I tried all different ways to get MFA triggers to work with CAS and let the user decide which one to use. Scenarios I tested:

Triggers:

- Groovy Per Application - only works for single provider
- Principal Attribute - used multi-valued attribute in ldap, set to mfa-gauth and mfa-webathn, but CAS will pick one and not let user decide
- REST - Only works if it returns a single provider
- Principal Attribute Per Application - Only works if it returns a single provider

Since those triggers weren't working to let the user decide the provider, I decided to activate globally

    cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth,mfa-web-authn

and then used bypass rules such as groovy for each provider using

    cas.authn.mfa.gauth.bypass.groovy.location
    cas.authn.mfa.web-authn.bypass.groovy.location

    boolean run(final Object... args) {
        // Positional arguments passed to the bypass script
        def authentication = args[0]
        def principal = args[1]
        def service = args[2]
        def provider = args[3]
        def logger = args[4]
        def httpRequest = args[5]

        if (service.name == "myservicename") {
            logger.info("Evaluating principal attributes ${principal.attributes}")
            def bypass = principal.attributes['eduPersonAffiliation']
            // Null-safe call: the attribute may be missing for some principals
            if (bypass?.contains("staff")) {
                logger.info("Bypass for principal ${principal.id} is not allowed")
                return true
            }
        }
        return false
    }

This works to allow selection if the script returns true, but if it returns false CAS just sits at the MFA selection screen blank because no providers should be used. I would assume this is a bug or mis-config, because if no providers are found it should continue to login to the application.

I don't really know what else to try or how to get multiple MFA providers to work based on attribute and value.

Any help with this would be appreciated.