You can use multiple providers using selection now in the current release with principal attribute per service (https://github.com/apereo/cas/commit/90e770fb9d04877c58f569b4dab28e97422d62ef). I reported it with a pull request not too long ago and someone else also added a fix for Rest; I am assuming others will come along soon enough. This now works in current 6.5.x as it was backported (https://github.com/apereo/cas/commit/ab0e3d547417c97373200463b42c777abc2a61c5).
Some of the MFA providers have the option cas.authn.mfa.provider_name.multiple-device-registration-enabled, which is set to true or false to allow multiple registrations; you could look into that for the providers you are using.

On Friday, April 15, 2022 at 4:52:04 AM UTC-5 Marcin Roman wrote:

> We have exactly the same problem.
> It would be great to have similar workflow to the google mfa.
>
> I experimented with webauthn and simple mfa. The problem is that the mfa
> provider selection menu shows all providers without respecting the
> provider's groovy bypass.
> Also you can only use provider selection menu with the global mfa trigger.
>
> On Friday, April 15, 2022 at 2:44:30 AM UTC+2 [email protected] wrote:
>
>> Hi,
>> Are there any documents about the flow of control when using MFA?
>> We have configured CAS to optionally show MFA options when the user logs
>> in, and this works, but there are a number of problems we would like to
>> address, and are unsure how this should work in CAS.
>>
>> The flow we have at the moment is:
>> 1. User requests to enable MFA
>> 2. User is logged out and taken to the CAS login page
>> 3. User has to configure MFA
>> 4. User is now logged in.
>>
>> This is somewhat acceptable, but we would prefer to allow users to
>> configure MFA when they are already logged in and not force them to login
>> again. Is this possible?
>>
>> The main problem we have is that once MFA is configured, and the user
>> logs in and is presented with the MFA check, they always have the option to
>> configure another MFA device (we are using at the moment). This defeats the
>> purpose of MFA, as if the user's password is compromised, the attacker can
>> just configure another device. We are trying and failing to understand how
>> this should be configured.
>>
>> I would be grateful for any pointers.
>> Thanks in advance.
>> Rob
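
A way to check which MFA providers in a CAS properties file currently allow additional device registrations, using the option named in the reply above. This is an added example, not code from the thread or from the CAS project; the sample file and the provider names (provider-a, provider-b, ...) are constructed placeholders following the cas.authn.mfa.provider_name.multiple-device-registration-enabled form quoted above.

```python
import re

# Constructed sample of a cas.properties file. Provider names are placeholders,
# not verified CAS keys; substitute the providers you actually deploy.
SAMPLE = """\
# constructed example
cas.authn.mfa.provider-a.multiple-device-registration-enabled=true
cas.authn.mfa.provider-b.core.multiple-device-registration-enabled : false
cas.authn.mfa.provider-c.multipleDeviceRegistrationEnabled = TRUE
cas.authn.mfa.provider-a.multiple-device-registration-enabled=false
! cas.authn.mfa.provider-d.multiple-device-registration-enabled=true
cas.server.name=https://cas.example.org
"""

# Spring Boot relaxed binding accepts both the kebab-case and camelCase spelling.
KEY = re.compile(
    r"^cas\.authn\.mfa\.(?P<provider>.+?)\."
    r"(?:multiple-device-registration-enabled|multipleDeviceRegistrationEnabled)$"
)

def parse_properties(text):
    """Minimal .properties parser: '#'/'!' comments, '=' or ':' separators,
    later definitions override earlier ones. No escapes or line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def multi_device_settings(text):
    """Map each provider segment to the effective boolean value of the option."""
    result = {}
    for key, value in parse_properties(text).items():
        m = KEY.match(key)
        if m:
            result[m.group("provider")] = value.lower() == "true"
    return result

def providers_allowing_extra_devices(text):
    """Providers where a user who passes the password step may enrol another device."""
    return sorted(p for p, on in multi_device_settings(text).items() if on)

if __name__ == "__main__":
    for name in providers_allowing_extra_devices(SAMPLE):
        print(f"review: {name} allows multiple device registrations")
```

Providers that do not set the option explicitly are not reported, so compare the output against the list of providers you have enabled.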
