Issue with redirecting after interrupt


Alex Kauchak

Apr 30, 2026, 11:50:43 AM
to CAS Community
Hello, I am experiencing issues redirecting back properly from a CAS interrupt after adding cas.interrupt.cookie.crypto signing and encryption keys. I've enabled CAS duo and interrupt logs, without any real success in getting more info out of them. 

Here's the error I am seeing: 
Invalid/Unknown Webflow Configuration

You are seeing this error because the authentication flow cannot locate or validate the sequence of requested events and transitions and does not know how to route the flow to the next step. Current flow identifier is login and the current state identifier is duoUniversalPromptPrepareValidate.

The error message is:

No transition was matched on the event(s) signaled by the [1] action(s) that executed in this action state 'duoUniversalPromptPrepareValidate' of flow 'login'; transitions must be defined to handle action result outcomes -- possible flow configuration error? Note: the eventIds signaled were: 'array<String>['restore']', while the supported set of transitional criteria for this action state is 'array<TransitionCriteria>[skip, error, mfa-duo, success]'

Please examine the CAS server logs to find the root cause and additional details.




I am currently working with a config java file to try to apply changes that fix this, with no success. I have applied this file via including an import statement in it for src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports.


package org.apereo.cas.config;

import lombok.val;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.ActionState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

@AutoConfiguration
@EnableConfigurationProperties(CasConfigurationProperties.class)
/*
 * Force this to run AFTER the Duo module so we don't get
 * overwritten by the default Duo configuration.
 */
@AutoConfigureAfter(name = "org.apereo.cas.adaptors.duo.web.flow.config.DuoSecurityComponentSerializationConfiguration")
public class CasOverlayOverrideConfiguration {

    static {
        System.out.println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
        System.out.println("!!! JVM HAS LOADED CasOverlayOverrideConfiguration !!!");
        System.out.println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
    }

    @Bean
    public CasWebflowConfigurer customDuoWebflowConfigurer(
            ConfigurableApplicationContext applicationContext,
            CasConfigurationProperties casProperties,
            FlowDefinitionRegistry loginFlowDefinitionRegistry,
            FlowBuilderServices flowBuilderServices) {
        return new InnerDuoWebflowConfigurer(flowBuilderServices, loginFlowDefinitionRegistry,
                applicationContext, casProperties);
    }

    @Bean
    public CasWebflowExecutionPlanConfigurer customDuoWebflowExecutionPlanConfigurer(
            CasWebflowConfigurer customDuoWebflowConfigurer) {
        return plan -> plan.registerWebflowConfigurer(customDuoWebflowConfigurer);
    }

    @Order(Ordered.LOWEST_PRECEDENCE)
    private static class InnerDuoWebflowConfigurer extends AbstractCasWebflowConfigurer {
        public InnerDuoWebflowConfigurer(FlowBuilderServices flowBuilderServices,
                                         FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                         ConfigurableApplicationContext applicationContext,
                                         CasConfigurationProperties casProperties) {
            super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
        }

        @Override
        protected void doInitialize() {
            val stateId = "duoUniversalPromptPrepareValidate";

            // 1. Check the Main Login Flow
            val loginFlow = getLoginFlow();
            if (loginFlow != null) {
                if (containsFlowState(loginFlow, stateId)) {
                    System.out.println("!!! CAS 7.3: Found " + stateId + " in LOGIN flow. Injecting 'restore' transition.");
                    val state = (ActionState) loginFlow.getState(stateId);
                    createTransitionForState(state, "restore", "viewDuoUniversalPrompt");
                } else {
                    System.out.println("--- CAS 7.3: State " + stateId + " NOT found in LOGIN flow.");
                }
            }

            // 2. Check the MFA-DUO Flow (Usually where the state lives in 7.3)
            val duoFlow = getFlow("mfa-duo");
            if (duoFlow != null) {
                if (containsFlowState(duoFlow, stateId)) {
                    System.out.println("!!! CAS 7.3: Found " + stateId + " in MFA-DUO flow. Injecting 'restore' transition.");
                    val state = (ActionState) duoFlow.getState(stateId);
                    createTransitionForState(state, "restore", "viewDuoUniversalPrompt");
                } else {
                    System.out.println("--- CAS 7.3: State " + stateId + " NOT found in MFA-DUO flow.");
                }
            }
        }
    }
}

Ray Bon

Apr 30, 2026, 2:59:06 PM
to cas-...@apereo.org
Alex,

This is a spring web flow problem.
You set a state of 'restore' but it is not in the list of possible options (printed in error message).

What is it that you are trying to do, that you need a custom class?

Ray

P.S. You can add @Slf4j to your class and use LOGGER instead of System.out.println
When starting with a new class, I use LOGGER.error to make sure the log messages will print and are easy to find.


Alex Kauchak

Apr 30, 2026, 10:05:47 PM
to CAS Community, Ray Bon
I just need to handle interrupts being fired properly. It's still sending them, even with SSO established, because of not defining the keys I mentioned above. Now that I've done that, it seems there's an issue in the flow state going from the interrupt back to another part of the flow (success).

Ray Bon

Apr 30, 2026, 10:05:48 PM
to cas-user list
Alex,

If you have the crypto values set correctly, do you still need the custom configuration?

You can turn off crypto to see if that was the source of the problem (without the custom class) - default is true:
cas.interrupt.cookie.crypto.enabled=true

Is force execution set to true? - default is false:
cas.interrupt.core.force-execution=false

Does the behaviour happen with every service, or only some services that might not participate in SSO (this may be impacted by the trigger mode)?

Does this happen with users that are changing IP address?
pin-to-session is true by default:
cas.interrupt.cookie.pin-to-session=true

Ray

