global-principal-attribute-predicate not evaluated by cas

Frédéric Dussurget

Feb 13, 2026, 10:25:20 AM
to CAS Community
Context: CAS 7.3.4 / Redis 8 for tickets, services and MFA devices

Hi,
I would like to try the trigger defined here: https://apereo.github.io/cas/7.3.x/mfa/Configuring-Multifactor-Authentication-Triggers-Global-PrincipalAttribute-Predicate.html.
I've set this:
cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location: file:/etc/cas/config/mfa_predicate.groovy

But... this script is not evaluated when starting the webapp or in the authentication flow...
Nothing in the logs.
All other Groovy scripts are being evaluated in my context, such as cas.authn.mfa.groovy-script.location, cas.authn.mfa.gauth.bypass.groovy.location, etc., without any problem.
Did I miss something?

Some of the deps I used to compile:

    // MFA TOTP
    implementation "org.apereo.cas:cas-server-support-gauth"
    implementation "org.apereo.cas:cas-server-support-gauth-core"
    implementation "org.apereo.cas:cas-server-support-gauth-core-mfa"
    implementation "org.apereo.cas:cas-server-support-gauth-redis"

    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis"

    // MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"

    implementation "org.apereo.cas:cas-server-support-redis-authentication"
    implementation "org.apereo.cas:cas-server-support-redis-core"

    // GROOVY SCRIPTING
    implementation "org.apereo.cas:cas-server-core-scripting"


For info, the content of the Groovy script /etc/cas/config/mfa_predicate.groovy is below, but anyway, it does not seem to be read:

import org.apereo.cas.authentication.*
import java.util.function.*
import org.apereo.cas.services.*

class PredicateExample implements Predicate<MultifactorAuthenticationProvider> {

    def service
    def principal
    def providers
    def logger

    public PredicateExample(service, principal, providers, logger) {
        this.service = service
        this.principal = principal
        this.providers = providers
        this.logger = logger
    }

    @Override
    boolean test(final MultifactorAuthenticationProvider p) {
        logger.info("Testing provider {}", p.getId())
        if (p.matches("mfa-gauth")) {
           logger.info("Provider {} is available. Checking eligibility...", p.getId())
           if (p.isAvailable(this.service)) {
               logger.info("Provider {} matched. Good to go!", p.getId())
               return true;
           }
           logger.info("Skipping provider {}. Match failed.", p.getId())
           return false;
        }
        logger.info("Provider {} cannot be reached", p.getId())
        return false
    }
}
