Hello,
I am currently working on migrating from 6.2.5 to 6.3.1,
and I get an error when I try to access a service with 2FA enabled but bypassed by the reverse proxy.
No specific flows are defined, only the bypass:
#Google Auth Bypass
cas.authn.mfa.gauth.bypass.http-request-headers=remote_user
cas.authn.mfa.gauth.bypass.principal-attribute-name=cas2faEnabled
cas.authn.mfa.gauth.bypass.principal-attribute-value=FALSE
So if a user (aka test1, with 2FA enabled in LDAP) connects to a service (test.lab.local): all is OK.
For my second user (aka test2, without 2FA enabled), all is OK.
But when my first user comes with his PKI, and the nginx reverse proxy sets the remote_user header for CAS, he gets this error:
org.springframework.webflow.engine.NoMatchingTransitionException: No transition was matched on the event(s) signaled by the [1] action(s) that executed in this action state 'remoteAuthenticate' of flow 'login'; transitions must be defined to handle action result outcomes -- possible flow configuration error? Note: the eventIds signaled were: 'array<String>['generateServiceTicket']', while the supported set of transitional criteria for this action state is 'array<TransitionCriteria>[success, error, authenticationFailure, mfa-gauth]'
But he can access cas.lab.local without error.
We see the MFA is bypassed in the attributes.
The service I am trying to reach is very simple:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http)://localhost.*",
  "name" : "localhost",
  "id" : 2,
  "description" : "Allows only localhost services",
  "evaluationOrder" : 0
}
PS: this scenario has been in place in production since CAS 5.2.
Thanks for your help