Hi Yan
I did quite the same thing. I'm just curious: how are your users
registering their MFA methods and devices?
In my case, a user is autonomous and is able to register MFA devices (gauth
and webauthn) on his own thru the account manager.
Then I'm using bypass Groovy scripts to check if he has registered at least
one device for each MFA provider. He's got the MFA selection menu if he has
registered at least one provider. To do so I used those endpoints for both
Groovy bypass scripts:
/cas/actuator/gauthCredentialRepository/${userId}
/cas/actuator/webAuthnDevices/${userId}
(notice that those endpoints are protected by ACLs in
cas.monitor.endpoints.endpoint.gauthCredentialRepository/webAuthnDevices/multifactorTrustedDevices.access
allowing requests only from localhost for security purposes)
This way the user chooses when to activate his own providers and he does not
have to access an external portal to activate MFA, or, that admins force
this behavior for a user thru the attributeRepository.
Cons: When a user has registered only one MFA provider, the MFA provider
selector selection menu is still popping out. If anybody knows a trick … ;-)
Regards,
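
The per-provider bypass check described in the message above, as an added example (not the poster's scripts and not code from the CAS project). Assumptions: one script is shared by both providers, `mfa-webauthn` is the WebAuthn provider id, CAS serves its actuator on `https://localhost:8443`, the endpoints answer with a JSON array, and the script arguments arrive in the order authentication, principal, registered service, provider, logger, request.

```groovy
import groovy.json.JsonSlurper
import java.nio.charset.StandardCharsets

// Return value follows the CAS Groovy bypass contract:
// true = MFA proceeds for this provider, false = the provider is bypassed.
boolean run(final Object... args) {
    def principal = args[1]
    def provider = args[3]
    def logger = args[4]

    // Assumption: local address on which CAS serves its actuator endpoints.
    def base = 'https://localhost:8443'
    // Provider id -> device lookup endpoint (endpoint names from the message above).
    def endpoints = ['mfa-gauth'   : 'gauthCredentialRepository',
                     'mfa-webauthn': 'webAuthnDevices']

    def endpoint = endpoints[provider.id]
    def userId = principal.id as String
    if (endpoint == null || userId in ['.', '..']) {
        return true   // unknown provider or path-like id: never bypass
    }
    // Encode the id so it cannot add path segments or a query string.
    def user = URLEncoder.encode(userId, StandardCharsets.UTF_8).replace('+', '%20')
    try {
        def url = URI.create("${base}/cas/actuator/${endpoint}/${user}".toString()).toURL()
        def conn = url.openConnection()
        conn.connectTimeout = 2000
        conn.readTimeout = 2000
        conn.setRequestProperty('Accept', 'application/json')
        if (conn.responseCode != 200) {
            logger.warn('Device lookup for [{}] returned HTTP [{}]', userId, conn.responseCode)
            return true   // fail closed: keep the provider active
        }
        // Assumption: the endpoint answers with a JSON array of registrations.
        def devices = new JsonSlurper().parse(conn.inputStream)
        def registered = devices instanceof Collection && !devices.isEmpty()
        logger.debug('[{}] has a device for [{}]: [{}]', userId, provider.id, registered)
        return registered
    } catch (Exception e) {
        logger.warn('Device lookup for [{}] failed: [{}]', userId, e.message)
        return true   // lookup errors must not silently switch MFA off
    }
}
```

Returning `true` on any lookup error keeps an outage of the local endpoint from turning into an MFA bypass for every user.
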
On Thursday, January 15, 2026 at 18:01:32 UTC+1, Yan Zhou wrote:
> I figured it out: if MFA Provider Ranks are specified, OR if there is a
> Groovy script that serves as MFA Provider Trigger, MFA-provider-selection
> is no longer available. That is OK, what I did is 1) not to specify MFA
> provider ranking 2) not using Groovy for triggers, instead, on each MFA
> provider, use a Groovy bypass script; MFA is skipped if the user does not support
> the given provider. This is now working correctly for the initial login,
> i.e., the user is presented with the MFA providers that he has configured
> earlier.
>
> I assume my understanding is correct? That is, Triggers and Provider
> Selection cannot co-exist, only one can be specified?
> On Wednesday, January 14, 2026 at 5:34:28 PM UTC-5 Ray Bon wrote:
>
>> Could you display a list on a page and have the user select one?
>>
>> Ray
>> ------------------------------
>> *From:* [email protected] <[email protected]> on behalf of Yan Zhou <
>> [email protected]>
>> *Sent:* January 14, 2026 12:30
>> *To:* CAS Community <[email protected]>
>> *Subject:* [cas-user] how to implement: move to next MFA provider?
>>
>> Hello,
>>
>> CAS 7.3.1 overlay. At user level, there are principal attributes indicating
>> the MFA options the user prefers, for instance, ["mfa-simple", "mfa-gauth"],
>> this user can do both simple-mfa and Google Authenticator.
>>
>> During MFA login, I wish to implement this: if one MFA provider fails,
>> move to the next MFA Provider that the user supports. For instance,
>> "simple-mfa" fails because the user is unable to get the OTP via SMS or Email, he
>> can click "Next MFA provider" and move to "mfa-gauth".
>>
>> Looking at CasSimpleMultifactorWebflowConfigurer, I do not know how to
>> tell CAS webflow that mfa-simple has failed and move to the next MFA
>> Provider.
>>
>> I am using Groovy to determine which MFA provider to activate for the
>> user:
>>
>> cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location=classpath:mfaProviderPredicate.groovy
>>
>> thx,
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/11311671-b5fa-4d50-896c-fba69eae7fe8n%40apereo.org
>>
>