SPNEGO and MFA Issues


Matt Elson

Mar 5, 2020, 7:54:57 AM
to cas-...@apereo.org
Hey all,

We're having issues if we try and use SPNEGO w/ MFA (Duo in particular
in our example, haven't tested the others yet, but plan to).

Namely if MFA is triggered on the first service SPNEGO auths to, CAS
throws the following errors:

2020-03-04 18:07:56,981 WARN
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <class org.apereo.cas.authentication.AuthenticationException:
Transition definition cannot be found for event mfa-duo>
2020-03-04 18:07:56,981 DEBUG
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <Transition definition cannot be found for event mfa-duo>

And then throws a stack trace and fails authentication. MFA works fine
w/ LDAP authentication, and if the initial service SPNEGO auths to is
*not eligible for MFA*, SPNEGO works fine (and subsequent services will
trigger MFA w/o a problem).

I see an old post
(https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/CtKiXHXBMxU)
that sounds identical to my issue and it looks like a bug was opened
regarding it, but I can't find any further follow-up.

Any thoughts? My guess is it is related to SPNEGO webflow (as previous
post notes it seems to go straight to SEND_TICKET_GRANTING_TICKET on
success) given the behavior.

Thanks in advance for any help!

Matt Elson

Matt Elson

Mar 5, 2020, 8:35:50 AM
to cas-...@apereo.org
Oops, forgot to mention the CAS version I'm running: 6.1.5.

(Haven't gotten around to seeing if the behavior persists in the 6.2.0
release candidates, planning to sometime this week.)

Matt
