Hi Christian,
I have much the same configuration as yours in the service / cas.properties
(except Mongo).
Is the right service being matched? Do you have these lines in DEBUG mode:
DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing
service in context scope: [https://urlmyservice...]>
[2026-02-19 09:48:33] [info] 2026-02-19 09:48:33,901 DEBUG
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing
registered service [^h https://urlmyservice... .*] with id
[your_exact_service_id_here] in context scope>
Could another service be matching your request before this one? (Even a
disabled service would do that...)
(And just in case: you have a typo in your service definition, "_class"
vs "@class".)
Regards
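Frédéric's two checks above can be done offline against an exported service registry: which registered service actually wins for a given service URL (a broader pattern with a lower evaluationOrder shadows the intended one, even when that shadowing service is disabled), and whether a policy is keyed "_class" instead of "@class". The script below is an added illustration written for this page; it is not CAS code and not from any poster. It assumes CAS's matching semantics as I understand them, which you should confirm against your own version: candidates are tried in ascending evaluationOrder, the serviceId is a regex applied as a search rather than a full match, and the access strategy is only consulted after a match. Python's re stands in for java.util.regex, and the sample registry, service names, ids and URLs are constructed for the example.

```python
"""
Offline check of which CAS registered service a request would match and what
MFA policy that winner carries.  Added illustration for this thread, not CAS code.

Assumptions (mirroring CAS behaviour as understood here, not verified against 7.2.7):
  - candidates are evaluated in ascending evaluationOrder (ties broken by name);
  - serviceId is a regex and matching is a regex *search*, so an unanchored
    pattern matches anywhere in the URL (Python re stands in for java.util.regex);
  - a disabled service (accessStrategy.enabled == false) still *matches*; the
    access decision comes afterwards, so it shadows later services.
"""
import re
from typing import Any

MFA_POLICY_CLASS = "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"

# Constructed sample registry; names, ids and URLs are made up for this example.
SERVICES = [
    {
        "@class": "org.apereo.cas.services.CasRegisteredService",
        "serviceId": "https://",            # unanchored catch-all with a low evaluationOrder
        "name": "legacy-catch-all",
        "id": 1,
        "evaluationOrder": 1,
        "accessStrategy": {
            "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
            "enabled": False,               # disabled, but it still matches first
        },
    },
    {
        "@class": "org.apereo.cas.services.CasRegisteredService",
        "serviceId": r"^https://urlmyservice\.example\.org/.*",
        "name": "myservice",
        "id": 2,
        "evaluationOrder": 10,
        "multifactorPolicy": {
            "_class": MFA_POLICY_CLASS,     # the "_class" vs "@class" typo from the thread
            "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-gauth"]],
            "bypassEnabled": False,
            "forceExecution": True,
        },
    },
]


def find_class_key_typos(node: Any, path: str = "$") -> list:
    """Return JSON paths of every '_class' key; CAS's Jackson serializer keys types by '@class'."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "_class":
                hits.append(child)
            hits.extend(find_class_key_typos(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_class_key_typos(value, f"{path}[{i}]"))
    return hits


def match_service(services: list, service_url: str):
    """First service, in evaluation order, whose serviceId regex is found in the URL."""
    ordered = sorted(services, key=lambda s: (s.get("evaluationOrder", 0), s.get("name", "")))
    for svc in ordered:
        if re.search(svc["serviceId"], service_url):
            return svc
    return None


def is_enabled(service: dict) -> bool:
    """accessStrategy.enabled, defaulting to true when no strategy is defined."""
    return bool(service.get("accessStrategy", {}).get("enabled", True))


def mfa_providers(service: dict) -> list:
    """Provider ids from multifactorPolicy, unwrapping Jackson's ['java.util.LinkedHashSet', [...]] form."""
    policy = service.get("multifactorPolicy") or {}
    providers = policy.get("multifactorAuthenticationProviders", [])
    if len(providers) == 2 and isinstance(providers[1], list):
        providers = providers[1]
    return list(providers)


def with_evaluation_order(services: list, name: str, order: int) -> list:
    """Copy of the registry with the named service's evaluationOrder replaced (input untouched)."""
    return [dict(s, evaluationOrder=order) if s["name"] == name else s for s in services]


def diagnose(services: list, service_url: str) -> dict:
    """Which service wins for service_url, whether it is enabled, and what MFA it would apply."""
    winner = match_service(services, service_url)
    if winner is None:
        return {"matched": None}
    return {
        "matched": winner["name"],
        "enabled": is_enabled(winner),
        "mfa_providers": mfa_providers(winner),
        "class_key_typos": find_class_key_typos(winner),
    }


if __name__ == "__main__":
    url = "https://urlmyservice.example.org/login"
    print("as registered:", diagnose(SERVICES, url))
    # Fix the shadowing by pushing the catch-all behind the specific service.
    print("catch-all demoted:", diagnose(with_evaluation_order(SERVICES, "legacy-catch-all", 1000), url))
```

As registered, the disabled catch-all wins and the result carries no MFA providers, which is exactly the "service ticket granted, no MFA screen" symptom; demoting it (or anchoring its pattern with ^ and a proper host) lets myservice win, and the typo list then points at the "_class" key that has to become "@class" before the policy is recognised.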
On Wednesday, February 18, 2026 at 14:59:11 UTC+1, Christian wrote:
> Hi Frédéric,
>
> Thank you for your previous response.
>
> I am currently running CAS 7.2.7, which (as mentioned) should already
> include the corrected behavior for Per-Application MFA triggers.
>
> I have configured my registered service in MongoDB with the following
> multifactorPolicy:
>
> multifactorPolicy : {
>   "_class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>   "multifactorAuthenticationProviders" : [
>     "java.util.LinkedHashSet",
>     [
>       "mfa-gauth"
>     ]
>   ],
>   "bypassEnabled" : false,
>   "forceExecution" : true
> }
>
> The Google Authenticator configuration in cas.properties remains the same
> (issuer, label, crypto keys, Mongo token storage, etc.).
>
> However, the behavior is still the following:
>
> - When I access:
>   http://localhost:8080/cas/login?service=MyService
> - I enter username and password
> - CAS immediately grants a service ticket
> - The Google Authenticator MFA screen is NOT shown
> - If the user does not have a registered device, the registration (QR)
>   flow is not triggered
>
> If I enable Global MFA Trigger instead, everything works correctly:
>
> - Users without a registered device are redirected to the registration
>   flow
> - MFA is properly enforced before issuing the service ticket
>
> So even on 7.2.7, Per-Application MFA does not appear to enforce device
> registration.
>
> My questions are:
>
> 1. Is there any additional configuration required in 7.2.7 to force
>    device registration when MFA is defined at the service level?
> 2. Does Per-Application MFA require a specific trigger configuration
>    beyond the multifactorPolicy block?
> 3. Could this be related to Account Management being enabled?
>
> Thank you for your help.
>
> Best regards,
> Christian
> On Tuesday, February 17, 2026 at 15:27:58 UTC+1, Frédéric Dussurget
> wrote:
>
>> Hi Christian,
>> just in case: in 7.3 (and I think in 7.2 too, as you mentioned in your title)
>> the perApplication MFA trigger has the behavior you're looking for.
>> In case you're using the native CAS account manager (aka the Palantir
>> thing), CasFeatureModule.AccountManagement.enabled: true: you cannot
>> handle the /cas/login URL within a service, it won't be matched by any
>> service, so mfa- won't be triggered by a service and users will access
>> their MFA device manager directly, which might be a problem.
>> regards,
>>
>> On Monday, February 16, 2026 at 14:55:22 UTC+1, Christian wrote:
>>
>>> Hello,
>>>
>>> I am implementing *Per Application – Multifactor Authentication
>>> Triggers* in CAS 7.1.5 using Google Authenticator (mfa-gauth) with
>>> MongoDB token storage.
>>>
>>> The module used is:
>>> implementation "org.apereo.cas:cas-server-support-gauth-mongo"
>>>
>>> Google Authenticator configuration in cas.properties (issuer, label,
>>> crypto keys, mongo, etc.) is correctly set up. The flow works properly when
>>> using *Global Multifactor Authentication Trigger*.
>>> ------------------------------
>>> Per Application configuration
>>>
>>> The registered service contains:
>>> "multifactorPolicy" : {
>>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>   "multifactorAuthenticationProviders" : [ "mfa-gauth" ],
>>>   "bypassEnabled" : false,
>>>   "forceExecution" : true
>>> }
>>> ------------------------------
>>> Problem
>>>
>>> When using *Per Application MFA Trigger*:
>>>
>>> - If the user already has a registered TOTP token → MFA works
>>>   correctly.
>>> - If the user does NOT have a registered device → CAS grants login
>>>   directly.
>>> - The Google Authenticator registration flow (QR page) is NOT
>>>   triggered.
>>> - Logs only show SERVICE_TICKET_CREATED.
>>>
>>> However, when configuring *Global Multifactor Authentication Trigger*,
>>> the behavior is correct:
>>>
>>> - If the user has no registered device → CAS redirects automatically
>>>   to the QR registration flow.
>>> - MFA is properly enforced.
>>>
>>> ------------------------------
>>> Expected behavior
>>>
>>> I would expect Per Application MFA to behave the same way:
>>>
>>> - Trigger device registration flow when no device exists.
>>> - Prevent service ticket issuance until MFA registration is completed.
>>>
>>> ------------------------------
>>> Question
>>>
>>> Is this the expected behavior of Per Application MFA in CAS 7.1.5?
>>> Is there any additional property or configuration required to force
>>> device registration when MFA is defined at the service level?
>>>
>>> Here are my cas.properties settings:
>>> cas.authn.mfa.gauth.id=mfa-gauth
>>> cas.authn.mfa.gauth.core.issuer=CAS
>>> cas.authn.mfa.gauth.core.label=Junta de Andalucía
>>> cas.authn.mfa.gauth.crypto.encryption.key=6t1qRsYDqCtFIgrpOzfQLMOMOpxgRICaOX0VV3fBT1aoK4BLuLrPU8fIsmFv0UhcwrWhHSWnCu5tbhJX3YzRbg
>>> cas.authn.mfa.gauth.crypto.signing.key=hBjeTTDTkKVr4uHB9og_M0GPQ01TcmywTRTE4fFWr0fdt87S3y6VyI76PG4ZqIQaVA1BKn3CFwq1cyGtuKYm2Q
>>>
>>> cas.authn.mfa.gauth.mongo.client-uri= #MY MONGODB#
>>> cas.authn.mfa.gauth.mongo.token-collection=gauth_tokens
>>>
>>> Thank you.
>>>
>>
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/12359729-3125-41a3-9341-416eb31b7a20n%40apereo.org.