We are evaluating using MFA on campus, and I've set up CAS to authenticate 
with Duo.  I'm able to log in via CAS, and then successfully navigate the 
Duo page and get logged into my service.

Now I'd like to test what happens if we can't communicate with Duo.

In my service definition, failureMode is set to OPEN.  

I added a simple route reject on my Linux box to block communication with 
the Duo API server, and tried to log in again, and now I'm getting a request 
denied message from my service.  Logging the SAML response does indeed show 
that:

<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
InResponseTo="" IssueInstant="2018-04-20T15:25:33.987Z" MajorVersion="1" 
MinorVersion="1" ResponseID="_34633957fc8be038523a0d74b4bd5a21">
    <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:RequestDenied"/>
        <saml1p:StatusMessage>The validation request for 
['ST-AAEFFIa9ztEEPxYo5BVSyfZGsWN09PkWxHDHKNItv+S35C1Lfa8VbiWC'] cannot be 
satisfied. The request is either unrecognized or 
unfulfilled.</saml1p:StatusMessage>
    </saml1p:Status>
</saml1p:Response>

Reading the documentation, I thought failureMode OPEN would allow 
authentication to proceed with a success message to the service provider 
based upon the successful login to LDAP.  I also tried PHANTOM with the 
same result.

If I remove the multifactorPolicy from my service, I'm able to log in 
without MFA without issue.

Running CAS 5.2.2.

Rob

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/94a7497d-029b-4727-9d07-dc55f9e043ce%40apereo.org.
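Rob's service definition is not included in the post, so for readers checking their own setup against it, here is an added example (not from this thread and not taken from the CAS project's own files) of a CAS 5.2-style JSON service registry entry in which the multifactorPolicy block carries the failureMode. The serviceId, name, id and the provider identifier "mfa-duo" are assumed values; the point to check is that failureMode is an attribute of the multifactorPolicy object, not of the service itself, and that the provider id listed there matches the id of the configured Duo provider.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "ExampleServiceProvider",
  "id" : 100,
  "description" : "Assumed example service; not a real registration",
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  }
}
```

The recognised values for failureMode in this version are OPEN, CLOSED, PHANTOM and NONE; when a service does not set one, the CAS-wide default from cas.authn.mfa.globalFailureMode applies. Whether OPEN or PHANTOM takes effect at all depends on CAS actually judging the Duo provider to be unavailable via its own availability check, so when reproducing the test above, the CAS server log lines around that check (rather than the SAML response seen by the service) are the place to confirm which path was taken; a route reject that fails the connection immediately and a firewall drop that leaves it hanging until a timeout may not be treated the same way.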
