Hi Frédéric,
Thank you for your previous response.
I am currently running CAS 7.2.7, which (as mentioned) should already
include the corrected behavior for Per-Application MFA triggers.
I have configured my registered service in MongoDB with the following
multifactorPolicy:
    multifactorPolicy : {
      "_class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
      "multifactorAuthenticationProviders" : [
        "java.util.LinkedHashSet",
        [
          "mfa-gauth"
        ]
      ],
      "bypassEnabled" : false,
      "forceExecution" : true
    }
The Google Authenticator configuration in cas.properties remains the same
(issuer, label, crypto keys, Mongo token storage, etc.).
However, the behavior is still the following:
- When I access: http://localhost:8080/cas/login?service=MyService
- I enter username and password
- CAS immediately grants a service ticket
- The Google Authenticator MFA screen is NOT shown
- If the user does not have a registered device, the registration (QR)
  flow is not triggered
If I enable Global MFA Trigger instead, everything works correctly:
- Users without a registered device are redirected to the registration flow
- MFA is properly enforced before issuing the service ticket
So even on 7.2.7, Per-Application MFA does not appear to enforce device
registration.
My questions are:
1. Is there any additional configuration required in 7.2.7 to force device
   registration when MFA is defined at the service level?
2. Does Per-Application MFA require a specific trigger configuration beyond
   the multifactorPolicy block?
3. Could this be related to Account Management being enabled?
Thank you for your help.
Best regards,
Christian
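Both policy shapes that appear in this thread (the Mongo-stored form with the `java.util.LinkedHashSet` wrapper and the plain JSON service-registry form) can be audited offline for the settings that matter here. This is an added example, not the thread author's or the CAS project's own code; the serviceId, name and the `CasRegisteredService` class in the sample are assumed values.

```python
import json

# Jackson "default typing" (the shape the CAS Mongo service registry stores, as
# quoted in the reply above) wraps a collection as
# ["java.util.LinkedHashSet", [items...]]; the JSON service registry stores a
# plain array. Accept both shapes and return a plain Python list.
def unwrap_collection(value):
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")
            and isinstance(value[1], list)):
        return list(value[1])
    return list(value) if isinstance(value, list) else []

def audit_mfa_policy(service, required_provider="mfa-gauth"):
    """Return findings for one registered-service dict; an empty list means the
    multifactorPolicy exists, names the provider and cannot be bypassed."""
    findings = []
    policy = service.get("multifactorPolicy")
    if not isinstance(policy, dict):
        return ["no multifactorPolicy: this service never triggers MFA"]
    providers = unwrap_collection(policy.get("multifactorAuthenticationProviders"))
    if required_provider not in providers:
        findings.append(f"provider {required_provider!r} missing, got {providers}")
    if policy.get("bypassEnabled") is True:
        findings.append("bypassEnabled=true: MFA can be bypassed for this service")
    if policy.get("forceExecution") is not True:
        findings.append("forceExecution!=true: MFA already satisfied in the SSO "
                        "session is not re-run for this service")
    return findings

def audit_service_json(text, required_provider="mfa-gauth"):
    """Same check, starting from the raw JSON text of a service definition."""
    return audit_mfa_policy(json.loads(text), required_provider)

# Constructed samples (not the thread author's real service definitions).
JSON_REGISTRY_SERVICE = """{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^https://app.example.org/.*", "name": "MyService", "id": 1,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["mfa-gauth"],
    "bypassEnabled": false, "forceExecution": true } }"""
MONGO_STYLE_POLICY = {
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-gauth"]],
    "bypassEnabled": False, "forceExecution": True}
WEAK_POLICY = {"multifactorAuthenticationProviders": ["mfa-gauth"],
               "bypassEnabled": True, "forceExecution": False}
```

This only checks the policy as written; the fail-open reported above (a service ticket issued to a user with no registered device) is runtime behavior, so confirm it through the login flow or by looking for SERVICE_TICKET_CREATED entries with no preceding MFA event.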
On Tuesday, 17 February 2026 at 15:27:58 UTC+1, Frédéric Dussurget
wrote:
> Hi Christian,
> just in case, 7.3 (and I think 7.2 too, as you mentioned in your title)
> perApplication MFA trigger has the behavior you're looking for.
> In case you're using the native CAS account manager (aka the Palantir
> thing) CasFeatureModule.AccountManagement.enabled: true: you cannot
> handle the /cas/login URL within a service, it won't be matched by any
> service, so mfa- won't be triggered by a service and users will access
> their MFA device manager directly, which might be a problem.
> regards,
>
> On Monday, 16 February 2026 at 14:55:22 UTC+1, Christian wrote:
>
>> Hello,
>>
>> I am implementing *Per Application – Multifactor Authentication Triggers*
>> in CAS 7.1.5 using Google Authenticator (mfa-gauth) with MongoDB token
>> storage.
>>
>> The module used is:
>> implementation "org.apereo.cas:cas-server-support-gauth-mongo"
>>
>> Google Authenticator configuration in cas.properties (issuer, label,
>> crypto keys, mongo, etc.) is correctly set up. The flow works properly when
>> using *Global Multifactor Authentication Trigger*.
>> ------------------------------
>> Per Application configuration
>>
>> The registered service contains:
>>
>>     "multifactorPolicy" : {
>>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>       "multifactorAuthenticationProviders" : [ "mfa-gauth" ],
>>       "bypassEnabled" : false,
>>       "forceExecution" : true
>>     }
>> ------------------------------
>> Problem
>>
>> When using *Per Application MFA Trigger*:
>>
>> - If the user already has a registered TOTP token → MFA works correctly.
>> - If the user does NOT have a registered device → CAS grants login
>>   directly.
>> - The Google Authenticator registration flow (QR page) is NOT triggered.
>> - Logs only show SERVICE_TICKET_CREATED.
>>
>> However, when configuring *Global Multifactor Authentication Trigger*,
>> the behavior is correct:
>>
>> - If the user has no registered device → CAS redirects automatically to
>>   the QR registration flow.
>> - MFA is properly enforced.
>>
>> ------------------------------
>> Expected behavior
>>
>> I would expect Per Application MFA to behave the same way:
>>
>> - Trigger device registration flow when no device exists.
>> - Prevent service ticket issuance until MFA registration is completed.
>>
>> ------------------------------
>> Question
>>
>> Is this the expected behavior of Per Application MFA in CAS 7.1.5?
>> Is there any additional property or configuration required to force
>> device registration when MFA is defined at the service level?
>>
>> Here are my cas.properties settings:
>> cas.authn.mfa.gauth.id=mfa-gauth
>> cas.authn.mfa.gauth.core.issuer=CAS
>> cas.authn.mfa.gauth.core.label=Junta de Andalucía
>> cas.authn.mfa.gauth.crypto.encryption.key=6t1qRsYDqCtFIgrpOzfQLMOMOpxgRICaOX0VV3fBT1aoK4BLuLrPU8fIsmFv0UhcwrWhHSWnCu5tbhJX3YzRbg
>> cas.authn.mfa.gauth.crypto.signing.key=hBjeTTDTkKVr4uHB9og_M0GPQ01TcmywTRTE4fFWr0fdt87S3y6VyI76PG4ZqIQaVA1BKn3CFwq1cyGtuKYm2Q
>>
>> cas.authn.mfa.gauth.mongo.client-uri= #MY MONGODB#
>> cas.authn.mfa.gauth.mongo.token-collection=gauth_tokens
>>
>> Thank you.
>>
>
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/80d7fdbd-d8c5-4bad-ba5c-c242bcd0e6c8n%40apereo.org.