In our testing, Duo does seem to be required to trigger this behavior. If
we use a non-Duo-enabled user, or a service registration that does not use
Duo, it works as expected. It also appears to be tied to subsequent
authentications, as use of /cas/login?renew=true will reliably trigger it
(this seems consistent with logging out with /cas/logout and then logging
in again with /cas/login).

I've tested by stripping most things out of our CAS build except what was
necessary to trigger it and access our users. We have not added any
customizations except as defined in our build.gradle and cas.properties.

Our build.gradle includes the following dependencies:

    implementation "org.apereo.cas:cas-server-support-rest"   // I believe this is included in the default overlay template
    implementation "org.apereo.cas:cas-server-webapp-init"
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-duo"
    implementation "org.apereo.cas:cas-server-support-json-service-registry"

cas.properties:

cas.server.name=https://${uh.cas.public-name}
cas.server.prefix=${cas.server.name}/cas
management.endpoints.enabled-by-default=true
management.endpoints.web.base-path=/actuator
management.endpoints.web.exposure.include=info,health,status,throttles,duoPing
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127.0.0.1,
[...]
management.server.add-application-context-header=false
cas.service-registry.json.location=file://${uh.cas.base}/services
cas.service-registry.core.init-from-json=false
cas.tgc.crypto.enabled=true
cas.tgc.crypto.signing.key=SECRET
cas.tgc.crypto.encryption.key=SECRET
cas.webflow.crypto.signing.key=SECRET
cas.webflow.crypto.encryption.key=SECRET
cas.authn.accept.users=
cas.authn.ldap[0].ldap-url=ldaps://LDAP_HOST
cas.authn.ldap[0].bind-dn=cn=BIND_DN
cas.authn.ldap[0].bind-credential=SECRET
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].base-dn=LDAP_BASE
cas.authn.ldap[0].search-filter=uid={user}
cas.authn.ldap[0].principal-attribute-list=${uh.default.attributes}
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].duo-integration-key=SECRET
cas.authn.mfa.duo[0].duo-secret-key=SECRET
cas.authn.mfa.duo[0].duo-api-host=SECRET
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].trusted-device-enabled=false
cas.authn.attribute-repository.core.default-attributes-to-release=${uh.default.attributes}
cas.logout.follow-service-redirects=true
cas.slo.disabled=true
logging.config: file://${uh.cas.base}/config/log4j2.xml

FWIW, I tried using Duo applications of both type "CAS" and "Web SDK", but
it doesn't seem to make a difference here.


On Thu, Sep 14, 2023 at 10:58 AM Baron Fujimoto <ba...@hawaii.edu> wrote:

> I'm working through some additional testing to see if I can narrow it down
> further. One thing we noticed was that it seemed to be tied to Duo. We were
> seeing this issue when logging in with a Duo-enabled user, but not with a
> user that did not have Duo enabled. I'll post more info once I've been able
> to wrap up this additional testing.
>
> On Wed, Sep 13, 2023 at 8:09 PM Pablo Vidaurri <psvidau...@gmail.com>
> wrote:
>
>> Hi Baron, I happen to have RC7 installed for evaluation.
>>
>> I do not see the behavior you are describing while testing your scenarios.
>>
>> Did you add any customization or is this out of the box?
>>
>> Maybe share your cas.properties to review.
>>
>> -psv
>>
>> On Monday, September 11, 2023 at 9:04:18 PM UTC-5 Baron Fujimoto wrote:
>>
>>> While testing CAS 7 (RC7), we encountered either a puzzling bug, or some
>>> configuration effect we don't understand.
>>>
>>> Normally, if we don't specify an application for /cas/login, after
>>> authentication we expect to be directed to a "Log In Successful" page for
>>> an unknown target destination that displays the attributes and their values
>>> for the user. We've found, however, that once we've successfully logged in
>>> for a target destination we actually have a service registration for (e.g.
>>> "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom" [*]), any
>>> subsequent attempt to use /cas/login without a target destination always
>>> redirects us to the first target destination we successfully logged in to
>>> (e.g., example.com in this case). This even happens after /cas/logout, a
>>> new private/incognito browser window, or even a different browser, so it
>>> seems to be tied to the CAS server itself.
>>>
>>> [*] For example, with the following JSON service registration for
>>> example.com:
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>>>   "name" : "Example_Default_MFA",
>>>   "serviceId" : "^https://example\\.com(/.*)*",
>>>   "description" : "Default MFA Test example.com",
>>>   "id" : 20230720150127,
>>>   "evaluationOrder" : 10000009,
>>>   "multifactorPolicy" : {
>>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>>>     "failureMode" : "OPEN"
>>>   }
>>> }
>>>
>>> If we restart CAS, and try just "/cas/login", we get the expected
>>> attributes results page. If we then try
>>> "/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom", we get the
>>> expected example.com page. But if we then try just "/cas/login" again, we
>>> are only directed back to example.com as previously described.
>>>
>>> Only restarting CAS seems to clear the condition. After restart, if we
>>> first try it with the example.com target, then without logging out try it
>>> without a target using just "/cas/login", we get the expected attributes
>>> page. However, if we then logout with "/cas/logout" and then once again use
>>> just the target-less "/cas/login", we get directed back to example.com
>>> rather than the attributes page.
>>>
>>> --
>>> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
>>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b8b2276e-33fa-46cd-8ed2-5e1316fad768n%40apereo.org.
>>
>
>
> --
> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>


-- 
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL09yyN5_wADksgFPs2HFen3sKts91kpQPXzsL0DmDwPOg%40mail.gmail.com.
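The reproduction sequence the thread walks through (target-less /cas/login, then a renewed login to a registered service, then target-less /cas/login again) is easy to get wrong by hand across browsers and incognito windows, so here is an added harness that runs it as three un-followed GETs and classifies each answer. This is example code written for this page, not code from the thread or from the CAS project. Assumptions: the base URL https://cas.test, the service https://example.com, and the "Log In Successful" marker string are placeholders; a live run needs the session cookie of a browser that has already passed LDAP and Duo, passed through as an opaque Cookie header (nothing here performs Duo); FakeStickyCas is a constructed stand-in that models only the reported symptom so the harness runs offline.

```python
"""Added repro harness for the thread's "sticky service" symptom: after a
renewed login to a registered service, does a target-less /cas/login still
render the "Log In Successful" attributes page, or redirect to that service?
Base URL, service URL and marker string are assumptions; FakeStickyCas is a
constructed stand-in so the harness runs offline."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SUCCESS_MARKER = "Log In Successful"  # heading the thread reports on the attributes page


@dataclass
class Response:
    status: int
    location: Optional[str]  # Location header on a redirect
    body: str


Fetcher = Callable[[str], Response]  # GET one URL without following redirects


def login_url(base: str, service: Optional[str] = None, renew: bool = False) -> str:
    """Build /cas/login with the same parameters the thread uses."""
    params: Dict[str, str] = {}
    if renew:
        params["renew"] = "true"
    if service:
        params["service"] = service
    return f"{base}/cas/login" + (f"?{urlencode(params)}" if params else "")


def classify(resp: Response) -> str:
    """Reduce a response to 'attributes-page', 'redirect:<host>' or 'other:<status>'."""
    if resp.status in (301, 302, 303, 307, 308) and resp.location:
        return "redirect:" + urlparse(resp.location).netloc
    if resp.status == 200 and SUCCESS_MARKER in resp.body:
        return "attributes-page"
    return f"other:{resp.status}"


def run_sequence(base: str, service: str, fetch: Fetcher) -> List[Tuple[str, str]]:
    """The three requests from the report, in order, each reduced by classify()."""
    steps = [
        ("target-less login before any service login", login_url(base)),
        ("renewed login to the registered service", login_url(base, service, renew=True)),
        ("target-less login after the service login", login_url(base)),
    ]
    return [(name, classify(fetch(url))) for name, url in steps]


def sticky_service_detected(results: List[Tuple[str, str]], service: str) -> bool:
    """True when step 1 gave the attributes page but step 3 bounced to the service."""
    host = urlparse(service).netloc
    first, second, third = (outcome for _, outcome in results)
    return first == "attributes-page" and second == third == f"redirect:{host}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def make_urllib_fetcher(cookie_header: Optional[str] = None) -> Fetcher:
    """Fetcher for a live server. The session cookie from a browser login that has
    already passed LDAP and Duo is passed through opaquely; nothing here does Duo."""
    opener = urllib.request.build_opener(_NoRedirect())

    def fetch(url: str) -> Response:
        req = urllib.request.Request(url)
        if cookie_header:
            req.add_header("Cookie", cookie_header)
        try:
            with opener.open(req, timeout=15) as r:
                return Response(r.status, r.headers.get("Location"), r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            return Response(e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace"))

    return fetch


class FakeStickyCas:
    """Constructed stand-in (not CAS code): after a login with ?service=..., a
    target-less login redirects there when sticky=True, else shows the page."""

    def __init__(self, sticky: bool) -> None:
        self.sticky = sticky
        self.last_service: Optional[str] = None

    def __call__(self, url: str) -> Response:
        service = parse_qs(urlparse(url).query).get("service", [None])[0]
        if service:
            self.last_service = service
            return Response(302, service, "")
        if self.sticky and self.last_service:
            return Response(302, self.last_service, "")
        return Response(200, None, f"<h2>{SUCCESS_MARKER}</h2>")
```

Against a real server, call run_sequence("https://cas.example.edu", "https://example.com", make_urllib_fetcher("TGC=...")) with the cookie copied from an authenticated browser; run it once before and once after the service login to see whether the third outcome flips from attributes-page to redirect:example.com, and restart CAS between runs since the thread reports that only a restart clears the condition. Separately, the registration quoted above sets failureMode to OPEN, which in CAS lets authentication complete without Duo when the provider cannot be reached; that is the documented meaning of OPEN rather than a bug, but it is worth confirming it is the policy intended for anything beyond a test service.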
