I have added the "Principal Attribute Per Application" MFA setting, CAS 6.4.6, and MFA never triggers. If I remove the principalAttributeNameTrigger and principalAttributeValueToMatch, it works just fine. I can see in the console and logs that the attribute values are retrieved from LDAP, and it still doesn't trigger. See below: the attribute eduPersonAffiliation=staff but it doesn't trigger. Does anything else need to be set to get it working?

console log:
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn], failureMode=UNDEFINED, principalAttributeNameTrigger=eduPersonAffiliation, principalAttributeValueToMatch=staff, bypassEnabled=false, forceExecution=true, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null)

audit log:
"attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],

service:
"multifactorPolicy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn"] ],
  "principalAttributeNameTrigger" : "eduPersonAffiliation",
  "principalAttributeValueToMatch" : "staff",
},