Hi all,

I am using CAS version 6.1.7.2. I have an "issue" with the "MFA" feature, especially the "bypass" one. I activated Multifactor Authentication by using the CAS configuration "globalProviderId".

Here is the use case:

1. Call endpoint /login with parameter service=serviceWithoutMFA (no MFA requested for this service)
2. Call again (with valid TGT session) endpoint /login with parameter serviceMFA (which should trigger MFA)

*Expected behaviour*: application triggers MFA

*Observed behaviour*: application bypasses MFA

- Tests were performed with two different MFA providers and two different versions of CAS: same result.
- CAS versions: 5.3.16, 6.1.7.2
- Providers: *GAUTH* provided by CAS, *OTP* which is a custom one.

Could this be a bug in the implementation or simply the expected behaviour from the standard?

I also noticed that the gateway parameter is not evaluated when the MFA subflow is executed. It's only done in the main flow (after subflow exit)?

Thank you for your help.

Best regards,
Lamia