CAS 6.3.0-RC3 issue with MFA selector menu


Philippe MARASSE

Oct 6, 2020, 11:52:04 AM
to CAS Community
Folks,

I'm testing the possibility of letting the user choose which MFA token to
use, in fact between u2f and Google Authenticator.

I have a PHP test page used to retrieve and show me some attributes. When
I use cas.authn.mfa.provider-selection-enabled=true, I cannot get
validated by CAS:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The
validation request for
[&#39;ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest&#39;] cannot be
satisfied. The request is either unrecognized or
unfulfilled.</cas:authenticationFailure>
</cas:serviceResponse>

In cas_audit, I have:

2020-10-06 17:28:50,359 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
Audit trail record BEGIN
=============================================================
WHO: xxx
WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for
http://php2/portail/cas61.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

2020-10-06 17:28:50,424 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access
Granted,service=http://php2/portail/...,principal=SimplePrincipal(id=xxx,
attributes={...}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

2020-10-06 17:28:50,427 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
Audit trail record BEGIN
=============================================================
WHO: xxx
WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for
http://php2/portail/cas61.php
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=============================================================

If I use cas.authn.mfa.provider-selection-enabled=false, I cannot choose
the 2FA, but it works...

Any clue?

Regards.

--
Philippe MARASSE

Head of the Infrastructure Unit
Direction de l'Informatique, Support à la Communication et à l'Organisation (DISCO)
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
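
The failure above is what the PHP test page receives from /serviceValidate. As an added example (not code from this thread, from the poster's PHP page, or from CAS itself), here is a small Python parser for the CAS 2.0 service response, together with the client-side check a relying service should apply before trusting the login: accept only a success whose released MFA context attribute is one the service expects. Both sample responses are constructed; the ticket id is a placeholder, and the `authnContextClass` attribute name is assumed to be the one CAS releases for the satisfied provider in this deployment.

```python
"""Parse a CAS 2.0 /serviceValidate response and apply a client-side MFA context check.

Added example, not code from this thread or from CAS/Apereo. The sample responses below are
constructed; the ticket id is a placeholder, and the 'authnContextClass' attribute name is
assumed to be the one CAS releases for the satisfied MFA provider (check your deployment).
"""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed failure response, shaped like the one quoted in the thread.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The
validation request for [&#39;ST-EXAMPLE-PLACEHOLDER&#39;] cannot be
satisfied. The request is either unrecognized or
unfulfilled.</cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed success response with a released MFA context attribute.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>xxx</cas:user>
        <cas:attributes>
            <cas:authnContextClass>mfa-webauthn</cas:authnContextClass>
            <cas:mail>user@example.org</cas:mail>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Return {'ok': False, 'code', 'message'} on failure or
    {'ok': True, 'user', 'attributes'} on success; attributes are lists (multi-valued)."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        # Collapse the line-wrapped message; ElementTree has already decoded &#39; to a quote.
        return {"ok": False, "code": failure.get("code"),
                "message": " ".join((failure.text or "").split())}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: neither success nor failure element")
    attributes = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            # Strip the {namespace} prefix ElementTree puts on qualified tags.
            name = child.tag.split("}", 1)[1] if "}" in child.tag else child.tag
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True, "user": success.findtext("cas:user", namespaces=CAS_NS),
            "attributes": attributes}


def require_mfa_context(parsed, accepted_contexts, attribute="authnContextClass"):
    """Client-side defence: accept the login only if CAS reports success AND the released
    MFA context is one the service accepts. A success without the attribute is refused."""
    if not parsed["ok"]:
        return False
    released = parsed["attributes"].get(attribute, [])
    return any(ctx in accepted_contexts for ctx in released)


if __name__ == "__main__":
    for resp in (FAILURE_RESPONSE, SUCCESS_RESPONSE):
        p = parse_cas_response(resp)
        print(p, require_mfa_context(p, {"mfa-webauthn", "mfa-gauth"}))
```

The second function is the part worth keeping in a real relying service: a service that requires MFA should verify the released context itself rather than assume that a successful validation implies the right factor was used.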


Philippe MARASSE

Oct 9, 2020, 8:27:03 AM
to cas-...@apereo.org
Interestingly, I think there's a flaw in the webflow. Let's use two
services, where only the second requires MFA.

Without the MFA selector:
  - Call first service, redirect to CAS
  - Authentication with only login/password OK, redirect to service one.
  - Service one validates service ticket OK
  - Call second service, redirect to CAS
  - CAS shows MFA screen (U2F in my case), authentication OK, redirect
to service two
  - Service two validates service ticket OK

Everything runs fine.

With the MFA selector enabled:
  - Call first service, redirect to CAS
  - Authentication with only login/password OK, redirect to service one.
  - Service one validates service ticket OK
  - Call second service, redirect to CAS
  - Login screen shows login form?? An exception has been raised (see
below)
  - Authentication can be redone with login/password, no MFA asked,
redirected to service
  - Service two validates service ticket... fails with

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The
validation request for
[&#39;ST-5-R2L9TIWs19jdW5DwR-jlcndnNvE-castest&#39;] cannot be
satisfied. The request is either unrecognized or
unfulfilled.</cas:authenticationFailure>
</cas:serviceResponse>

cas.log:

=============================================================
WHO: audit:unknown
WHAT: Transition definition cannot be found for event mfa-composite
ACTION: AUTHENTICATION_EVENT
APPLICATION: CAS
WHEN: Fri Oct 09 14:22:14 CEST 2020
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: y.y.y.y
=============================================================

2020-10-09 14:22:14,440 WARN
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <class org.apereo.cas.authentication.AuthenticationException:
Transition definition cannot be fo
2020-10-09 14:22:14,440 DEBUG
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <Transition definition cannot be found for event mfa-composite>
org.apereo.cas.authentication.AuthenticationException: Transition
definition cannot be found for event mfa-composite
        at
org.apereo.cas.authentication.MultifactorAuthenticationUtils.lambda$validateEventIdForMatchingTransitionInContext$1(MultifactorAuthenticationUtils.java:74)
~[cas-server-core-authentication-mfa-api-
        at java.util.Optional.map(Optional.java:265) ~[?:?]
        at
org.apereo.cas.authentication.MultifactorAuthenticationUtils.validateEventIdForMatchingTransitionInContext(MultifactorAuthenticationUtils.java:71)
~[cas-server-core-authentication-mfa-api-6.3.0-RC3
        at
org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver.lambda$resolveInternal$0(DefaultMultifactorAuthenticationProviderWebflowEventResolver.java:48)
        at java.util.Optional.map(Optional.java:265) ~[?:?]

Regards.

Paris Polydorou

Dec 16, 2020, 2:17:37 PM
to CAS Community, Philippe MARASSE
I have the same issues with CAS 6.2 and 6.3. Three individual MFA providers work fine when specified with cas.authn.mfa.globalProviderId.

When I try the selection menu by adding the line cas.authn.mfa.provider-selection-enabled=true, I successfully authenticate with any of the three MFA providers that I select from the menu but my website does not let me in. The logs (similar to Philippe's) indicate success and if I go to the CAS URL I see that I am successfully authenticated.

Could there be confusion on the part of CAS after the successful MFA authentication because of the three possible MFA providers and so it does not redirect back to the app website properly or pass the right information?

Question: Is this a known issue? Has anyone got the selection menu to work with CAS 6.x?

Thanks,
Paris

Ray Bon

Dec 16, 2020, 3:14:54 PM
to cas-...@apereo.org, philippe...@ch-poitiers.fr
Paris, Philippe,

I think all properties are now camel case, docs have not been updated.

provider-selection-enabled => providerSelectionEnabled

Ray

On Wed, 2020-12-16 at 11:17 -0800, Paris Polydorou wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Paris Polydorou

Dec 16, 2020, 4:19:27 PM
to cas-...@apereo.org, philippe...@ch-poitiers.fr
Thank you Ray. I wasn't aware of the change.

Unfortunately there is no improvement after I updated the property name: My password is accepted, I select one of the MFA providers from the selection menu, my MFA response is also successful, but the communication of this success by CAS to the app website has a problem.

Best,
Paris


Paris Polydorou

Dec 18, 2020, 1:05:24 PM
to CAS Community
Looking at my debug logs and comparing the cases of the single MFA provider and of the MFA selection menu, I found that the service information is lost after a successful password authentication. E.g. the POST command at the MFA token page only contains cas/login instead of cas/login?service=... and there are also log entries of service=null instead of the service provider's URL.

I am very new to CAS but I believe that when using the MFA selection menu, after a successful authentication, the communication of the results to the service provider is invalid. This is the case for versions 6.2.6 and the latest 6.3 RC.

Ray Bon

Dec 18, 2020, 4:07:26 PM
to cas-...@apereo.org
Paris,

The service looks to be held on the server side. So not showing in the url is probably not an issue.
In my test, I do get redirected to the service correctly and the service ticket is validated. I do get failed completion for what looks like a second check of the mfa process (that happens after ST validation).

Here are my last few log entries:

2020-12-18 12:23:00,331 TRACE [            org.aper.cas.auth.MultifactorAuthenticationUtils] - <Locating bean definition for [mfa-yubikey]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 TRACE [            org.aper.cas.auth.MultifactorAuthenticationUtils] - <Locating bean definition for [mfa-duo]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 DEBUG [h.mfa.trig.RegisteredServiceMultifactorAuthenticationTrigger] - <Selected multifactor authentication provider for this transaction is [DefaultChainingMultifactorAuthenticationProvider(multifactorAuthenticationProviders=[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@7e478a4f, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-yubikey, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@401740e0, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-duo, order=0)], failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7)]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-composite] against [[mfa-yubikey]]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,332 TRACE [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Available MFA providers are [[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@f81b717, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-simple, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@7e478a4f, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-yubikey, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@401740e0, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@1eb5f4b7, failureMode=UNDEFINED, id=mfa-duo, order=0)]]> [ajp-nio-127.0.0.1-8010-exec-8]
2020-12-18 12:23:00,333 DEBUG [er.cas.auth.DefaultMultifactorAuthenticationContextValidator] - <Requested authentication provider cannot be recognized.> [ajp-nio-127.0.0.1-8010-exec-8]

It will take looking at the code to see why '... provider cannot be recognized'. I suspect something is amiss, maybe the check expects a single value but a list is presented (the 'Selected multifactor authentication provider ...' log line).

Do you get redirected to your service after mfa?

Ray

P.S. Here are my loggers:

        <AsyncLogger name="org.apereo.cas.authentication" level="trace" />
        <AsyncLogger name="org.apereo.cas.authentication.PolicyBasedAuthenticationManager" level="trace" />
        <AsyncLogger name="org.apereo.cas.mfa" level="trace" />

Linos Giannopoulos

Apr 29, 2021, 11:25:50 AM
to CAS Community, Ray Bon
Hey!

I am having the same issue as described above, but I never get redirected back to the service.
To summarize what we're witnessing: Two MFA providers are enabled globally (also tried the per-application basis method, with the same results).
Both providers work just fine when used on their own.

If both of them are enabled, along with the selection provider menu, the SAML flow breaks. What I could gather from the logs (and my gut feeling) is that the provider
that the user did not select is not satisfied, hence we get the `INVALID_AUTHENTICATION_CONTEXT` issue in the end.

We are using CAS 6.3.3, and all the relevant configs that I can think of follow below:

```
cas.authn.mfa.provider-selection-enabled=true
cas.authn.mfa.globalProviderId=mfa-webauthn,mfa-gauth
```

The exception we get is the following:
```
2021-04-29 18:09:30,624 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Attempting to globally activate [mfa-webauthn,mfa-gauth]>
2021-04-29 18:09:30,625 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] - <Selected multifactor authentication provider for this transaction is [DefaultChainingMultifactorAuthenticationProvider(multifactorAuthenticationProviders=[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@324be3b6, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-webauthn, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@11084050, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-gauth, order=0)], failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8)]>
2021-04-29 18:09:30,626 TRACE [org.apereo.cas.util.CollectionUtils] - <Converting multi-valued element [[mfa-webauthn]]>
2021-04-29 18:09:30,626 TRACE [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Attempting to match requested authentication context [mfa-composite] against [[mfa-webauthn]]>
2021-04-29 18:09:30,627 TRACE [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Available MFA providers are [[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@324be3b6, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-webauthn, order=0), AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@11084050, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@747ac7a8, failureMode=UNDEFINED, id=mfa-gauth, order=0)]]>
2021-04-29 18:09:30,628 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - <Requested authentication provider cannot be recognized.>
2021-04-29 18:09:30,643 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Examining language bundle [classpath:custom_messages_en_US] for the code [INVALID_AUTHENTICATION_CONTEXT]>
2021-04-29 18:09:30,645 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_en_US] - neither plain properties nor XML>
2021-04-29 18:09:30,646 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Examining language bundle [classpath:messages_en_US] for the code [INVALID_AUTHENTICATION_CONTEXT]>
2021-04-29 18:09:30,649 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_en_US] - neither plain properties nor XML>
2021-04-29 18:09:30,649 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Examining language bundle [file:/etc/cas/config/custom_messages_en_US] for the code [INVALID_AUTHENTICATION_CONTEXT]>
2021-04-29 18:09:30,650 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_en_US] - neither plain properties nor XML>
2021-04-29 18:09:30,650 TRACE [org.apereo.cas.web.view.CasReloadableMessageBundle] - <The code [INVALID_AUTHENTICATION_CONTEXT] cannot be found in the language bundle for the locale [en_US]>
2021-04-29 18:09:30,749 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.jasig.cas.client.validation.TicketValidationException: The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.] due to a type mismatch with handler [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController#handleCallbackProfileRequest(HttpServletResponse, HttpServletRequest)]>
2021-04-29 18:09:30,749 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.jasig.cas.client.validation.TicketValidationException: The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.] due to a type mismatch with handler [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController#handleCallbackProfileRequest(HttpServletResponse, HttpServletRequest)]>
2021-04-29 18:09:30,751 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/idp/profile/SAML2/Callback] due to exception [The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.]>
org.jasig.cas.client.validation.TicketValidationException: The validation request for ['ST-1-Xw8n2BQAqLXlxVYs-WDSzmk6bDk-cas-stg'] cannot be satisfied. The request is either unrecognized or unfulfilled.
    at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:97) ~[cas-client-core-3.6.2.jar:3.6.2]
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:199) ~[cas-client-core-3.6.2.jar:3.6.2]
    at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.validateRequestAndBuildCasAssertion(SSOSamlIdPProfileCallbackHandlerController.java:57) ~[cas-server-support-saml-idp-web-6.3.3.jar:6.3.3]
    at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleCallbackProfileRequest(SSOSamlIdPProfileCallbackHandlerController.java:103) ~[cas-server-support-saml-idp-web-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691) ~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$11f952f8.handleCallbackProfileRequest(<generated>) ~[cas-server-support-saml-idp-web-6.3.3.jar:6.3.3]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:626) ~[tomcat9-servlet-api.jar:?]
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) ~[tomcat9-servlet-api.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat9-websocket-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apereo.cas.web.support.AuthenticationCredentialsThreadLocalBinderClearingFilter.doFilter(AuthenticationCredentialsThreadLocalBinderClearingFilter.java:28) ~[cas-server-core-web-api-6.3.3.jar:6.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apereo.cas.web.support.filters.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:401) ~[cas-server-core-web-api-6.3.3.jar:6.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:200) ~[cas-server-core-web-api-6.3.3.jar:6.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:64) ~[cas-server-core-web-api-6.3.3.jar:6.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:204) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.security.web.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:90) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:78) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:67) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93) ~[spring-boot-actuator-2.3.7.RELEASE.jar:2.3.7.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:99) ~[cas-server-core-logging-6.3.3.jar:6.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) ~[inspektr-common-1.8.10.GA.jar:1.8.10.GA]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) ~[spring-boot-2.3.7.RELEASE.jar:2.3.7.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-web-2.14.0.jar:2.14.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat9-catalina-9.0.39.jar:9.0.39]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) ~[tomcat9-coyote-9.0.39.jar:9.0.39]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat9-coyote-9.0.39.jar:9.0.39]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat9-coyote-9.0.39.jar:9.0.39]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) ~[tomcat9-coyote-9.0.39.jar:9.0.39]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat9-coyote-9.0.39.jar:9.0.39]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat9-util-9.0.39.jar:9.0.39]
    at java.lang.Thread.run(Thread.java:834) [?:?]
```

Kind regards,
Linos

Thierry Perpère

May 29, 2021, 8:33:24 PM
to CAS Community, Linos Giannopoulos, Ray Bon
Hi,

In fact it's because the ticket validation request from the service has the context "mfa-composite" (multiple MFA), whereas the ticket has the context "mfa-webauthn".

From the logs: Attempting to match requested authentication context [mfa-composite] against [[mfa-webauthn]]

I've submitted a pull request with a patch for this: https://github.com/apereo/cas/pull/5152

This patch is working for me in version 6.2.8.

Regards,
Thierry
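
The mismatch Thierry points at, and Ray's earlier suspicion that the check expects a single value while the selection menu presents a chaining provider, can be reproduced in a few lines. The following is an added example and is neither CAS code nor the linked pull request: a simplified model of the context validator, which builds the requested provider from a comma-separated `cas.authn.mfa.globalProviderId` (an assumption about that property's format), runs an exact-id match beside a composite-aware match, and replays the TRACE line quoted in the thread through both. The provider ids and the log line come from the thread; the `COMPOSITE_ID` constant and the `Provider` class are this example's own.

```python
"""Model of how a requested MFA context is matched against the context a ticket satisfied.

Added example, not CAS code and not the patch linked in the thread: a simplified model
showing why an exact-id comparison of 'mfa-composite' against 'mfa-webauthn' fails and what
a composite-aware comparison does instead. Provider ids and the sample log line are taken
from the thread; parsing globalProviderId as a comma-separated list is an assumption.
"""
import re
from dataclasses import dataclass

COMPOSITE_ID = "mfa-composite"   # id the thread's logs show for the chaining provider


@dataclass(frozen=True)
class Provider:
    id: str
    members: tuple = ()          # non-empty only for the composite (chaining) provider

    def accepted_ids(self):
        """Context ids that satisfy this provider: any member for a composite, else its own id."""
        return {m.id for m in self.members} if self.members else {self.id}


def provider_from_global_id(value):
    """Build the requested provider from cas.authn.mfa.globalProviderId (assumed comma-separated).
    Two or more ids yield the composite provider that the selection menu presents."""
    ids = [p.strip() for p in value.split(",") if p.strip()]
    if not ids:
        raise ValueError("globalProviderId is empty")
    if len(ids) == 1:
        return Provider(ids[0])
    return Provider(COMPOSITE_ID, tuple(Provider(i) for i in ids))


def validate_naive(requested, satisfied_ids):
    """Exact-id match. With a composite this compares 'mfa-composite' against e.g.
    'mfa-webauthn' and fails, which surfaces as INVALID_AUTHENTICATION_CONTEXT."""
    return requested.id in set(satisfied_ids)


def validate_composite_aware(requested, satisfied_ids):
    """A composite is satisfied by any one of its members; a plain provider must match exactly.
    Returns the matched provider id, or None when nothing acceptable was satisfied."""
    hits = requested.accepted_ids() & set(satisfied_ids)
    return min(hits) if hits else None


# Shape of the TRACE line quoted in the thread.
LOG_RE = re.compile(r"requested authentication context \[([^\]]+)\] against \[\[([^\]]*)\]\]")

SAMPLE_LINE = ("2021-04-29 18:09:30,626 TRACE "
               "[org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator] - "
               "<Attempting to match requested authentication context [mfa-composite] "
               "against [[mfa-webauthn]]>")


def replay_log_line(line, global_provider_id):
    """Parse the requested/satisfied ids out of the log line and re-run both checks
    against the configured provider. Returns None for lines that are not match attempts."""
    m = LOG_RE.search(line)
    if not m:
        return None
    requested_id = m.group(1)
    satisfied = [s.strip() for s in m.group(2).split(",") if s.strip()]
    configured = provider_from_global_id(global_provider_id)
    if requested_id != configured.id:
        raise ValueError(f"log requests {requested_id!r} but config resolves to {configured.id!r}")
    return {"requested": requested_id, "satisfied": satisfied,
            "naive": validate_naive(configured, satisfied),
            "composite_aware": validate_composite_aware(configured, satisfied)}


if __name__ == "__main__":
    print(replay_log_line(SAMPLE_LINE, "mfa-webauthn,mfa-gauth"))
```

Note that the composite-aware check still rejects a ticket whose satisfied context is a provider outside the configured set, so relaxing the comparison to "any member" does not weaken the policy: the user must still have completed one of the factors the deployment actually offers.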