how to implement: move to next MFA provider?


Yan Zhou

Jan 14, 2026, 3:51:17 PM
to CAS Community
Hello,

CAS 7.3.1 overlay. At the user level, there is a principal attribute indicating the MFA options the user prefers, for instance, ["mfa-simple", "mfa-gauth"]; this user can do both simple-mfa and Google Authenticator.

During MFA login, I wish to implement this: if one MFA provider fails, move to the next MFA provider that the user supports. For instance, "simple-mfa" fails because the user is unable to get the OTP via SMS or email; he can click "Next MFA provider" and move to "mfa-gauth".

Looking at CasSimpleMultifactorWebflowConfigurer, I do not know how to tell the CAS webflow that mfa-simple has failed and move to the next MFA provider.

I am using Groovy to determine which MFA provider to activate for the user:
cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location=classpath:mfaProviderPredicate.groovy

thx,

Ray Bon

Jan 14, 2026, 5:34:28 PM
to cas-...@apereo.org
Could you display a list on a page and have the user select one?

Ray


Yan Zhou

Jan 15, 2026, 12:01:32 PM
to CAS Community, Ray Bon
I figured it out: if MFA provider ranks are specified, OR if there is a Groovy script that serves as an MFA provider trigger, MFA provider selection is no longer available. That is OK. What I did is 1) not specify MFA provider ranking, and 2) not use Groovy for triggers; instead, on each MFA provider, use a Groovy bypass script, so MFA is skipped if the user does not support the given provider. This is now working correctly for the initial login, i.e., the user is presented with the MFA providers that he has configured earlier.

I assume my understanding is correct? That is, triggers and provider selection cannot co-exist, only one can be specified?
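
A sketch of the per-provider bypass script described in the last message, written as an added example rather than code posted in the thread. It fails closed: when the attribute is missing or empty the provider still runs, because a bypass on every provider would otherwise let the user in with no second factor. Assumptions: the attribute name `mfaOptions` and the file name `mfaBypass.groovy` are hypothetical, the script returns true when the provider should run and false when it is bypassed, and the arguments are found by type instead of by position.

```groovy
import org.apereo.cas.authentication.MultifactorAuthenticationProvider
import org.apereo.cas.authentication.principal.Principal
import org.slf4j.Logger

// One script shared by every provider, for example:
//   cas.authn.mfa.simple.bypass.groovy.location=classpath:mfaBypass.groovy
//   cas.authn.mfa.gauth.bypass.groovy.location=classpath:mfaBypass.groovy
// (mfaBypass.groovy is a hypothetical file name.)
boolean run(final Object... args) {
    // Hypothetical attribute name; the thread does not say what it is called.
    final String attributeName = 'mfaOptions'

    // Assumption: locate arguments by type so the script does not depend
    // on the positional argument order of a particular CAS release.
    def principal = args.find { it instanceof Principal } as Principal
    def provider = args.find { it instanceof MultifactorAuthenticationProvider } as MultifactorAuthenticationProvider
    def logger = args.find { it instanceof Logger } as Logger

    // Attribute values such as ["mfa-simple", "mfa-gauth"], normalised to strings.
    def enrolled = (principal?.attributes?.get(attributeName) ?: [])
            .collect { it.toString().trim() }
            .findAll { it }

    // Fail closed: nothing to compare against means the provider is required.
    if (provider == null || enrolled.isEmpty()) {
        logger?.warn('No usable {} values for {}; requiring MFA', attributeName, principal?.id)
        return true
    }

    // true  -> this provider stays available to the user
    // false -> this provider is bypassed because the user did not enrol in it
    boolean required = enrolled.contains(provider.id)
    logger?.info('Provider {} required={} for {}', provider.id, required, principal?.id)
    return required
}
```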