WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Multifactor Authentication Triggers
Triggers can be used to activate and instruct CAS to navigate to a multifactor authentication flow. Each trigger should properly try to ignore the authentication request, if applicable configuration is not found for its activation and execution. Also note that various CAS modules present and inject their own internal triggers into the CAS application runtime in order to translate protocol-specific authentication requests (such as those presented by SAML2 or OpenID Connect) into multifactor authentication flows.
Most multifactor authentication
triggers require that the original authentication request submitted to CAS contain
a service
parameter. Failure to do so will result in an initial successful
authentication attempt where subsequent requests that carry the relevant parameter
will elevate the authentication context and trigger multifactor later. If you
need to test a particular trigger, remember to provide the service
parameter appropriately to see the trigger in action.
The trigger machinery in general should be completely oblivious to multifactor authentication; all it cares about is finding the next event in the chain in a very generic way. This means that it is technically possible to combine multiple triggers each of which may produce a different event in the authentication flow. In the event, having selected a final candidate event, the appropriate component and module that is able to support and respond to the produced event will take over and route the authentication flow appropriately.
The following triggers are available:
Trigger | Description |
---|---|
Global | See this page. |
Per Application | See this page. |
Groovy Per Application | See this page. |
Global Principal Attribute | See this page. |
Global Principal Attribute Predicate | See this page. |
Global Authentication Attribute | See this page. |
Adaptive | See this page. |
Grouper | See this page. |
Groovy | See this page. |
REST | See this page. |
Opt-In Request Parameter/Header | See this page. |
Principal Attribute Per Application | See this page. |
Entity Id Request Parameter | See this page. |
Custom | See this page. |