I'm having a heck of a time setting up trustedDevice authentication
(outlined here:
https://apereo.github.io/cas/5.1.x/installation/Multifactor-TrustedDevice-Authentication.html)
under a fresh 5.1.2 install and I'm not sure if I'm misunderstanding the
feature altogether or simply configuring it incorrectly.
I set up the appropriate entry in the maven overlay to bring it in
(cas-server-support-trusted-mfa as artifactID), set up the
cas.properties entries and it's definitely being loaded. After an mfa
authentication (I'm using mfa-gauth), I get prompted to register the
device, but the minute I do so I get an error & stack trace - I see the
audit log register the name I gave it and other assorted info, but
immediately afterwards it throws an exception:
"org.springframework.webflow.execution.FlowExecutionException: Exception
thrown in state 'registerTrustedDevice' of flow 'login'"
Following that down, the underlying cause seems to be the following:
2017-07-21 10:32:58,064 ERROR
[org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]]
- <Servlet.service() for servlet [dispatcherServlet] in context with
path [/cas] threw exception [Request processing failed; nested exception
is org.springframework.webflow.execution.FlowExecutionException:
Exception thrown in state 'registerTrustedDevice' of flow 'login'] with
root cause>
java.lang.IllegalArgumentException: Cannot find state with id 'success'
in flow 'login' -- Known state ids are
'array<String>['initialAuthenticationRequestValidationCheck',
'ticketGrantingTicketCheck', 'initializeLoginForm', 'viewLoginForm',
'realSubmit', 'showAuthenticationWarningMessages',
'sendTicketGrantingTicket', 'generateServiceTicket',
'viewRedirectToUnauthorizedUrlView', 'viewServiceErrorView',
'redirectView', 'postView', 'viewGenericLoginSuccess',
'showWarningView', 'finalizeWarning', 'serviceUnauthorizedCheck',
'serviceCheck', 'warn', 'gatewayRequestCheck', 'hasServiceCheck',
'renewRequestCheck', 'terminateSession',
'gatewayServicesManagementCheck', 'serviceAuthorizationCheck',
'redirect', 'handleAuthenticationFailure', 'verifyTrustedDevice',
'checkRegistrationRequired', 'registerDeviceView',
'registerTrustedDevice', 'finishMfaTrustedAuth', 'mfa-gauth',
'casAuthenticationBlockedView', 'casBadWorkstationView',
'casBadHoursView', 'casAccountLockedView', 'casAccountDisabledView',
'casPasswordUpdateSuccessView', 'casExpiredPassView',
'casMustChangePassView']'
I'm using Java 1.8 on CentOS 7 and have tried deploying to Tomcat 8.5.16
as a WAR and using the embedded Tomcat, and am getting the same behavior in
both instances. Haven't tried other containers or tweaking much else at
this point.
Any ideas?
Matt