Enforcing 2FA for subset of users
There are situations where you want to enforce two-factor authentication (2FA) only for some of the users of an application instead of for all of them. The CAS service policy configuration can be refined to allow this. This feature is supported for the CAS protocol, OAuth 2.0 and OIDC.
Standard "everybody must use 2FA" configuration may look like this:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://iam.appliance.tld/idm.+",
  "name" : "CzechIdM",
  "id" : 200,
  "evaluationOrder" : 1,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-simple" ] ],
    "failureMode" : "CLOSED"
  }
}
Suppose you want to allow access for ordinary users using only one authentication factor (login+password) and enforce 2FA (login+password and OTP token) for application administrators.
An administrator account has, for example, a multi-valued attribute iamUserRole where one of the values is admin.
To enforce 2FA only for administrators, refine the multifactor policy of the service as follows. Please note that the value of principalAttributeValueToMatch is a regular expression, not a literal value (the ^ and $ anchors make the pattern match the value admin exactly).
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://iam.appliance.tld/idm.+",
  "name" : "CzechIdM",
  "id" : 200,
  "evaluationOrder" : 1,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-simple" ] ],
    "failureMode" : "CLOSED",
    "principalAttributeNameTrigger" : "iamUserRole",
    "principalAttributeValueToMatch" : "^admin$"
  }
}
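The following Python script is an added example, not code from this page or from the CAS project. It parses the refined service definition above and models the decision "does this principal have to pass the second factor?" so that the difference between the two policies and between an anchored and an unanchored regex can be checked offline. The matching semantics are an assumption: the trigger attribute name is compared literally, any value of the multi-valued attribute may satisfy the pattern (re.search, so anchors matter), and an incomplete trigger (name without pattern or vice versa) falls back to "MFA for everybody", which is the safe direction. Real CAS behaviour should be confirmed against its documentation and tested in the installation.

```python
import json
import re

# Constructed sample: the refined service definition from the page, with
# valid JSON syntax (comma after "evaluationOrder", none after "failureMode").
SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://iam.appliance.tld/idm.+",
  "name" : "CzechIdM",
  "id" : 200,
  "evaluationOrder" : 1,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-simple" ] ],
    "failureMode" : "CLOSED",
    "principalAttributeNameTrigger" : "iamUserRole",
    "principalAttributeValueToMatch" : "^admin$"
  }
}
"""


def load_policy(service_json: str) -> dict:
    """Return the multifactorPolicy object of a CAS JSON service definition."""
    service = json.loads(service_json)
    return service["multifactorPolicy"]


def provider_ids(policy: dict) -> list:
    """Unwrap the [ "java.util.LinkedHashSet", [ ids ] ] serialisation CAS uses."""
    providers = policy.get("multifactorAuthenticationProviders", [])
    if len(providers) == 2 and isinstance(providers[1], list):
        return providers[1]
    return providers


def mfa_required(policy: dict, principal_attributes: dict) -> bool:
    """Model of the trigger (assumed semantics, see lead-in):
    - no MFA providers configured      -> policy never triggers
    - no trigger attribute/pattern     -> MFA for everybody
    - otherwise MFA iff any value of the trigger attribute matches the regex
    """
    if not provider_ids(policy):
        return False
    name = policy.get("principalAttributeNameTrigger")
    pattern = policy.get("principalAttributeValueToMatch")
    if not name or not pattern:
        return True
    values = principal_attributes.get(name, [])
    if not isinstance(values, list):
        values = [values]
    regex = re.compile(pattern)
    # re.search, not re.fullmatch: without ^ and $ a pattern like "admin"
    # also hits values such as "administrator" or "admin-readonly".
    return any(regex.search(str(v)) for v in values)


def with_pattern(policy: dict, pattern: str) -> dict:
    """Copy of the policy with a different principalAttributeValueToMatch."""
    return {**policy, "principalAttributeValueToMatch": pattern}


def without_trigger(policy: dict) -> dict:
    """Copy of the policy with the trigger removed, i.e. the 'everybody' policy."""
    return {k: v for k, v in policy.items()
            if k not in ("principalAttributeNameTrigger", "principalAttributeValueToMatch")}


if __name__ == "__main__":
    policy = load_policy(SERVICE_JSON)
    # Constructed principals: an ordinary user and an administrator.
    for who, attrs in [("ordinary user", {"iamUserRole": ["user"]}),
                       ("administrator", {"iamUserRole": ["user", "admin"]})]:
        print(f"{who}: MFA required = {mfa_required(policy, attrs)}")
```

The anchored pattern `^admin$` requires the second factor only for principals that carry the exact value admin; with the unanchored pattern `admin` a principal whose only role is administrator would be pulled into MFA as well, which is harmless here but shows that the field is interpreted as a regex. Removing the trigger fields yields the first policy on the page, where everybody must use 2FA.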