Hi Christian,
just in case, 7.3 (and I think 7.2 too, as you mentioned in your title) 
per-application MFA trigger has the behavior you're looking for.
In case you're using the native CAS account manager (aka the palantir 
thing) CasFeatureModule.AccountManagement.enabled: true : you cannot 
handle the /cas/login url within a service, it won't be matched by any 
service, so mfa- won't be triggered by a service and users will access 
their MFA device manager directly, which might be a problem.
regards,

On Monday, 16 February 2026 at 14:55:22 UTC+1, Christian wrote:

> Hello,
>
> I am implementing *Per Application – Multifactor Authentication Triggers* 
> in CAS 7.1.5 using Google Authenticator (mfa-gauth) with MongoDB token 
> storage.
>
> The module used is:
> implementation "org.apereo.cas:cas-server-support-gauth-mongo" 
>
> Google Authenticator configuration in cas.properties (issuer, label, 
> crypto keys, mongo, etc.) is correctly set up. The flow works properly when 
> using *Global Multifactor Authentication Trigger*.
> ------------------------------
> Per Application configuration 
>
> The registered service contains:
> "multifactorPolicy" : {
>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>   "multifactorAuthenticationProviders" : [ "mfa-gauth" ],
>   "bypassEnabled" : false,
>   "forceExecution" : true
> }
> ------------------------------
> Problem 
>
> When using *Per Application MFA Trigger*:
>
>    - If the user already has a registered TOTP token → MFA works correctly.
>    - If the user does NOT have a registered device → CAS grants login 
>      directly.
>    - The Google Authenticator registration flow (QR page) is NOT triggered.
>    - Logs only show SERVICE_TICKET_CREATED.
>
> However, when configuring *Global Multifactor Authentication Trigger*, 
> the behavior is correct:
>
>    - If the user has no registered device → CAS redirects automatically to 
>      the QR registration flow.
>    - MFA is properly enforced.
>
> ------------------------------
> Expected behavior 
>
> I would expect Per Application MFA to behave the same way:
>
>    - Trigger the device registration flow when no device exists.
>    - Prevent service ticket issuance until MFA registration is completed.
>
> ------------------------------
> Question 
>
> Is this the expected behavior of Per Application MFA in CAS 7.1.5?
> Is there any additional property or configuration required to force device 
> registration when MFA is defined at the service level?
>
> Here are my cas.properties settings:
> cas.authn.mfa.gauth.id=mfa-gauth
> cas.authn.mfa.gauth.core.issuer=CAS
> cas.authn.mfa.gauth.core.label=Junta de Andalucía
> cas.authn.mfa.gauth.crypto.encryption.key=6t1qRsYDqCtFIgrpOzfQLMOMOpxgRICaOX0VV3fBT1aoK4BLuLrPU8fIsmFv0UhcwrWhHSWnCu5tbhJX3YzRbg
> cas.authn.mfa.gauth.crypto.signing.key=hBjeTTDTkKVr4uHB9og_M0GPQ01TcmywTRTE4fFWr0fdt87S3y6VyI76PG4ZqIQaVA1BKn3CFwq1cyGtuKYm2Q
>
> cas.authn.mfa.gauth.mongo.client-uri= #MY MONGODB#
> cas.authn.mfa.gauth.mongo.token-collection=gauth_tokens
>
> Thank you.
>

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
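A small consistency check that follows from the configuration quoted in the thread, added here as an example and not code from the CAS project: the per-application policy only applies when every provider id listed under multifactorAuthenticationProviders matches a provider actually configured via cas.authn.mfa.<module>.id in cas.properties, so a typo in the service JSON leaves the application without MFA and without any error. The script below parses both files and reports mismatches. The property lines and the service definition are constructed from the values posted in the thread (keys replaced with placeholders); the serviceId, name and id wrapped around the quoted multifactorPolicy are hypothetical, and the handling of the Jackson typed-collection form `[ "java.util.LinkedHashSet", [ ... ] ]` is an assumption about how CAS serialises that field.

```python
"""Cross-check a CAS registered service's multifactorPolicy against cas.properties.

Added example, not CAS project code. Verifies that every provider id named by a
service's multifactorPolicy is one that cas.properties actually defines under
cas.authn.mfa.<module>.id, and reports the bypass/forceExecution flags.
"""
import json
import re

# Constructed sample: the cas.properties lines quoted in the thread, with the
# crypto keys and Mongo URI replaced by placeholders.
CAS_PROPERTIES = """
cas.authn.mfa.gauth.id=mfa-gauth
cas.authn.mfa.gauth.core.issuer=CAS
cas.authn.mfa.gauth.core.label=Junta de Andalucía
cas.authn.mfa.gauth.crypto.encryption.key=<redacted>
cas.authn.mfa.gauth.crypto.signing.key=<redacted>

cas.authn.mfa.gauth.mongo.client-uri=mongodb://localhost/cas
cas.authn.mfa.gauth.mongo.token-collection=gauth_tokens
"""

# Constructed sample: the multifactorPolicy quoted in the thread, wrapped in a
# hypothetical service definition (serviceId, name and id are made up).
SERVICE_JSON = r"""
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "ExampleApp",
  "id" : 1001,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "mfa-gauth" ],
    "bypassEnabled" : false,
    "forceExecution" : true
  }
}
"""

# Matches e.g. "cas.authn.mfa.gauth.id=mfa-gauth"; group 1 is the module, group 2 the id.
PROVIDER_ID_RE = re.compile(r"^cas\.authn\.mfa\.([a-z0-9-]+)\.id\s*=\s*(\S+)\s*$")


def configured_provider_ids(properties_text: str) -> dict:
    """Map each MFA module name (gauth, duo, ...) to the provider id it is given."""
    ids = {}
    for line in properties_text.splitlines():
        m = PROVIDER_ID_RE.match(line.strip())
        if m:
            ids[m.group(1)] = m.group(2)
    return ids


def policy_providers(service: dict) -> list:
    """Provider ids named by the service's multifactorPolicy.

    Accepts the plain list form quoted in the thread and (assumption) the Jackson
    typed-collection form [ "java.util.LinkedHashSet", [ ... ] ].
    """
    policy = service.get("multifactorPolicy") or {}
    providers = policy.get("multifactorAuthenticationProviders") or []
    if (len(providers) == 2 and isinstance(providers[0], str)
            and providers[0].startswith("java.util.") and isinstance(providers[1], list)):
        providers = providers[1]
    return [p for p in providers if isinstance(p, str)]


def check_policy(properties_text: str, service_json: str) -> dict:
    """Report requested vs. configured providers and the policy flags for one service."""
    service = json.loads(service_json)
    configured = set(configured_provider_ids(properties_text).values())
    requested = policy_providers(service)
    policy = service.get("multifactorPolicy") or {}
    return {
        "service": service.get("name"),
        "requested": requested,
        "unknown": [p for p in requested if p not in configured],
        "force_execution": bool(policy.get("forceExecution", False)),
        "bypass_enabled": bool(policy.get("bypassEnabled", False)),
    }


if __name__ == "__main__":
    report = check_policy(CAS_PROPERTIES, SERVICE_JSON)
    print(json.dumps(report, indent=2, ensure_ascii=False))
    if report["unknown"]:
        print("WARNING: policy names providers that cas.properties does not configure:",
              ", ".join(report["unknown"]))
```

Run it against the real cas.properties and each service JSON before testing a per-application trigger; an entry under "unknown" means the policy can never select a provider, whatever the CAS version does about device registration.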