Hi all, 

I am using CAS version 6.1.7.2.
I have an *"issue"* with the *"MFA"* feature, especially the *"bypass"* one.
I activated Multifactor Authentication by using the CAS configuration
"globalProviderId".

Here is the use case: 

   1. Call endpoint /login with parameter service=serviceWithoutMFA (no MFA
   requested for this service)
   2. Call again (with valid TGT session) endpoint /login with parameter
   serviceMFA (which should trigger MFA)

*Expected behaviour*: application triggers MFA
*Observed behaviour*: application bypasses MFA

- Tests were performed with two different MFA providers and two different
versions of CAS: same result.
    - CAS versions: 5.3.16, 6.1.7.2
    - Providers: *GAUTH* provided by CAS, *OTP* which is a custom one.

Could this be a bug in the implementation or simply the expected behaviour
from the standard?

I also noticed that the gateway parameter is not evaluated when the MFA
subflow is executed. It's only done in the main flow (after subflow exit)?

Thank you for your help.

Best regards,
Lamia
