Multifactor Authentication - Failure Modes

CAS will consult the current configuration in the event that the provider being requested is unreachable to determine how to proceed.
The failure mode can be configured at these locations and CAS will use the first defined failure mode in this order:

If no actionable failure mode is encountered the user will be shown a generic “Authentication Failed” message.

Per Service

Failure mode for a given application can be set as part of the multifactorPolicy of the service definition, which will override a failure a mode set at any other location.

1
2
3
4
5
6
7
8
9
10
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "id" : 100,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "CLOSED"
  }
}

The following failure modes can be accepted:

Mode Description
OPEN Disallow MFA, proceed with authentication but don’t communicate MFA status/context to the relying party.
CLOSED Disallow MFA and block authentication.
PHANTOM Disallow MFA, proceed with authentication and communicate MFA to the relying party.
NONE “I am Feeling lucky” option where CAS would not check for failure at all.
UNDEFINED The default one indicating that no failure mode is set at all.