MFA not triggered when service is configured to force MFA


Thorsten Ott
Jun 21, 2022, 3:55:13 AM
to CAS Community

Hi,

we set up CAS to authenticate a lot of applications. To increase security we started to activate MFA authentication for some registered services / applications.

So we activated MFA for some CAS services, and the CAS server will request a second factor to do an MFA on the first login. It will also ask for a second factor in case the user authenticates first for a non-MFA application and then opens an MFA application (at least for applications using the CAS protocol).

This behavior will not work for SAML applications configured to require MFA: when the user is not authenticated and opens the SAML application, they will be prompted to log in with credentials and provide a second factor to do the MFA login. That's correct behavior. But when the user authenticated earlier to an application without MFA and then opens the SAML application requiring MFA, the CAS service is not requesting MFA.

The MFA handling for SAML services seems to be only triggered on the first/initial authentication. In case the user is already authenticated earlier, MFA is not triggered at all - even if the initial authentication was done without MFA!

This all seems to be a bug in handling MFA with SAML services. But we also did not see any other issues describing this problem. So we're unsure.

Maybe someone can tell us a) if this problem can be reproduced, b) if this problem is a bug, c) if this problem is fixed in another release (we also tried to upgrade, but this did not fix the problem).

Thanks for any feedback on this topic. Since it's a security-related problem we hope to get a fast reply and potentially a fast fix in the next release.

Kind regards,

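An added example, not part of the post above and not CAS project code: the failure mode described is an IdP that reuses an existing SSO session and issues a SAML assertion for an MFA-required service without having run a second factor. Whatever the IdP-side fix turns out to be, the relying party can refuse to trust such an assertion on its own: after signature validation, read the `AuthnContextClassRef` of every `AuthnStatement` and fail closed unless it names a context class that means MFA, optionally also bounding how old the `AuthnInstant` is. The Response documents below are constructed samples, not captured from a real CAS instance; the accepted context-class URIs (REFEDS MFA and TimeSyncToken) are an assumption about what the IdP has been configured to emit after a second factor, and the signature check is assumed to have happened before this code runs.

```python
"""SP-side guard: reject SAML assertions that do not prove MFA was performed.

Assumes the Response/Assertion signature has ALREADY been validated elsewhere;
this only inspects the authentication context and its freshness.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Context classes this SP accepts as proof of a second factor. ASSUMPTION: the IdP
# is configured to emit one of these only after MFA actually ran.
MFA_CONTEXT_CLASSES = frozenset({
    "https://refeds.org/profile/mfa",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
})
# What a password-only SSO session typically yields.
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed evaluation time for the samples below (not a real event).
NOW = datetime(2022, 6, 21, 7, 55, 13, tzinfo=timezone.utc)


def build_response(context_class, authn_instant: str) -> str:
    """Constructed sample Response (not from a real IdP). context_class=None
    omits the AuthnStatement entirely, modelling a malformed assertion."""
    statement = "" if context_class is None else f"""
    <saml:AuthnStatement AuthnInstant="{authn_instant}">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>"""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2022-06-21T07:55:13Z">
  <saml:Issuer>https://cas.example.org/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-06-21T07:55:13Z">
    <saml:Issuer>https://cas.example.org/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>{statement}
  </saml:Assertion>
</samlp:Response>"""


# The scenario from the post: password login 45 minutes ago, SSO session reused,
# assertion issued to the MFA-required SP with a password-only context.
SSO_REUSED = build_response(PASSWORD_ONLY, "2022-06-21T07:10:02Z")
# The expected case: second factor performed seconds before the assertion.
MFA_FRESH = build_response("https://refeds.org/profile/mfa", "2022-06-21T07:55:10Z")
# Degenerate case: no AuthnStatement at all.
NO_STATEMENT = build_response(None, "")


def authn_context_classes(response_xml: str) -> list:
    """Every AuthnContextClassRef in the response, one per AuthnStatement."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [el.text.strip() for el in root.iterfind(path, NS) if el.text]


def authn_age_seconds(response_xml: str, now: datetime) -> float:
    """Seconds between the oldest AuthnInstant and `now`: how stale the login is."""
    root = ET.fromstring(response_xml)
    instants = [
        datetime.strptime(el.get("AuthnInstant"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for el in root.iterfind(".//saml:AuthnStatement", NS)
        if el.get("AuthnInstant")
    ]
    if not instants:
        raise ValueError("assertion carries no AuthnInstant")
    return (now - min(instants)).total_seconds()


def assertion_satisfies_mfa(response_xml: str, now: datetime, max_age_seconds: int = 600) -> bool:
    """Fail closed: accept only if every AuthnStatement names an accepted MFA
    class and the underlying authentication is no older than max_age_seconds."""
    classes = authn_context_classes(response_xml)
    if not classes or any(c not in MFA_CONTEXT_CLASSES for c in classes):
        return False
    return authn_age_seconds(response_xml, now) <= max_age_seconds


if __name__ == "__main__":
    for label, resp in (("sso-reused", SSO_REUSED), ("mfa-fresh", MFA_FRESH), ("no-statement", NO_STATEMENT)):
        print(label, authn_context_classes(resp), assertion_satisfies_mfa(resp, NOW))
```

The freshness bound is a second, independent signal: whether the IdP refreshes `AuthnInstant` on a step-up is IdP-specific, so tune `max_age_seconds` (or disable the bound by passing a very large value) only after observing what the IdP actually emits. This check mitigates the relying party's exposure; it does not replace fixing MFA enforcement on the IdP.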