We are evaluating using MFA on campus, and I've set up CAS to authenticate with Duo. I'm able to log in via CAS, then successfully navigate the Duo page and get logged into my service.

Now I'd like to test what happens if we can't communicate with Duo. In my service definition, failureMode is set to OPEN. I added a simple route reject on my Linux box to block communication with the Duo API server and tried to log in again, and now I'm getting a "request denied" message from my service. Logging the SAML response does indeed show that:

    <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="" IssueInstant="2018--04=20T15:25:33.987Z" MajorVersion="1" MinorVersion="1" ResponseID="_34633957fc8be038523a0d74b4bd5a21">
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:RequestDenied"/>
        <saml1p:StatusMessage>The validation request for ['ST-AAEFFIa9ztEEPxYo5BVSyfZGsWN09PkWxHDHKNItv+S35C1Lfa8VbiWC'] cannot be satisfied. The request is either unrecognized or unfulfilled.</saml1p:StatusMessage>
      </saml1p:Status>
    </saml1p:Response>

Reading the documentation, I thought failureMode OPEN would allow authentication to proceed with a success message to the service provider, based upon the successful login to LDAP. I also tried PHANTOM with the same result. If I remove the multifactorPolicy from my service, I'm able to log in without MFA without issue.

Running CAS 5.2.2.

Rob
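For readers following this thread, here is an added example (not Rob's configuration, which is not shown in the post) of what a CAS 5.2 JSON service definition with a per-service Duo multifactor policy and failureMode set to OPEN looks like. The service id, name, numeric id and the provider id "mfa-duo" are assumed values for illustration; the class names are the standard CAS 5.x ones.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.edu/.*",
  "name" : "ExampleApp",
  "id" : 10000001,
  "evaluationOrder" : 1,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  }
}
```

When checking fail-open behaviour, it is worth confirming that the policy block above is the one CAS actually loaded for the service (for example by looking for the service name in the CAS log at startup), and that the failure mode in the service definition is the one in effect rather than a global default.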