Principal Attribute Per Application - Multifactor Authentication Triggers
As a hybrid option, MFA can be triggered for a specific application registered inside the CAS service registry, provided the authenticated principal carries an attribute that matches a configured attribute value. The attribute value can be an arbitrary regex pattern. The service definition below shows how to configure these MFA settings.
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "id" : 100,
  "name": "test",
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "memberOf",
    "principalAttributeValueToMatch" : "faculty|allMfaMembers"
  }
}
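
The trigger decision for the definition above, modelled as an added example (not CAS code and not part of the original page). The helper `mfa_providers`, the sample principals and both matching modes are assumptions; because `memberOf` often carries full LDAP DNs, whether the pattern must cover the whole value decides who is actually prompted for MFA.

```python
import json
import re

# Service definition from the page; its patterns behave the same in Python's re as in Java.
SERVICE = json.loads("""{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "id" : 100,
  "name": "test",
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "memberOf",
    "principalAttributeValueToMatch" : "faculty|allMfaMembers"
  }
}""")

def mfa_providers(service, url, attributes, full_match):
    """Hypothetical model of the trigger: providers selected, or [] if it does not fire."""
    # full_match=True: the pattern must cover the whole value; False: a hit anywhere is enough.
    # Which mode a given CAS version applies is an assumption to verify; the page does not say.
    if not re.match(service["serviceId"], url):  # assumed: matched from the start of the URL
        return []
    policy = service.get("multifactorPolicy") or {}
    name = policy.get("principalAttributeNameTrigger")
    pattern = policy.get("principalAttributeValueToMatch")
    if not name or not pattern:
        return []
    values = attributes.get(name, [])
    if isinstance(values, str):  # normalise a single-valued attribute
        values = [values]
    matcher = re.fullmatch if full_match else re.search
    if any(matcher(pattern, value) for value in values):
        # Typed-collection encoding: [ "java.util.LinkedHashSet", [ provider ids ] ]
        return list(policy["multifactorAuthenticationProviders"][1])
    return []

# Constructed principals (not from the page).
PRINCIPALS = {
    "short-name": {"memberOf": ["staff", "faculty"]},
    "ldap-dn": {"memberOf": "cn=faculty,ou=groups,dc=example,dc=org"},
    "lookalike": {"memberOf": ["non-faculty-contractors"]},
    "no-attribute": {"uid": "guest"},
}

def audit(url="https://app.example.org/login"):
    """Per principal: (providers under full match, providers under partial match)."""
    return {who: (mfa_providers(SERVICE, url, attrs, True), mfa_providers(SERVICE, url, attrs, False))
            for who, attrs in PRINCIPALS.items()}
```

Calling `audit()` returns, per principal, the providers selected under each mode; the `ldap-dn` and `lookalike` entries are the ones whose outcome differs, which is the case to test against a real deployment before relying on the pattern.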