I tried all different ways to get MFA triggers to work with CAS and let the user decide which one to use. Scenarios I tested:
Triggers:
Groovy Per Application - only works for a single provider
Principal Attribute - used a multi-valued attribute in LDAP, set to mfa-gauth and mfa-webathn, but CAS will pick one and not let the user decide
REST - only works if it returns a single provider
Principal Attribute Per Application - only works if it returns a single provider
Since those triggers weren't working to let the user decide the provider, I decided to activate globally
cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth,mfa-web-authn
and then used bypass rules such as groovy for each provider using
cas.authn.mfa.gauth.bypass.groovy.location
cas.authn.mfa.web-authn.bypass.groovy.location
boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    if (service.name == "myservicename") {
        logger.info("Evaluating principal attributes ${principal.attributes}")
        // multi-valued LDAP attribute; it may be absent, so use a null-safe call
        def bypass = principal.attributes['eduPersonAffiliation']
        if (bypass?.contains("staff")) {
            logger.info("Bypass for principal ${principal.id} is not allowed")
            // true: MFA for this provider proceeds (no bypass)
            return true
        }
    }
    // false: this provider is bypassed
    return false
}
This works to allow selection if the script returns true, but if it returns false CAS just sits at the MFA selection screen blank because no providers should be used. I would assume this is a bug or mis-config, because if no providers are found it should continue to log in to the application.
I don't really know what else to try or how to get multiple MFA providers to work based on attribute and value.
Any help with this would be appreciated.
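As an added example (not from the post above), here is a single bypass script that can be pointed to by both cas.authn.mfa.gauth.bypass.groovy.location and cas.authn.mfa.web-authn.bypass.groovy.location; it consults the provider argument, so the answer is per provider rather than the same for every provider. It assumes a multi-valued principal attribute named mfaProviders (a constructed name) holding CAS provider ids, and that the provider object exposes its id as provider.id.

```groovy
// Added example, not the original poster's script. One bypass script for
// every configured MFA provider: the provider currently being evaluated
// (args[3]) proceeds only when the principal's mfaProviders attribute
// (assumed attribute name) lists its id, otherwise it is bypassed.
boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]   // the provider under evaluation, e.g. mfa-gauth
    def logger = args[4]
    def httpRequest = args[5]

    // Attribute values may arrive as a single value or as a collection;
    // normalise to a list of strings and drop nulls.
    def raw = principal.attributes['mfaProviders']
    def allowed = (raw instanceof Collection ? raw : [raw])
            .findAll { it != null }
            .collect { it.toString() }

    // assumption: provider.id returns the provider id (mfa-gauth, mfa-web-authn)
    def providerId = provider.id
    logger.info("Evaluating provider ${providerId} for ${principal.id}; allowed=${allowed}")

    if (allowed.isEmpty()) {
        // no MFA assignment for this principal: bypass this provider
        logger.info("No mfaProviders attribute for ${principal.id}, bypassing ${providerId}")
        return false
    }

    // true: MFA with this provider proceeds; false: this provider is bypassed
    return allowed.contains(providerId)
}
```

Because the result is computed per provider, a principal whose attribute lists both ids is left with both providers eligible, while one that lists only mfa-gauth has mfa-web-authn bypassed.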