Hey,

We've been trying to enable multiple MFA providers (gauth and webauthn)
globally and everything seems to be working properly, since 6.3.4 was
released.

The only hiccup we ran into is the following behaviour:

The user logs in with their LDAP credentials and the MFA provider of their choice. A TGT is created and their session works properly with CAS (if they browse directly to CAS itself).

When they are redirected to CAS from a service, they are asked to insert their LDAP credentials once again (the MFA part is not repeated after LDAP auth), then they are redirected back to the service.

The TGT is read/decoded properly (since the MFA is skipped afterwards), but there seems to be some kind of issue while resolving the principal attribute:

```
2021-05-10 16:24:16,360 DEBUG
[org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger]
- <Attempting to globally activate [mfa-webauthn,mfa-gauth]>
2021-05-10 16:24:16,361 DEBUG
[org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger]
- <Selected multifactor authentication provider for this transaction is
[DefaultChainingMultifactorAuthenticationProvider(multifactorAuthenticationProviders=[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@22bb529c,
failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@79ea7881,
failureMode=UNDEFINED, id=mfa-webauthn, order=0),
AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@5199d666,
failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@79ea7881,
failureMode=UNDEFINED, id=mfa-gauth, order=0)],
failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@79ea7881)]>
2021-05-10 16:24:16,361 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Attempting to find a matching transition for event id [mfa-composite]>
2021-05-10 16:24:16,362 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Reviewing current state [[ActionState@5873d41e id =
'initialAuthenticationRequestValidationCheck', flow = 'login',
entryActionList = list[[EvaluateAction@26cd53a4 expression =
verifyRequiredServiceAction, resultExpression = [null]]],
exceptionHandlerSet = list[[empty]], actionList =
list[[EvaluateAction@4d149168 expression =
initialAuthenticationRequestValidationAction, resultExpression =
[null]]], transitions = list[[Transition@12b0f500 on =
authenticationFailure, to = handleAuthenticationFailure],
[Transition@5425006c on = error, to = initializeLoginForm],
[Transition@18b9293f on = success, to = ticketGrantingTicketCheck],
[Transition@714f7491 on = successWithWarnings, to =
showAuthenticationWarningMessages], [Transition@64c2874d on = mfa-gauth,
to = mfa-gauth], [Transition@1898cdd9 on = mfa-webauthn, to =
mfa-webauthn]], exitActionList = list[[empty]]]], event [null] and
transition [null]>
2021-05-10 16:24:16,363 TRACE
[org.apereo.cas.audit.spi.principal.ThreadLocalAuditPrincipalResolver] -
<Resolving principal at audit point [execution(Event
org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver.resolveSingle(RequestContext))]
with thrown exception [java.lang.NullPointerException]>
2021-05-10 16:24:16,366 TRACE
[org.apereo.cas.audit.spi.FilterAndDelegateAuditTrailManager] -
<Recording audit action context
[org.apereo.inspektr.audit.AuditActionContext@4939ef24]>
2021-05-10 16:24:16,367 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
<Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: java.lang.NullPointerException
ACTION: AUTHENTICATION_EVENT
APPLICATION: CAS
WHEN: Mon May 10 16:24:16 EEST 2021
CLIENT IP ADDRESS: 2a03:e40:42:100::1074
SERVER IP ADDRESS: 2a03:e40:2a:400:0:0:0:124
=============================================================

>
2021-05-10 16:24:16,371 WARN
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <null>
2021-05-10 16:24:16,372 TRACE
[org.apereo.cas.audit.spi.principal.ThreadLocalAuditPrincipalResolver] -
<Resolving principal at audit point [execution(Event
org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver.resolveSingle(RequestContext))]>
2021-05-10 16:24:16,373 TRACE
[org.apereo.cas.audit.spi.FilterAndDelegateAuditTrailManager] -
<Recording audit action context
[org.apereo.inspektr.audit.AuditActionContext@33d0fea7]>
2021-05-10 16:24:16,375 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
<Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=error,timestamp=Mon May 10 16:24:16 EEST
2021,source=DefaultCasDelegatingWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon May 10 16:24:16 EEST 2021
CLIENT IP ADDRESS: 2a03:e40:42:100::1074
SERVER IP ADDRESS: 2a03:e40:2a:400:0:0:0:124
=============================================================

```


Our version is `6.3.4` and every configuration that seems relevant is
shown below:

```

# Authentication
cas.authn.ldap[0].ldap-url=[...]
cas.authn.ldap[0].baseDn=[...]
cas.authn.ldap[0].principalAttributeList=cn,uid
cas.authn.ldap[0].principalAttributeId=uid


# Disable IP and User-Agent pinning for the session cookie
cas.tgc.pin-to-session=false

cas.ticket.tgt.rememberMe.enabled=true
# 3 days
cas.ticket.tgt.rememberMe.timeToKillInSeconds=259200
cas.ticket.tgt.maxTimeToLiveInSeconds=259200
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=259200
# 12 hours
cas.ticket.tgt.timeToKillInSeconds=43200


cas.authn.mfa.provider-selection-enabled=true
cas.authn.mfa.globalProviderId=mfa-webauthn,mfa-gauth
cas.authn.mfa.web-authn.mongo.clientUri=${mongo.uri}
cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}

```

The following components are enabled:

```
    compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-mongo-ticket-registry:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-gauth-mongo:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-throttle-mongo:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-oidc:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
    compile "org.apereo.cas:cas-server-support-webauthn-mongo:${project.'cas.version'}"
```


Any pointers as to what might be the issue here? Is it a configuration error or a bug in CAS itself?
Note that this issue only manifests when both MFA providers are enabled at the same time; if one of them is enabled, the issue goes away. I've also tried to enable it in a per-application manner, but then the provider selection menu never pops up.


Thanks in advance,

Linos
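As an added example for triaging the log excerpt above (not code from the original post or from CAS itself): a small Python parser that pulls the Inspektr audit trail records out of a CAS log and flags the ones whose WHAT field is a thrown exception rather than a webflow event. The record layout (WHO/WHAT/ACTION/... between two rules of `=`) and the sample input are taken from the two records shown in the thread; the multi-line WHAT of the second record has been joined onto one line for the constructed sample.

```python
"""Extract Inspektr 'Audit trail record' blocks from a CAS log excerpt and
flag records whose WHAT field is a thrown exception.

Added example for triaging the log in the thread; not part of CAS or of the
original post.  Field names and layout follow the Slf4jLoggingAuditTrailManager
output shown there.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the two audit records from the thread's log excerpt,
# with the email line-wrapping of the second WHAT value undone.
SAMPLE_LOG = """\
2021-05-10 16:24:16,367 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: java.lang.NullPointerException
ACTION: AUTHENTICATION_EVENT
APPLICATION: CAS
WHEN: Mon May 10 16:24:16 EEST 2021
CLIENT IP ADDRESS: 2a03:e40:42:100::1074
SERVER IP ADDRESS: 2a03:e40:2a:400:0:0:0:124
=============================================================

>
2021-05-10 16:24:16,371 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <null>
2021-05-10 16:24:16,375 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=error,timestamp=Mon May 10 16:24:16 EEST 2021,source=DefaultCasDelegatingWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon May 10 16:24:16 EEST 2021
CLIENT IP ADDRESS: 2a03:e40:42:100::1074
SERVER IP ADDRESS: 2a03:e40:2a:400:0:0:0:124
=============================================================
"""

RULE = re.compile(r"^=+$")                       # the '=====' line that opens/closes a record
FIELD = re.compile(r"^([A-Z][A-Z ]+?):\s*(.*)$")  # 'KEY: value' lines inside a record
EXCEPTION = re.compile(r"\b[\w.]*Exception\b")   # a Java exception class name in WHAT


@dataclass
class AuditRecord:
    """One audit trail record, keyed by the upper-case field names in the log."""
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def is_exception(self) -> bool:
        """True when WHAT carries an exception instead of a webflow event."""
        return bool(EXCEPTION.search(self.fields.get("WHAT", "")))


def parse_audit_records(text: str) -> list[AuditRecord]:
    """Return every record found between paired '=====' rules, in order."""
    records: list[AuditRecord] = []
    current: AuditRecord | None = None
    for line in text.splitlines():
        if RULE.match(line.strip()):
            if current is None:          # opening rule: start a record
                current = AuditRecord()
            else:                        # closing rule: finish it
                records.append(current)
                current = None
            continue
        if current is not None:
            m = FIELD.match(line)
            if m:
                current.fields[m.group(1)] = m.group(2)
    return records


def failed_events(records: list[AuditRecord]) -> list[AuditRecord]:
    """Records that an operator should look at first: WHAT is an exception."""
    return [r for r in records if r.is_exception]


def summarize(text: str) -> list[tuple[str, str, bool]]:
    """(ACTION, WHAT, is_exception) per record, handy for a quick eyeball."""
    return [(r.fields.get("ACTION", ""), r.fields.get("WHAT", ""), r.is_exception)
            for r in parse_audit_records(text)]


if __name__ == "__main__":
    for action, what, bad in summarize(SAMPLE_LOG):
        print(("!! " if bad else "   ") + f"{action}: {what}")
```

Run against a real `cas.log` by replacing `SAMPLE_LOG` with the file contents; records whose WHO is `audit:unknown` and WHAT is an exception, as in the first record here, are the ones where the audit principal resolver never got a principal, which matches the failure the thread describes.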
