I'm having a heck of a time setting up trustedDevice authentication
(outlined here:
https://apereo.github.io/cas/5.1.x/installation/Multifactor-TrustedDevice-Authentication.html)
under a fresh 5.1.2 install and I'm not sure if I'm misunderstanding the
feature altogether or simply configuring it incorrectly.

I set up the appropriate entry in the maven overlay to bring it in
(cas-server-support-trusted-mfa as artifactID), set up the
cas.properties entries and it's definitely being loaded. After an mfa
authentication (I'm using mfa-gauth), I get prompted to register the
device, but the minute I do so I get an error and stack trace - I see the
audit log register the name I gave it and other assorted info, but
immediately afterwards it throws an exception:
"org.springframework.webflow.execution.FlowExecutionException: Exception
thrown in state 'registerTrustedDevice' of flow 'login'"

Following that down, the underlying cause seems to be the following:

2017-07-21 10:32:58,064 ERROR
[org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]]
- <Servlet.service() for servlet [dispatcherServlet] in context with
path [/cas] threw exception [Request processing failed; nested exception
is org.springframework.webflow.execution.FlowExecutionException:
Exception thrown in state 'registerTrustedDevice' of flow 'login'] with
root cause>
java.lang.IllegalArgumentException: Cannot find state with id 'success'
in flow 'login' -- Known state ids are
'array<String>['initialAuthenticationRequestValidationCheck',
'ticketGrantingTicketCheck', 'initializeLoginForm', 'viewLoginForm',
'realSubmit', 'showAuthenticationWarningMessages',
'sendTicketGrantingTicket', 'generateServiceTicket',
'viewRedirectToUnauthorizedUrlView', 'viewServiceErrorView',
'redirectView', 'postView', 'viewGenericLoginSuccess',
'showWarningView', 'finalizeWarning', 'serviceUnauthorizedCheck',
'serviceCheck', 'warn', 'gatewayRequestCheck', 'hasServiceCheck',
'renewRequestCheck', 'terminateSession',
'gatewayServicesManagementCheck', 'serviceAuthorizationCheck',
'redirect', 'handleAuthenticationFailure', 'verifyTrustedDevice',
'checkRegistrationRequired', 'registerDeviceView',
'registerTrustedDevice', 'finishMfaTrustedAuth', 'mfa-gauth',
'casAuthenticationBlockedView', 'casBadWorkstationView',
'casBadHoursView', 'casAccountLockedView', 'casAccountDisabledView',
'casPasswordUpdateSuccessView', 'casExpiredPassView',
'casMustChangePassView']'

I'm using Java 1.8 on CentOS 7 and have tried deploying to Tomcat 8.5.16
as a war and using the embedded Tomcat, and I'm getting the same behavior
in both instances. I haven't tried other containers or tweaking much else
at this point.

Any ideas?

Matt