MFA DUO for 6.6.7 errors


Andrey Nikolaev

May 24, 2023, 7:07:40 AM
to CAS Community
Hi all
I used MFA DUO version 6.5.5 with universal and traditional prompt.
When using the new version 6.6.7 and 6.6.8-SNAPSHOT I get an error:

2023-05-22 08:40:35,991 DEBUG [org.apereo.cas.authentication.DefaultRequestedAuthenticationContextValidator] - <Multifactor providers eligible for validation are [[AbstractMultifactorAuthenticationProvider(bypassEvaluator=org.apereo.cas.authentication.bypass.DefaultChainingMultifactorAuthenticationBypassProvider@7a106341, failureModeEvaluator=org.apereo.cas.authentication.DefaultMultifactorAuthenticationFailureModeEvaluator@681672fd, failureMode=CLOSED, id=mfa-duo, order=0)]]>
2023-05-22 08:40:35,995 WARN [org.apereo.cas.web.AbstractServiceValidateController] - <Cannot invoke "String.equals(Object)" because the return value of "org.apereo.cas.authentication.MultifactorAuthenticationProvider.getId()" is null>
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because the return value of "org.apereo.cas.authentication.MultifactorAuthenticationProvider.getId()" is null
        at org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator.lambda$locateRequestedProvider$0(DefaultMultifactorAuthenticationContextValidator.java:42) ~[cas-server-core-authentication-mfa-api-6.6.7.jar:6.6.7]
        at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:178) ~[?:?]
        at java.util.Spliterators$IteratorSpliterator.tryAdvance(Spliterators.java:1856) ~[?:?]
        at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129) ~[?:?]
        at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
        at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
        at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647) ~[?:?]
        at org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator.locateRequestedProvider(DefaultMultifactorAuthenticationContextValidator.java:42) ~[cas-server-core-authentication-mfa-api-6.6.7.jar:6.6.7]
        at org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator.validate(DefaultMultifactorAuthenticationContextValidator.java:66) ~[cas-server-core-authentication-mfa-api-6.6.7.jar:6.6.7]

Andrey Nikolaev

May 29, 2023, 7:18:08 AM
to CAS Community
I can’t understand why Duo doesn’t work for me in the 6.6 branch. More precisely, when I return to the application, an error occurs:
Caused by: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because the return value of "org.apereo.cas.authentication.MultifactorAuthenticationProvider.getId()" is null
        at org.apereo.cas.authentication.DefaultMultifactorAuthenticationContextValidator.lambda$locateRequestedProvider$0(DefaultMultifactorAuthenticationContextValidator.java:42) ~[cas-server-core-authentication-mfa-api-6.6.8.jar:6.6.8]

        at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:178) ~[?:?]
        at java.util.Spliterators$IteratorSpliterator.tryAdvance(Spliterators.java:1856) ~[?:?]
        at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129) ~[?:?]
        at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527) ~[?:?]

Standard configuration:
#cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].duoSecretKey=wUSSJXxbaHyEV1OgTJ1zuTrMJLRdcniPeISPl
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].duoApplicationKey=
cas.authn.mfa.duo[0].duoIntegrationKey=DIWQ5H7JY7XXZDUE6FN3
cas.authn.mfa.duo[0].duoApiHost=api-d3751880.duosecurity.com
cas.authn.mfa.duo[0].trustedDeviceEnabled=false
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo


and in branch 6.5 everything works fine

Ray Bon

May 29, 2023, 12:27:45 PM
to cas-...@apereo.org
Andrey,

For universal prompt, duo-application-key should be commented out (for traditional, it should have a value).

Ray


Andrey Nikolaev

May 29, 2023, 2:31:32 PM
to CAS Community, Ray Bon
Hi Ray Bon

This error crashes on both universal and traditional types.
I know that this key value should not be defined.
I repeat that when using the 6.5 branch (all versions 6.5.5 - 6.5.9) with this account, everything works successfully.

And one more note, the authorization itself in Duo is successful, the prompt for the MFA appears and passes authentication, which is reflected in the admin panel.
When returning to the application, a URL is generated in which the service parameter is missing, like this:

already tried all the options

Thank you

Andrey Nikolaev

May 31, 2023, 5:50:33 AM
to CAS Community, Andrey Nikolaev
Hi All

I cannot understand what's up with the bypass here:

=============================================================

WHO: audit:unknown
WHAT: {result=Service Access Granted, service=https://guacamole-01:6443/xtam/, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed May 31 08:52:48 UTC 2023
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================

2023-05-31 08:52:48,429 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Granted, service=https://guacamole-01:6443/xtam/, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed May 31 08:52:48 UTC 2023
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================

2023-05-31 08:52:48,439 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================
WHO: mfa
WHAT: {ticket=ST-2-********xCvZsnA-guacamole-01, service=https://guacamole-01:6443/xtam/}
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Wed May 31 08:52:48 UTC 2023
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================

2023-05-31 08:52:48,440 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================
WHO: mfa
WHAT: {principal=mfa, service=https://guacamole-01:6443/xtam/, renew=false, gateway=false}
ACTION: PROTOCOL_SPECIFICATION_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Wed May 31 08:52:48 UTC 2023
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================

2023-05-31 08:52:48,591 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================
WHO: mfa
WHAT: {principal=mfa, execution=true, provider=mfa-duo}
ACTION: MULTIFACTOR_AUTHENTICATION_BYPASS
APPLICATION: CAS
WHEN: Wed May 31 08:52:48 UTC 2023
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================

2023-05-31 08:52:48,592 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================
WHO: mfa
WHAT: {principal=mfa, execution=true, provider=mfa-duo}
ACTION: MULTIFACTOR_AUTHENTICATION_BYPASS
APPLICATION: CAS
WHEN: Wed May 31 08:52:48 UTC 2023
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.1.1
=============================================================

2023-05-31 08:52:48,602 WARN [org.apereo.cas.web.AbstractServiceValidateController] - <Cannot invoke "String.equals(Object)" because the return value of "org.apereo.cas.authentication.MultifactorAuthenticationProvider.getId()" is null

        DefaultMultifactorAuthenticationContextValidator.java:lambda$locateRequestedProvider$0:42
        ReferencePipeline.java:accept:178
        Spliterators.java:tryAdvance:1856
>
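For anyone triaging audit output like the records posted above, this added example (not code from the thread or from the CAS project) parses records in that layout and lists the unique MULTIFACTOR_AUTHENTICATION_BYPASS events, collapsing the repeats the log shows. The sample records and the function names are constructed for illustration; field values are reported as logged, without interpreting them.

```python
import re

# Constructed sample in the audit-record layout shown in the thread (values made up).
SAMPLE = """\
=============================================================
WHO: alice
WHAT: {ticket=ST-1-********-cas01, service=https://app.example.org/}
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
WHEN: Wed May 31 08:52:48 UTC 2023
=============================================================
WHO: alice
WHAT: {principal=alice, execution=true, provider=mfa-duo}
ACTION: MULTIFACTOR_AUTHENTICATION_BYPASS
WHEN: Wed May 31 08:52:48 UTC 2023
=============================================================
WHO: alice
WHAT: {principal=alice, execution=true, provider=mfa-duo}
ACTION: MULTIFACTOR_AUTHENTICATION_BYPASS
WHEN: Wed May 31 08:52:48 UTC 2023
=============================================================
"""

FIELD = re.compile(r"^([A-Z][A-Z ]*): (.*)$")

def parse_records(text):
    """Return one dict per block of 'KEY: value' lines between '=====' rulers."""
    records, current = [], {}
    for line in map(str.strip, text.splitlines() + ["====="]):
        if line.startswith("====="):
            if current:
                records.append(current)
            current = {}
        elif (m := FIELD.match(line)):
            # Timestamped logger lines and stack frames do not match and are skipped.
            current[m.group(1)] = m.group(2)
    return records

def what_fields(record):
    """Split the WHAT value '{k=v, k=v}' into a dict (values kept as text)."""
    body = record.get("WHAT", "").strip("{}")
    return dict(p.split("=", 1) for p in body.split(", ") if "=" in p)

def bypass_events(records):
    """Unique MULTIFACTOR_AUTHENTICATION_BYPASS records, repeats collapsed."""
    unique = {}
    for r in records:
        if r.get("ACTION") == "MULTIFACTOR_AUTHENTICATION_BYPASS":
            event = {"who": r.get("WHO"), "when": r.get("WHEN"), **what_fields(r)}
            unique.setdefault((r.get("WHO"), r.get("WHAT"), r.get("WHEN")), event)
    return list(unique.values())
```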
