That's exactly how it works - the first leg of the authentication transaction happens (primary authentication), then a requirement for the second factor is computed from the resolved principal attribute. In your case it looks like the service authorization step fails to match the configured URL with the actual service URL provided, before the MFA machinery even kicks in.
Could you please post your configured registered service snippet along with the actual service URL that you are passing in?

Cheers,
D.

Sent from my iPhone

> On Apr 10, 2015, at 17:01, Lazar, Michael E <[email protected]> wrote:
>
> Hello,
>
> I have read this section, configured an attribute in the properties file and am trying to get this logic to fire. What I tried to do is change the servicesRegistry.conf and made the regular expression not match (https/imaps). However, now when I give CAS my URL with the service attribute, CAS sends me to the “Application Not Authorized to use CAS” error view.
>
> My current list of authn-methods only includes one method for MFA we are using, and when I add that authn_method attribute to the URL I get a login prompt (so: working).
>
> Is there another method I need to add to the configuration in order for CAS to treat the login as a single-factor one (at least until this attribute is queried for)?
>
> I would need the principal from the first-factor login to get LDAP attributes from and make the decision to require multi-factor authentication.
>
> Thanks again,
> -Michael.
>
> >Subject: Re: MFA option based on ldap attribute?
> >From: Dmitriy Kopylenko <[email protected]>
> >Date: Thu, 09 Apr 2015 16:55:48 -0400
> >
> >Please see "Authentication Methods via Principal Attributes" section.
> >
> >Best,
> >D.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
