how to implement: move to next MFA provider?


Yan Zhou

Jan 14, 2026, 3:51:17 PMJan 14
to CAS Community
Hello,

CAS 7.3.1 overlay. At the user level, there is a principal attribute indicating the MFA options the user prefers, for instance ["mfa-simple", "mfa-gauth"]: this user can do both simple-mfa and Google Authenticator.

During MFA login, I wish to implement this: if one MFA provider fails, move to the next MFA provider that the user supports. For instance, if "simple-mfa" fails because the user is unable to get the OTP via SMS or email, he can click "Next MFA provider" and move to "mfa-gauth".

Looking at CasSimpleMultifactorWebflowConfigurer, I do not know how to tell the CAS webflow that mfa-simple has failed and move to the next MFA provider.

I am using Groovy to determine which MFA provider to activate for the user:
cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location=classpath:mfaProviderPredicate.groovy

thx,

Ray Bon

Jan 14, 2026, 5:34:28 PMJan 14
to cas-...@apereo.org
Could you display a list on a page and have the user select one?

Ray


Yan Zhou

Jan 15, 2026, 12:01:32 PMJan 15
to CAS Community, Ray Bon
I figured it out: if MFA provider ranks are specified, or if there is a Groovy script that serves as an MFA provider trigger, MFA provider selection is no longer available. That is OK; what I did is 1) not specify MFA provider ranking, 2) not use Groovy for triggers; instead, on each MFA provider, use a Groovy bypass script so that MFA is skipped if the user does not support the given provider. This is now working correctly for the initial login, i.e., the user is presented with the MFA providers that he has configured earlier.

I assume my understanding is correct? That is, triggers and provider selection cannot co-exist; only one can be specified?
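A per-provider Groovy bypass script of the kind this reply describes, added here as an illustration and not taken from the thread or from CAS itself: it reads a principal attribute (assumed name mfaProviders, holding values like the ["mfa-simple", "mfa-gauth"] list from the first post) and lets the current provider run only when its id is listed. It assumes the CAS bypass convention that returning true means the provider executes and false means it is bypassed; confirm that against the bypass documentation for your CAS version.

```groovy
import groovy.transform.Field

// Wire the same file into each provider, e.g. for Google Authenticator:
//   cas.authn.mfa.gauth.bypass.groovy.location=file:/etc/cas/config/mfaBypass.groovy
// The script reads the provider id at runtime, so one copy serves every provider.

// Principal attribute listing the providers the user has set up (name assumed for this example).
@Field final String MFA_ATTRIBUTE = 'mfaProviders'

def run(final Object... args) {
    def (authentication, principal, registeredService, provider, logger, httpRequest) = args

    def providerId = provider.id.toString().trim().toLowerCase()        // e.g. "mfa-gauth"
    def values = principal.attributes?.get(MFA_ATTRIBUTE) ?: []

    // The attribute may arrive as a single value, a comma-separated string or a collection;
    // normalise everything to a set of lower-case provider ids.
    def enabled = (values instanceof Collection ? values : [values])
        .collectMany { it.toString().split(',').toList() }
        .collect { it.trim().toLowerCase() }
        .findAll { it } as Set

    // true = this provider runs; false = this provider is bypassed.
    def shouldRun = enabled.contains(providerId)

    if (enabled.isEmpty()) {
        // A user with nothing configured bypasses every provider and completes login with no MFA.
        // Decide explicitly whether that is acceptable, or enforce enrollment elsewhere.
        logger.warn("[{}] has no MFA providers configured; bypassing [{}]", principal.id, providerId)
    } else {
        logger.debug("[{}] provider [{}] run={} configured={}", principal.id, providerId, shouldRun, enabled)
    }
    return shouldRun
}
```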

Frédéric Dussurget

Jan 19, 2026, 11:32:37 AMJan 19
to CAS Community, Yan Zhou, Ray Bon
Hi Yan
I did quite the same thing. I'm just curious: how are your users registering their MFA methods and devices?

In my case, a user is autonomous and is able to register MFA devices (gauth and webauthn) on his own through the account manager.
Then I'm using bypass Groovy scripts to check if he has registered at least one device for each MFA provider. He gets the MFA selection menu if he has registered at least one provider. To do so I used those endpoints for both Groovy bypass scripts:
/cas/actuator/gauthCredentialRepository/${userId}
/cas/actuator/webAuthnDevices/${userId}
(notice that those endpoints are protected by ACLs in cas.monitor.endpoints.endpoint.gauthCredentialRepository/webAuthnDevices/multifactorTrustedDevices.access, allowing requests only from localhost for security purposes)
This way the user chooses when to activate his own providers and he does not have to access an external portal to activate MFA, or have admins force this behavior for a user through the attributeRepository.
Cons: when a user has registered only one MFA provider, the MFA provider selection menu still pops up. If anybody knows a trick … ;-)
Regards,