CAS 6.4.0-RC6: Issue with MFA bypass preventing SSO session across services


Purush Yeluripati

Aug 19, 2021, 11:18:09 AM8/19/21
to CAS Developer
Hello,
    We think we might have found an issue we can reproduce where enabling MFA bypass (not just MFA, but bypass) prevents the SSO session from being shared across services. This issue can be reproduced with both 6.4.0-RC5 and 6.4.0-RC6 (and maybe other versions as well).

Here is our scenario, we have 2 services configured with CAS.

Service A (RegexRegisteredService): Uses Username, Password and MFA (GoogleAuth)
Service B (SamlRegisteredService): uses SAML2 with CAS as the IdP

The MFA can be optionally bypassed by examining an attribute of the principal.

If we first sign into Service A successfully using Username, Password, and MFA Token and then attempt to navigate to the URL for Service B, this works well (as expected).

However, if we attempt to specify bypass rules for bypassing MFA based on a principal attribute (either using cas.properties or a groovy script), when we access Service B after successfully authenticating with Service A, CAS forces a re-authentication of the user for Service B. This seems to work fine as long as we do not enable MFA bypass (plain MFA works).

We have asked in the CAS Community and have not heard back from anyone having the same issue. Does bypass require special configuration? We don't want to report an issue if this is due to a misconfiguration/mistake at our end. We'd be happy to help with researching a solution for this but are not clear about where to start looking and what the flows are. Any help would be appreciated.

Regards,
Purush
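Editor's note: the post does not include the bypass rule itself. The script below is an added illustration of the kind of principal-attribute bypass the poster describes, written for a CAS 6.x GoogleAuthenticator (`mfa-gauth`) provider; it is not the poster's configuration and not code from the CAS project. The attribute name `mfaExempt`, its value `true`, and the script path are assumptions chosen for the example. The return-value convention (true means the provider should run, false means bypass) follows the CAS documentation for Groovy bypass scripts; verify it against the docs for the exact version you run.

```groovy
// Hypothetical Groovy MFA bypass evaluator for the gauth provider (added example).
// Wired in cas.properties with, for instance:
//   cas.authn.mfa.gauth.bypass.groovy.location=file:/etc/cas/config/GauthBypass.groovy
//
// The properties-only equivalent of this rule (no script) would be:
//   cas.authn.mfa.gauth.bypass.principal-attribute-name=mfaExempt
//   cas.authn.mfa.gauth.bypass.principal-attribute-value=true
// Attribute name and value are assumptions for this example.

def boolean run(final Object... args) {
    def authentication = args[0]   // the resolved Authentication
    def principal      = args[1]   // the authenticated Principal (attributes are Map<String, List<Object>>)
    def service        = args[2]   // the RegisteredService being accessed, may be null
    def provider       = args[3]   // the MultifactorAuthenticationProvider under evaluation
    def logger         = args[4]
    def httpRequest    = args[5]

    // Look up the (assumed) exemption attribute on the principal; values are multi-valued.
    def values = principal.attributes.get("mfaExempt")
    def exempt = values != null && values.any { it.toString().equalsIgnoreCase("true") }

    logger.info("MFA bypass evaluation for principal [{}] and service [{}]: exempt=[{}]",
        principal.id, service?.serviceId, exempt)

    // true  => the gauth provider should execute (no bypass)
    // false => skip multifactor authentication for this principal
    return !exempt
}
```

When reproducing the poster's scenario, keep the bypass tied to one provider and one service definition, and compare the ticket-granting ticket's recorded authentication context (for example the `authnContextClass` attribute) between a bypassed login and a full MFA login; a difference there is the first thing to check when a second service unexpectedly forces re-authentication.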
