You could always do a custom Groovy script trigger, which will be executed and 
its outcome examined by CAS for each authentication transaction to decide 
whether to trigger any MFA transaction or not: 
https://apereo.github.io/cas/5.3.x/installation/Configuring-Multifactor-Authentication-Triggers.html#groovy

Cheers,
D.
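
One way such a trigger script could look, as an added example that is not part of the original thread or the CAS project's own code. It assumes the `run(Object... args)` contract and argument order (service, registeredService, authentication, logger) described on the linked 5.3.x page; the class name `PerServiceMfaTrigger` is hypothetical.

```groovy
// Added example: require MFA only for services whose registry entry
// declares a multifactorPolicy with at least one provider.
// Assumption: args = [service, registeredService, authentication, logger],
// and the return value is the MFA provider id to activate, or null for none.
class PerServiceMfaTrigger {

    def String run(final Object... args) {
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def logger = args[3]

        // No matching service definition: the script has nothing to decide on.
        if (registeredService == null) {
            logger.debug("No registered service resolved; script does not trigger MFA")
            return null
        }

        // Providers listed in the service's own multifactorPolicy, if any.
        def policy = registeredService.getMultifactorPolicy()
        def providers = policy?.getMultifactorAuthenticationProviders()

        if (providers == null || providers.isEmpty()) {
            // Service did not opt in, so no MFA is requested for it.
            logger.debug("Service [${registeredService.getName()}] declares no MFA provider".toString())
            return null
        }

        // Service opted in: activate the first provider it declares
        // (for the policy shown in this thread that is "mfa-gauth").
        def providerId = providers.iterator().next()
        logger.info(("Requiring [${providerId}] for service [${registeredService.getName()}], " +
                "principal [${authentication.getPrincipal().getId()}]").toString())
        return providerId
    }
}
```

The script leaves services without a policy untouched, so the decision is opt-in per registry entry; check the resulting log lines per service after deployment to confirm which entries actually trigger MFA.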


From: Dave B <[email protected]>
Reply: [email protected] <[email protected]>
Date: September 21, 2018 at 4:16:46 PM
To: CAS Community <[email protected]>
Subject:  Re: [cas-user] How to enable MFA by service rather than globally  

Dan,
Thanks - yes, bypassing each of the non-MFA-eligible services is my fallback 
plan if I can't figure this one out. Was hoping not to have to do that though!

-Dave


On Friday, September 21, 2018 at 4:10:50 PM UTC-4, de3 wrote:
Hi Dave,

Check out "Bypass Per Service" at: 
https://apereo.github.io/cas/5.3.x/installation/Configuring-Multifactor-Authentication-Bypass.html#bypass-per-service

    Dan


On Fri, Sep 21, 2018 at 2:57 PM Dave B <[email protected]> wrote:
Running latest CAS 5.3 and just implemented MFA.  My goal is to have MFA 
disabled globally but able to be turned on based only on inclusion service 
registry.

However, I cannot get MFA to work on any service unless 
cas.authn.mfa.globalProviderId is set to a value, in my case mfa-gauth. 

With the settings below, ALL services, regardless of inclusion of 
"multifactorPolicy", require MFA.  My only option is to explicitly exclude 
(bypass) all other services for which I don't want to require MFA.

Is this intended behavior? 

Relevant config:
cas.properties:
cas.authn.mfa.globalProviderId=mfa-gauth
cas.authn.mfa.globalFailureMode=CLOSED


  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
    "failureMode" : "CLOSED"
  },

Thanks for any help!
-Dave
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ef5cec95-795c-4288-b8e2-183550ecda62%40apereo.org.