I am working on a project that uses Apereo CAS 5.x.x to handle user 
authentication, and users can activate MFA. When logging in, the user can 
use their Active Directory credentials or log in via Google OAuth (which is 
supported, as shown in the documentation 
<https://apereo.github.io/cas/6.6.x/mfa/GoogleAuthenticator-Authentication.html>).
 
Unfortunately, we have found that when the user logs in via Google OAuth, 
the MFA flow is broken.

If the user logs in with the AD credentials and tries to activate MFA, the 
operation works as expected. The user gets the page to activate MFA and 
after that the user is sent to the page to copy the codes, finish binding 
the authenticator application and is shown the success message at the end.

But if the user logs in with their Google account, the user is able to go 
to the initial page of the MFA activation process, and when the Activate 
button is clicked, the user is stuck in that view.

Researching how Apereo CAS works in its documentation 
<https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol.html#web-flow-diagram>, 
I have discovered that the process gets stuck here, as the URL in the browser 
looks like this:

[image: enter image description here] <https://i.stack.imgur.com/ZaUVY.png>

Also, in the application logs I have observed that when the AD credentials 
are used CAS says:

*Bypass rules determined MFA should execute for user [XXXXX] for provider 
[mfa-gauth]*

But if the Google credentials are used CAS says:

*Bypass rules determined MFA should NOT execute for user [XXXXX] for 
provider [mfa-gauth]*

And because of that, CAS issues a new session ticket:

*Finalizing authentication transactions and issuing ticket-granting ticket*
*Finalizing authentication event...*
*Creating ticket-granting ticket, potentially based on 
[********************************************************]*
*Located ticket-granting ticket in the context.*
*Retrieving associated authentication*
*Resulting authentication is different from the context*
*Attempting to issue a new ticket-granting ticket...*

I guess the crux of the matter is in this sentence:

*Resulting authentication is different from the context*

Because the application performs the redirection the way it should be done, 
with something like:

https://server/cas/login?renew=true&service=http%3A%2F%2Fwww.service.com/mfa&authn_method=mfa-gauth

as explained in the third example here in the documentation 
<https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-V2-Specification.html#212-url-examples-of-login>.

What is being done wrong? I am quite lost and have not been able to make 
any progress.
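The two log lines quoted above are the observable difference between the working and the broken flow: CAS decides per authentication whether the MFA provider executes or is bypassed, and that decision is logged. As an added example (not code from the poster or from the CAS project), the following Python script does two things a defender would want from this thread: it classifies CAS bypass-decision log lines so that "should NOT execute" decisions for a provider you expect to enforce can be surfaced for review, and it checks that an MFA login URL carries the `renew=true`, `service` and `authn_method` parameters the poster relies on. The log lines and the URL are taken from the post; the surrounding sample log (timestamps, user placeholder `XXXXX`) is constructed, and the message format is assumed to be exactly the wording quoted in the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Regex for the bypass-decision message as quoted in the post (assumed exact wording).
BYPASS_RE = re.compile(
    r"Bypass rules determined MFA should (?P<neg>NOT )?execute for user "
    r"\[(?P<user>[^\]]+)\] for provider \[(?P<provider>[^\]]+)\]"
)

# Constructed sample log: the two decisions from the post plus an unrelated line.
SAMPLE_LOG = [
    "2023-05-01 10:00:01 INFO  Bypass rules determined MFA should execute "
    "for user [XXXXX] for provider [mfa-gauth]",
    "2023-05-01 10:05:12 INFO  Finalizing authentication event...",
    "2023-05-01 10:05:13 INFO  Bypass rules determined MFA should NOT execute "
    "for user [XXXXX] for provider [mfa-gauth]",
]

# The redirect URL from the post.
LOGIN_URL = ("https://server/cas/login?renew=true"
             "&service=http%3A%2F%2Fwww.service.com/mfa&authn_method=mfa-gauth")


def parse_bypass_decision(line):
    """Return {user, provider, mfa_executes} for a bypass-decision line, else None."""
    m = BYPASS_RE.search(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "provider": m.group("provider"),
        # "NOT " present means the bypass rules suppressed MFA for this authentication.
        "mfa_executes": m.group("neg") is None,
    }


def find_mfa_bypasses(lines, expected_providers=("mfa-gauth",)):
    """Collect decisions where MFA was bypassed for a provider we expect to enforce."""
    bypasses = []
    for line in lines:
        d = parse_bypass_decision(line)
        if d and not d["mfa_executes"] and d["provider"] in expected_providers:
            bypasses.append(d)
    return bypasses


def check_mfa_login_url(url, expected_provider="mfa-gauth"):
    """Return a list of problems with a CAS login URL meant to force MFA; [] if fine."""
    q = parse_qs(urlparse(url).query)
    problems = []
    if q.get("renew", [""])[0].lower() != "true":
        problems.append("renew is not 'true': existing SSO session may be reused")
    if "service" not in q:
        problems.append("service parameter is missing")
    if q.get("authn_method", [""])[0] != expected_provider:
        problems.append(f"authn_method is not {expected_provider!r}")
    return problems


if __name__ == "__main__":
    for d in find_mfa_bypasses(SAMPLE_LOG):
        print(f"MFA bypassed for user {d['user']} on provider {d['provider']}")
    for p in check_mfa_login_url(LOGIN_URL):
        print("URL problem:", p)
```

Run against the post's own lines, the script reports one bypass (the Google OAuth login) and no problems with the URL, which matches the poster's reading that the URL is correct and the difference lies in how the bypass rules evaluate the second authentication. Feeding your real `cas.log` into `find_mfa_bypasses` is a cheap way to confirm whether every OAuth-originated login is being bypassed or only some of them.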
