I'm working through some additional testing to see if I can narrow it down
further. One thing we noticed was that it seemed to be tied to Duo. We were
seeing this issue when logging in with a Duo-enabled user, but not with a
user that did not have Duo enabled. I'll post more info once I've been able
to wrap up this additional testing.

On Wed, Sep 13, 2023 at 8:09 PM Pablo Vidaurri <psvidau...@gmail.com> wrote:

> Hi Baron, I happen to have RC7 installed for evaluation.
>
> I do not see the behavior you are describing while testing your scenarios.
>
> Did you add any customization or is this out of the box?
>
> Maybe share your cas.properties to review.
>
> -psv
>
> On Monday, September 11, 2023 at 9:04:18 PM UTC-5 Baron Fujimoto wrote:
>
>> While testing CAS 7 (RC7), we encountered either a puzzling bug, or some
>> configuration effect we don't understand.
>>
>> Normally, if we don't specify an application for /cas/login, after
>> authentication we expect to be directed to a "Log In Successful" page for
>> an unknown target destination that displays the attributes and their values
>> for the user. We've found, however, that once we've successfully logged in
>> for a target destination we actually have a service registration for (e.g.
>> "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom" [*]), any
>> subsequent attempts to use /cas/login without a target destination always
>> redirect us to the first successful target destination we successfully log
>> in to (e.g., example.com in this case). This even happens after
>> /cas/logout, a new private/incognito browser window, or even a different
>> browser, so it seems to be tied to the CAS server itself.
>>
>> [*] For example, with the following JSON service registration for
>> example.com:
>>
>> {
>>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>>   "name" : "Example_Default_MFA",
>>   "serviceId" : "^https://example\\.com(/.*)*",
>>   "description" : "Default MFA Test example.com",
>>   "id" : 20230720150127,
>>   "evaluationOrder" : 10000009,
>>   "multifactorPolicy" : {
>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>>     "failureMode" : "OPEN"
>>   }
>> }
>>
>> If we restart CAS, and try just "/cas/login", we get the expected
>> attributes results page. If we then try
>> "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom", we get the
>> expected example.com page. But if we then try just "/cas/login" again, we
>> are only directed back to example.com as previously described.
>>
>> Only restarting CAS seems to clear the condition. After restart, if we
>> first try it with the example.com target, then without logging out try it
>> without a target using just "/cas/login" we get the expected attributes
>> page. However, if we then logout with "/cas/logout" and then once again
>> use just the target-less "/cas/login", we get directed back to
>> example.com rather than the attributes page.
>>
>> --
>> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b8b2276e-33fa-46cd-8ed2-5e1316fad768n%40apereo.org.
>


-- 
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
