Tom,

Could it be that the Groovy script is returning null or a value that CAS does
not understand?

Ray

On Tue, 2024-05-07 at 06:49 -0700, tjan...@gmail.com wrote:

Hello!

I'm trying to trigger MFA even if the user is authenticated and the TGT 
participates in the existing SSO session, but somehow the behavior is 
inconsistent. I'm using OAuth authorization code flow and already somehow 
managed to execute a flow where after a call to /authorize, the user was NOT 
requested to authenticate (due to active SSO), but still the MFA policy was 
triggered as expected.

Now I'm unable to reproduce that. Instead, whenever I send a request to 
/authorize, I get redirected to the service redirect URL with an OAuth code in 
the query parameters. Instead, I would like the MFA provider to get triggered on 
each call to /authorize for this specific service.

In the service configuration I have defined:
"multifactorPolicy":{
  "@class":"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "script":"classpath:groovy/forceMfaPolicy.groovy",
  "bypassEnabled":"false",
  "forceExecution":"true"
}

What might be the correct way to enforce MFA even if an SSO session is active 
and being participated in?

Thank you!
Tom
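An added example, not the original poster's script and not code from the CAS project: the shape of a per-service MFA policy Groovy script that the "script" entry above would point at, written so that it returns a provider id on every evaluation and logs what it returns. That makes Ray's suggestion (a null or unrecognised return value) quick to confirm or rule out from cas.log. The argument order, the provider id "mfa-duo" and the property path named in the comments are assumptions; check them against the "Multifactor Authentication Triggers - Groovy Per Application" page for the CAS version in use.

```groovy
// forceMfaPolicy.groovy  (added example, not the original poster's file)
//
// CAS invokes run(...) when it evaluates the registered service's
// multifactorPolicy. Returning the id of a configured MFA provider selects
// that provider. Returning null, or an id that matches no configured
// provider, means "no MFA", and from the client's point of view that looks
// exactly like the policy never having been evaluated: /authorize simply
// redirects back with a code.
//
// ASSUMPTION: argument order for the CAS version in use is
//   service, registeredService, authentication, httpRequest, logger
// Verify this against the docs before deploying.

def run(final Object... args) {
    def (service, registeredService, authentication, httpRequest, logger) = args

    // ASSUMPTION: "mfa-duo" is the id of a provider actually configured in
    // cas.properties (e.g. the Duo provider's id). The returned value must
    // match a configured provider id exactly, or CAS cannot honour it.
    final String providerId = "mfa-duo"

    def principalId = authentication?.principal?.id
    logger.info("MFA policy script evaluated: service [{}], registered service [{}], principal [{}]",
            service?.id, registeredService?.name, principalId)

    if (principalId == null) {
        // Defensive branch: without an authenticated principal there is
        // nothing to force a second factor for. Log loudly so a null return
        // is never silent in cas.log.
        logger.warn("No authentication available for service [{}]; returning null (no MFA)", service?.id)
        return null
    }

    // Always require MFA for this service, regardless of the existing SSO
    // session. The service definition's "forceExecution": "true" asks CAS to
    // run this policy even when an SSO session already exists; the script
    // still has to return a provider id for anything to happen.
    logger.info("Forcing MFA provider [{}] for principal [{}] on service [{}]",
            providerId, principalId, service?.id)
    return providerId
}
```

With this in place, every /authorize for the service should produce the "Forcing MFA provider" log line; if the line is missing, the policy script is not being reached (check the resource path in "script" and that the service definition actually matches the request), and if it is present but MFA is still skipped, compare the returned id against the provider ids configured in cas.properties.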


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/981f2f1d17a6f914050cc8e1882464dc52c81275.camel%40uvic.ca.