Mr. Bond,

Thanks for your response. According to the docs[1] there are two ways to use the Global Principal Attribute[1]

> Trigger MFA based on a principal attribute(s) whose value(s) matches a regex pattern. Note that this
> behavior is only applicable if there is only a single MFA provider configured, since that would allow
> CAS to know what provider to next activate.

I believe this is the method you have described, which has the end result [in your case] that any user in the group 'CN=mfa-eligible,OU=DuoMFA,OU=Groups,DC=nsuok,DC=edu' will need to use the MFA method specified by `cas.authn.mfa.globalProviderId`.

I would like to support multiple MFA options and have the user indicate the MFA they want to use via LDAP. For this I thought I could configure CAS using the second option

> Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY matches an MFA provider.
> This option is more relevant if you have more than one provider configured or if you have the flexibility
> of assigning provider ids to attributes as values.

[1] https://apereo.github.io/cas/6.0.x/mfa/Configuring-Multifactor-Authentication-Triggers.html#global-principal-attribute

On Wed, Aug 14, 2019 at 9:23 PM 'Robert Bond' via CAS Community <[email protected]> wrote:

> Here is what I think you need
> # Activate MFA globally based on principal attributes
> cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
> # Specify the regular expression pattern to trigger multifactor when
> # working with a single provider.
> cas.authn.mfa.globalPrincipalAttributeValueRegex=mfa-gauth
>
> Let me know if that works for you.

I tried this and it made no difference, which surprised me as I had assumed it would complain about a missing cas.authn.mfa.globalProviderId. However, I wonder if simply having more than one provider disables this function.
The comment hints at this
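Added example, not part of the original message and not CAS source code: a small Python model of the two trigger behaviours quoted from the documentation above, useful for reasoning about which provider a given principal should land on. The function name, the sample principals, the `mfa-duo` provider in the sample list, and the use of a full-string regex match are assumptions; the model also assumes the trigger attribute has actually been resolved onto the principal.

```python
import re

def select_mfa_provider(attributes, trigger_attrs, providers, value_regex=None):
    """Return the provider id to activate, or None when MFA is not triggered.

    attributes    -- principal attributes, name -> value or list of values
    trigger_attrs -- names listed in globalPrincipalAttributeNameTriggers
    providers     -- ids of the MFA providers configured on the server
    value_regex   -- globalPrincipalAttributeValueRegex, if set
    """
    values = []
    for name in trigger_attrs:
        raw = attributes.get(name, [])
        values.extend([raw] if isinstance(raw, str) else raw)

    # Option 1: regex match. Per the quoted docs this only applies when
    # exactly one provider is configured, so the provider is unambiguous.
    if value_regex and len(providers) == 1:
        pattern = re.compile(value_regex)
        matched = any(pattern.fullmatch(v) for v in values)
        return providers[0] if matched else None

    # Option 2: the attribute value must EXACTLY equal a provider id.
    for value in values:
        if value in providers:
            return value
    return None

# Constructed sample data (not taken from any real directory).
TRIGGERS = ["businessCategory"]
ALICE = {"uid": "alice", "businessCategory": ["mfa-gauth"]}
BOB = {"uid": "bob", "businessCategory": ["mfa-duo"]}
CAROL = {"uid": "carol", "businessCategory": ["staff"]}
DAVE = {"uid": "dave"}  # trigger attribute never resolved for this principal

if __name__ == "__main__":
    both = ["mfa-duo", "mfa-gauth"]
    for person in (ALICE, BOB, CAROL, DAVE):
        chosen = select_mfa_provider(person, TRIGGERS, both, "mfa-gauth")
        print(person["uid"], "->", chosen)
```

A principal that lacks the trigger attribute (like `dave`) never triggers MFA in either mode, so confirming that the attribute is present on the authenticated principal is the first thing to check when a trigger appears to do nothing.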
