MFA Trigger "Principal Attribute Per Application" defined but doesn't trigger

Skip to first unread message


Mar 2, 2022, 10:19:51 AMMar 2
to CAS Community
I have added the "Principal Attribute Per Application" MFA setting, CAS 6.4.6 , and MFA never triggers, if I remove the  principalAttributeNameTrigger and  principalAttributeValueToMatch it works just fine. I can see in the console and logs, the attribute values are retrieved from ldap and doesnt trigger still. See below, the attribute  eduPersonAffiliation=staff but doesnt trigger. Anything else need to be set to get it working?

console log:

multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn], failureMode=UNDEFINED, principalAttributeNameTrigger=eduPersonAffiliation, principalAttributeValueToMatch=staff, bypassEnabled=false, forceExecution=true, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null)

audit log:

"attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],


    "@class": "",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn"] ],
    "principalAttributeNameTrigger" : "eduPersonAffiliation",
    "principalAttributeValueToMatch" : "staff",


Mar 2, 2022, 12:17:24 PMMar 2
to CAS Community, John
With debug on I can see it being skipped?? Of course I have attributes defined and WANT it to trigger, and the attributes/values match and still says its skipping

DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Locating attribute value for attribute(s): [[eduPersonAffiliation]].>
DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[staff]] for [[eduPersonAffiliation]]>
DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [staff] is a single-valued attribute>
DEBUG [org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger] - <Authentication policy for [^(http|https)://*] has defined principal attribute triggers. Skipping...>


Mar 3, 2022, 7:49:02 PMMar 3
to CAS Community, John
This works fine when only one provider is defined but when you have multiple like  [ "mfa-gauth", "mfa-webauthn"] it doesn't trigger, changing to either  [ "mfa-gauth"] or  [ "mfa-webauthn"] triggers it. Are MFA triggers only allowed to return one provider? It works with multiple providers when no trigger is set so is this a bug?
Reply all
Reply to author
0 new messages