Not sure if this is a weird local config or some sort of bug.
I have these set globally in cas.properties.
cas.authn.mfa.duo[0].bypass.principal-attribute-name=mfaDisable
cas.authn.mfa.duo[0].bypass.principal-attribute-value=nomfa
When SAML IdP support is included in the WAR overlay with:
implementation "org.apereo.cas:cas-server-support-saml-idp",
I get a NullPointerException after the Duo Push when the mfaDisable attribute is null.
and I include it in the list of released attributes in the service definition like this:
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn", "uid", "displayName", "memberOf", "mfaDisable", "sAMAccountName", "departmentNumber" ] ]
}
If I remove it from this list, there is no exception. The departmentNumber attribute is also null and does not trigger the exception.
If the mfaDisable attribute has a value, the exception is not triggered.
Also, if I remove SAML IdP support from the WAR overlay, it does not trigger an exception.
My workaround for now is to remove the mfaDisable attribute while keeping SAML support.
Any ideas?