Hello,
I am implementing *Per Application – Multifactor Authentication Triggers* in CAS 7.1.5 using Google Authenticator (mfa-gauth) with MongoDB token storage.
The module used is:
implementation "org.apereo.cas:cas-server-support-gauth-mongo"
Google Authenticator configuration in cas.properties (issuer, label, crypto keys, mongo, etc.) is correctly set up. The flow works properly when using *Global Multifactor Authentication Trigger*.
------------------------------
Per Application configuration
The registered service contains:
"multifactorPolicy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "multifactorAuthenticationProviders" : [ "mfa-gauth" ],
  "bypassEnabled" : false,
  "forceExecution" : true
}
------------------------------
Problem
When using *Per Application MFA Trigger*:
- If the user already has a registered TOTP token → MFA works correctly.
- If the user does NOT have a registered device → CAS grants login directly.
- The Google Authenticator registration flow (QR page) is NOT triggered.
- Logs only show SERVICE_TICKET_CREATED.
However, when configuring *Global Multifactor Authentication Trigger*, the behavior is correct:
- If the user has no registered device → CAS redirects automatically to the QR registration flow.
- MFA is properly enforced.
------------------------------
Expected behavior
I would expect Per Application MFA to behave the same way:
- Trigger device registration flow when no device exists.
- Prevent service ticket issuance until MFA registration is completed.
------------------------------
Question
Is this the expected behavior of Per Application MFA in CAS 7.1.5?
Is there any additional property or configuration required to force device registration when MFA is defined at the service level?
Here are my cas.properties settings:
cas.authn.mfa.gauth.id=mfa-gauth
cas.authn.mfa.gauth.core.issuer=CAS
cas.authn.mfa.gauth.core.label=Junta de Andalucía
cas.authn.mfa.gauth.crypto.encryption.key=6t1qRsYDqCtFIgrpOzfQLMOMOpxgRICaOX0VV3fBT1aoK4BLuLrPU8fIsmFv0UhcwrWhHSWnCu5tbhJX3YzRbg
cas.authn.mfa.gauth.crypto.signing.key=hBjeTTDTkKVr4uHB9og_M0GPQ01TcmywTRTE4fFWr0fdt87S3y6VyI76PG4ZqIQaVA1BKn3CFwq1cyGtuKYm2Q
cas.authn.mfa.gauth.mongo.client-uri= #MY MONGODB#
cas.authn.mfa.gauth.mongo.token-collection=gauth_tokens
Thank you.
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6f3e9218-7862-4a23-b31a-32da7a089eb4n%40apereo.org.
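A configuration cross-check for the setup described in this thread, added here as an example; it is not part of the original message and not CAS project code. It parses a cas.properties fragment and a registered-service JSON document (both embedded below as constructed copies of what the post shows, with the posted crypto keys replaced by placeholders and a hypothetical serviceId/name/id added) and reports whether the service's multifactorPolicy references a provider id that cas.properties actually defines, whether the policy could let MFA be skipped (bypassEnabled true, forceExecution not true), and whether the gauth provider's required settings are still empty or placeholders. The property names and JSON fields are the ones on the page; the function names, finding strings and placeholder conventions are my own.

```python
import json
import re

# Constructed cas.properties fragment mirroring the post; the real keys are
# replaced by placeholders so the checker has something to flag.
CAS_PROPERTIES = """\
cas.authn.mfa.gauth.id=mfa-gauth
cas.authn.mfa.gauth.core.issuer=CAS
cas.authn.mfa.gauth.core.label=Junta de Andalucía
cas.authn.mfa.gauth.crypto.encryption.key=PLACEHOLDER_ENCRYPTION_KEY
cas.authn.mfa.gauth.crypto.signing.key=PLACEHOLDER_SIGNING_KEY
cas.authn.mfa.gauth.mongo.client-uri= #MY MONGODB#
cas.authn.mfa.gauth.mongo.token-collection=gauth_tokens
"""

# Constructed registered-service JSON wrapping the multifactorPolicy from the post
# (serviceId, name and id are hypothetical values).
SERVICE_JSON = """\
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://app.example.org/.*",
  "name" : "example-app",
  "id" : 1000,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "mfa-gauth" ],
    "bypassEnabled" : false,
    "forceExecution" : true
  }
}
"""

# Settings the gauth provider needs (per the post) before it can store and verify tokens.
GAUTH_REQUIRED = (
    "cas.authn.mfa.gauth.crypto.encryption.key",
    "cas.authn.mfa.gauth.crypto.signing.key",
    "cas.authn.mfa.gauth.mongo.client-uri",
    "cas.authn.mfa.gauth.mongo.token-collection",
)


def parse_properties(text):
    """Parse a Java-style .properties fragment into a dict; '#'/'!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def configured_provider_ids(props):
    """Map provider id -> property prefix for every cas.authn.mfa.<name>.id entry."""
    ids = {}
    for key, value in props.items():
        m = re.fullmatch(r"(cas\.authn\.mfa\.[a-z0-9-]+)\.id", key)
        if m and value:
            ids[value] = m.group(1)
    return ids


def looks_unset(value):
    """True for empty values and the '#...#' / PLACEHOLDER conventions used here."""
    return not value or value.startswith("#") or "PLACEHOLDER" in value.upper()


def audit_service_mfa(service_json, properties_text):
    """Cross-check a service's multifactorPolicy against cas.properties.

    Returns a list of human-readable findings; an empty list means the policy
    references a configured provider, cannot be bypassed, and the provider's
    required settings are populated.
    """
    findings = []
    props = parse_properties(properties_text)
    providers_by_id = configured_provider_ids(props)
    policy = json.loads(service_json).get("multifactorPolicy")
    if not policy:
        return ["service has no multifactorPolicy: MFA is never triggered for it"]

    providers = policy.get("multifactorAuthenticationProviders") or []
    if not providers:
        findings.append("multifactorPolicy lists no providers")
    for pid in providers:
        prefix = providers_by_id.get(pid)
        if prefix is None:
            findings.append(f"provider '{pid}' has no matching cas.authn.mfa.*.id property")
        elif prefix == "cas.authn.mfa.gauth":
            for key in GAUTH_REQUIRED:
                if looks_unset(props.get(key, "")):
                    findings.append(f"{key} is empty or still a placeholder")

    if policy.get("bypassEnabled") is True:
        findings.append("bypassEnabled=true: MFA can be skipped for this service")
    if policy.get("forceExecution") is not True:
        findings.append("forceExecution is not true: a prior MFA context may be reused")
    return findings


if __name__ == "__main__":
    for finding in audit_service_mfa(SERVICE_JSON, CAS_PROPERTIES) or ["no findings"]:
        print(finding)
```

Run against the constructed input it reports the three placeholder values; once those are filled in, the policy from the post comes back clean, while a policy with bypassEnabled true, forceExecution false or an unknown provider id is flagged. The check is purely static: it says nothing about how CAS 7.1.5 evaluates the policy at runtime, which is the question the post raises.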