2018-06-21 10:49:38,226 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=<REMOVED>, attributes={<REMOVED>}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jun 21 10:49:38 CDT 2018
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================
>
2018-06-21 10:49:38,229 DEBUG [org.apereo.cas.authentication.AbstractMultifactorAuthenticationProvider] - <Using global multi-factor failure mode for [AbstractRegisteredService(serviceId<REMOVED>, name=ssomanager, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=3, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=2, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ReturnAllAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null)), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth], failureMode=NOT_SET, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[])] defined as [OPEN]>
2018-06-21 10:49:38,230 DEBUG [org.apereo.cas.authentication.AbstractMultifactorAuthenticationProvider] - <Evaluating multifactor authentication policy for service [AbstractRegisteredService(serviceId=<REMOVED>, name=ssomanager, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=3, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=2, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ReturnAllAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null)), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth], failureMode=NOT_SET, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[])}>
2018-06-21 10:49:38,231 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=mfa-gauth,timestamp=Thu Jun 21 10:49:38 CDT 2018,source=RegisteredServiceMultifactorAuthenticationPolicyEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jun 21 10:49:38 CDT 2018
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================
>
2018-06-21 10:49:38,232 DEBUG [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - <Evaluating multifactor authentication bypass properties for principal [<REMOVED>], service [AbstractRegisteredService(serviceId=<REMOVED>, name=ssomanager, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=3, description=null, expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=2, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ReturnAllAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null)), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth], failureMode=NOT_SET, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=null, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[])] and provider [AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass@7ecbf96e, globalFailureMode=OPEN, id=mfa-gauth, order=0)] via Groovy script [URL [file:/usr/tomcat/mfaGroovyTrigger.groovy]]>
2018-06-21 10:49:38,316 INFO [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - <Evaluating principal attributes [<REMOVED>]>
2018-06-21 10:49:38,316 INFO [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - <User has no MFA registration, bypass>
2018-06-21 10:49:38,317 DEBUG [org.apereo.cas.authentication.AbstractMultifactorAuthenticationProvider] - <Request cannot be supported by provider [mfa-gauth] as it's configured for bypass>
<snip, includes authentication event triggered and service access enforcement triggered all the way through attribute resolution and service ticket validation, can add if requested>
2018-06-21 10:49:38,419 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [CasServiceTicketValidatedEvent(assertion=ImmutableAssertion(primaryAuthentication=org.apereo.cas.authentication.DefaultAuthentication@601a1344, chainedAuthentications=[org.apereo.cas.authentication.DefaultAuthentication@601a1344], fromNewLogin=false, service=AbstractWebApplicationService(id=<REMOVED>, originalUrl=<REMOVED>, artifactId=null, principal=<REMOVED>, source=service, loggedOutAlready=false, format=XML, attributes={})), serviceTicket=ST-2-oFgH0sXrkimWxBBXDn9-0XP6QFw<REMOVED>)]>
2018-06-21 10:49:38,419 DEBUG [org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - <Ticket usage count [1] is greater than or equal to [1]. Ticket has expired>
2018-06-21 10:49:38,425 DEBUG [org.apereo.cas.ticket.DefaultTicketCatalog] - <Locating ticket definition for ticket [ST-2-oFgH0sXrkimWxBBXDn9-0XP6QFw<REMOVED>]>
2018-06-21 10:49:38,427 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: <REMOVED>
WHAT: ST-2-oFgH0sXrkimWxBBXDn9-0XP6QFw<REMOVED>
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Thu Jun 21 10:49:38 CDT 2018
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================
>
2018-06-21 10:49:38,427 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-06-21 10:49:38,428 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Is validation specification set to enforce [renew] protocol behavior? [no]. Is assertion issued from a new login? [no]>
2018-06-21 10:49:38,428 DEBUG [org.apereo.cas.validation.Cas20WithoutProxyingValidationSpecification] - <Number of chained authentications in the assertion [1]>
2018-06-21 10:49:38,429 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Validation specification is satisfied by the produced assertion>
2018-06-21 10:49:38,429 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Locating the primary authentication associated with this service request [AbstractWebApplicationService(id=<REMOVED>, originalUrl=<REMOVED>, artifactId=null, principal=<REMOVED>, source=service, loggedOutAlready=false, format=XML, attributes={})]>
2018-06-21 10:49:38,432 DEBUG [org.apereo.cas.util.CollectionUtils] - <Converting null obj to empty collection>
2018-06-21 10:49:38,432 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-gauth] against [[]]>
2018-06-21 10:49:38,433 DEBUG [org.apereo.cas.util.CollectionUtils] - <Converting null obj to empty collection>
2018-06-21 10:49:38,433 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <No authentication context could be determined based on authentication attribute [authnContextClass]>
2018-06-21 10:49:38,433 WARN [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <No satisfied multifactor authentication providers are recorded in the current authentication context.>
2018-06-21 10:49:38,436 DEBUG [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] - <Request Body: [<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" RequestID="_00cd501c336a70e6fb627e7aec7a1475" IssueInstant="2018-06-21T15:49:38Z"><samlp:AssertionArtifact>ST-2-oFgH0sXrkimWxBBXDn9-0XP6QFw<REMOVED></samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>] "Extracted ArtifactId: [ST-2-oFgH0sXrkimWxBBXDn9-0XP6QFw<REMOVED>]. Extracted Request Id: [_00cd501c336a70e6fb627e7aec7a1475]>
2018-06-21 10:49:38,437 DEBUG [org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView] - <Using [<REMOVED>] as the recipient of the SAML response for [AbstractWebApplicationService(id=<REMOVED>, originalUrl=<REMOVED>, artifactId=ST-2-oFgH0sXrkimWxBBXDn9-0XP6QFw<REMOVED>, principal=null, source=TARGET, loggedOutAlready=false, format=XML, attributes={})]>
2018-06-21 10:49:38,437 DEBUG [org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView] - <Created SAML response for service [<REMOVED>]>
2018-06-21 10:49:38,438 DEBUG [org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView] - <Starting to encode SAML response for service [<REMOVED>]>
2018-06-21 10:49:38,438 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
2018-06-21 10:49:38,441 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml1.core.impl.ResponseImpl]
<?xml version="1.0" encoding="UTF-8"?><saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="_00cd501c336a70e6fb627e7aec7a1475" IssueInstant="2018-06-21T15:49:33.437Z" MajorVersion="1" MinorVersion="1" ResponseID="_cd9263aae63971ab3fc3987ec1fb90a5">
<saml1p:Status>
<saml1p:StatusCode Value="saml1p:RequestDenied"/>
<saml1p:StatusMessage>The validation request for ['ST-2-oFgH0sXrkimWxBBXDn9-0XP6QFw<REMOVED>'] cannot be satisfied. The request is either unrecognized or unfulfilled.</saml1p:StatusMessage>
</saml1p:Status>
</saml1p:Response>
>
2018-06-21 10:49:38,442 DEBUG [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>