Are you using latest 5.3.3 relaease or 5.3.4-SNAPSHOT? If you put logs in debug do you see an entry like this?
2018-09-22 11:22:10,821 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [RegisteredServiceMultifactorAuthenticationPolicyEventResolver]> On Sat, Sep 22, 2018 at 10:57 AM Dave B <[email protected]> wrote: > In testing, I have found that without > "cas.authn.mfa.globalProviderId=mfa-gauth" set in cas.properties, the only > way I can activate the MFA gauth flow is to set triggers, like: > cas.authn.mfa.globalPrincipalAttributeNameTriggers=something > cas.authn.mfa.globalPrincipalAttributeValueRegex=something > > So, unless I have something misconfigured, I assume that the presence of > multifactorPolicy with multifactorAuthenicationProviders specified in a > service registry entry is not sufficient to "trigger" the MFA flow. At > least in my case. > > > > On Friday, September 21, 2018 at 2:56:53 PM UTC-4, Dave B wrote: >> >> Running latest CAS 5.3 and just implemented MFA. My goal is to have MFA >> disabled globally but able to be turned on based only on inclusion service >> registry. >> >> However, I can not get MFA to work on any service unless >> cas.authn.mfa.globalProviderId set to a value, in my case mfa-gauth. >> >> With the settings below, ALL services, regardless of inclusion of >> "multifactorPolicy", require MFA. My only option is to explicitly exclude >> (bypass) all other services for which I don't want to require MFA. >> >> Is this intended behavior? >> >> Relevant config: >> cas.properties: >> cas.authn.mfa.globalProviderId=mfa-gauth >> cas.authn.mfa.globalFailureMode=CLOSED >> >> >> "multifactorPolicy" : { >> "@class" : >> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy", >> "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ >> "mfa-gauth" ] ], >> "failureMode" : "CLOSED" >> }, >> >> Thanks for any help! >> -Dave >> > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/d50562a2-ba8b-455f-8e46-bef22f222888%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/d50562a2-ba8b-455f-8e46-bef22f222888%40apereo.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC_RtEYRqU5FkvoPuzrr3JedwgV%3Du14r8%3DOxm-Rge9kW4FSeiA%40mail.gmail.com.
