That’s how global works. Remove the setting and it will no longer “globall”y activate MFA.
--Misagh From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Dusty Edenfield Sent: Thursday, February 16, 2017 6:27 PM To: CAS Community <cas-user@apereo.org> Subject: [cas-user] Having trouble configuring mfa.globalPrincipalAttributeNameTriggers · [CAS server version 5.0.2 · Container/environment type/version (Tomcat, Jetty, Java, Linux/Windows, etc) Apache Tomcat/8.5.6 · Steps to duplicate the problem We're using these properties in cas.properties cas.authn.mfa.globalProviderId=mfa-duo cas.authn.mfa.globalPrincipalAttributeNameTriggers=AccountEntitlement cas.authn.mfa.globalPrincipalAttributeValueRegex=/some/entitlement/value The behavior we're seeing is when these properties are set, mfa-duo is indeed active for all cas logins, but the globalPrincipalAttribute* properties are ignored, or I'm misunderstanding how these properties are supposed to work. We would expect that these attribute properties are checked for when to enable mfa-duo for a given user, but that doesn't seem to be the case. To reproduce, we put in a bogus globalPrincipalAttributeValueRegex and mfa-duo was still active for all logins after a CAS restart -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website: https://apereo.github.io/cas - CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org <mailto:cas-user+unsubscr...@apereo.org> . To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0e7dbb48-c21b-4aeb-b7a4-cebe27d9788f%40apereo.org <https://groups.google.com/a/apereo.org/d/msgid/cas-user/0e7dbb48-c21b-4aeb-b7a4-cebe27d9788f%40apereo.org?utm_medium=email&utm_source=footer> . -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website: https://apereo.github.io/cas - CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/006701d288ef%24e22c6fd0%24a6854f70%24%40unicon.net.