CAS 7.2 – Per Application MFA Trigger does not execute GAuth registration flow (QR), while Global MFA works correctly


Christian

Feb 16, 2026, 8:55:22 AM (10 days ago) Feb 16
to CAS Community

Hello,

I am implementing Per Application – Multifactor Authentication Triggers in CAS 7.1.5 using Google Authenticator (mfa-gauth) with MongoDB token storage.

The module used is:

implementation "org.apereo.cas:cas-server-support-gauth-mongo"

Google Authenticator configuration in cas.properties (issuer, label, crypto keys, mongo, etc.) is correctly set up. The flow works properly when using Global Multifactor Authentication Trigger.


Per Application configuration

The registered service contains:

"multifactorPolicy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "multifactorAuthenticationProviders" : [ "mfa-gauth" ],
  "bypassEnabled" : false,
  "forceExecution" : true
}

Problem

When using Per Application MFA Trigger:

  • If the user already has a registered TOTP token → MFA works correctly.

  • If the user does NOT have a registered device → CAS grants login directly.

  • The Google Authenticator registration flow (QR page) is NOT triggered.

  • Logs only show SERVICE_TICKET_CREATED.

However, when configuring Global Multifactor Authentication Trigger, the behavior is correct:

  • If the user has no registered device → CAS redirects automatically to the QR registration flow.

  • MFA is properly enforced.


Expected behavior

I would expect Per Application MFA to behave the same way:

  • Trigger device registration flow when no device exists.

  • Prevent service ticket issuance until MFA registration is completed.


Question

Is this the expected behavior of Per Application MFA in CAS 7.1.5?
Is there any additional property or configuration required to force device registration when MFA is defined at the service level?

Here are my cas.properties settings:

cas.authn.mfa.gauth.core.issuer=CAS
cas.authn.mfa.gauth.core.label=Junta de Andalucía
cas.authn.mfa.gauth.crypto.encryption.key=6t1qRsYDqCtFIgrpOzfQLMOMOpxgRICaOX0VV3fBT1aoK4BLuLrPU8fIsmFv0UhcwrWhHSWnCu5tbhJX3YzRbg
cas.authn.mfa.gauth.crypto.signing.key=hBjeTTDTkKVr4uHB9og_M0GPQ01TcmywTRTE4fFWr0fdt87S3y6VyI76PG4ZqIQaVA1BKn3CFwq1cyGtuKYm2Q

cas.authn.mfa.gauth.mongo.client-uri= #MY MONGODB#
cas.authn.mfa.gauth.mongo.token-collection=gauth_tokens

Thank you.

Frédéric Dussurget

Feb 17, 2026, 9:27:58 AM (9 days ago) Feb 17
to CAS Community, Christian
Hi Christian,
Just in case: in 7.3 (and I think 7.2 too, as you mentioned in your title) the per-application MFA trigger has the behavior you're looking for.
In case you're using the native CAS account manager (aka the Palantir thing), CasFeatureModule.AccountManagement.enabled: true, you cannot handle the /cas/login URL within a service: it won't be matched by any service, so MFA won't be triggered by a service and users will access their MFA device manager directly, which might be a problem.
regards,

Christian

Feb 18, 2026, 8:59:11 AM (8 days ago) Feb 18
to CAS Community, Frédéric Dussurget, Christian

Hi Frédéric,

Thank you for your previous response.

I am currently running CAS 7.2.7, which (as mentioned) should already include the corrected behavior for Per-Application MFA triggers.

I have configured my registered service in MongoDB with the following multifactorPolicy:

multifactorPolicy : {
  "_class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "multifactorAuthenticationProviders" : [
    "java.util.LinkedHashSet",
    [
      "mfa-gauth"
    ]
  ],
  "bypassEnabled" : false,
  "forceExecution" : true
}

The Google Authenticator configuration in cas.properties remains the same (issuer, label, crypto keys, Mongo token storage, etc.).

However, the behavior is still the following:

  • When I access:
    http://localhost:8080/cas/login?service=MyService

  • I enter username and password

  • CAS immediately grants a service ticket

  • The Google Authenticator MFA screen is NOT shown

  • If the user does not have a registered device, the registration (QR) flow is not triggered

If I enable Global MFA Trigger instead, everything works correctly:

  • Users without a registered device are redirected to the registration flow

  • MFA is properly enforced before issuing the service ticket

So even on 7.2.7, Per-Application MFA does not appear to enforce device registration.

My questions are:

  1. Is there any additional configuration required in 7.2.7 to force device registration when MFA is defined at the service level?

  2. Does Per-Application MFA require a specific trigger configuration beyond the multifactorPolicy block?

  3. Could this be related to Account Management being enabled?

Thank you for your help.

Best regards,
Christian

Frédéric Dussurget

Feb 19, 2026, 7:27:42 AM (7 days ago) Feb 19
to CAS Community, Christian, Frédéric Dussurget
Hi Christian,
I have quite the same configuration as yours in service/cas.properties (except mongo).
Is the right service being matched? Do you have these lines in DEBUG mode:
DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://urlmyservice...]>#033[m
[2026-02-19 09:48:33] [info] #033[36m2026-02-19 09:48:33,901 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [^h https://urlmyservice... .*] with id [your_exact_service_id_here] in context scope>#033[m
Could another service be matching your request before this one? (Even a disabled service would do that...)

(And just in case, you have a typo in your service definition: "_class" vs "@class".)
Regards
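Frédéric's two checks (is the intended service the one actually matched, and is the multifactorPolicy block well-formed) can be done offline against the service-registry JSON before turning on DEBUG logging. The script below is an added example written for this thread, not code from CAS or from either poster. It assumes the JSON service-registry shape (serviceId regex, evaluationOrder, accessStrategy.enabled, multifactorPolicy) and approximates CAS's regex matching with Python's re.search, which is an assumption; the two service definitions and the log line are constructed, with the second service deliberately carrying the "_class" typo discussed above and the first being a broad disabled catch-all that shadows it.

```python
"""Offline checks for a CAS per-application MFA policy: which service a URL would match,
and whether the matched service's multifactorPolicy block is usable."""
import json
import re

POLICY_CLASS = "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"

# Constructed sample service definitions in JSON service-registry shape (not from the thread).
# The catch-all has the lower evaluationOrder and is disabled; MyService carries the "_class" typo.
SERVICES_JSON = [
    r'''{
      "@class" : "org.apereo.cas.services.CasRegisteredService",
      "serviceId" : "^https://.*",
      "name" : "catch-all",
      "id" : 100,
      "evaluationOrder" : 5,
      "accessStrategy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled" : false
      }
    }''',
    r'''{
      "@class" : "org.apereo.cas.services.CasRegisteredService",
      "serviceId" : "^https://myservice\\.example\\.org/.*",
      "name" : "MyService",
      "id" : 200,
      "evaluationOrder" : 10,
      "multifactorPolicy" : {
        "_class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
        "bypassEnabled" : false,
        "forceExecution" : true
      }
    }''',
]

# Constructed DEBUG line in the shape InitialFlowSetupAction emits, with ANSI colour codes attached.
SAMPLE_LOG_LINE = ("\x1b[36m2026-02-19 09:48:33,901 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction]"
                   " - <Placing registered service [^https://.*] with id [100] in context scope>\x1b[m")


def load_services(json_texts):
    return [json.loads(text) for text in json_texts]


def first_matching_service(services, url):
    """First service whose serviceId regex matches the URL, lowest evaluationOrder first.
    Disabled services still take part in matching, so a broad disabled pattern can shadow
    the intended one. re.search is an assumption standing in for CAS's own matcher."""
    for svc in sorted(services, key=lambda s: s.get("evaluationOrder", 0)):
        if re.search(svc["serviceId"], url):
            return svc
    return None


def is_enabled(service):
    return service.get("accessStrategy", {}).get("enabled", True)


def mfa_providers(service):
    """Provider names, unwrapping the ["java.util.LinkedHashSet", [...]] form Mongo stores."""
    policy = service.get("multifactorPolicy") or {}
    providers = policy.get("multifactorAuthenticationProviders", [])
    if (len(providers) == 2 and isinstance(providers[0], str)
            and providers[0].startswith("java.util.") and isinstance(providers[1], list)):
        providers = providers[1]
    return list(providers)


def policy_issues(service):
    """Human-readable problems with the multifactorPolicy block (empty list means it looks fine)."""
    policy = service.get("multifactorPolicy")
    if policy is None:
        return ["no multifactorPolicy block: no service-level MFA will be triggered"]
    issues = []
    if "@class" not in policy:
        wrong = [k for k in policy if k.lower().endswith("class")]
        issues.append('multifactorPolicy lacks "@class"' + (f" (found {wrong[0]!r} instead)" if wrong else ""))
    elif policy["@class"] != POLICY_CLASS:
        issues.append(f"unexpected policy class {policy['@class']!r}")
    if not mfa_providers(service):
        issues.append("multifactorAuthenticationProviders is empty")
    return issues


def diagnose(services, url):
    """Which service the URL resolves to and why MFA might not fire for it."""
    svc = first_matching_service(services, url)
    if svc is None:
        return {"matched": None, "issues": ["no registered service matches the URL"]}
    issues = []
    if not is_enabled(svc):
        issues.append("matched service is disabled; a broader pattern is shadowing the intended one")
    issues += policy_issues(svc)
    return {"matched": svc["name"], "id": svc["id"], "providers": mfa_providers(svc), "issues": issues}


MATCHED_RE = re.compile(r"Placing registered service \[(?P<pattern>.*?)\] with id \[(?P<id>[^\]]*)\]")


def parse_matched_service_id(log_line):
    """(serviceId pattern, id) from the DEBUG line Frédéric quoted, or None if absent."""
    m = MATCHED_RE.search(log_line)
    return (m.group("pattern"), m.group("id")) if m else None


if __name__ == "__main__":
    services = load_services(SERVICES_JSON)
    print(diagnose(services, "https://myservice.example.org/login"))
    print(diagnose([services[1]], "https://myservice.example.org/login"))
    print(parse_matched_service_id(SAMPLE_LOG_LINE))
```

Run against the constructed registry, the first diagnosis reports the disabled catch-all as the matched service, which is exactly the shadowing case Frédéric asks about; removing it surfaces the "_class" typo on MyService. Feeding the DEBUG line from a real CAS log into parse_matched_service_id tells you which pattern and id won the match without reading the whole line.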