CAS gateway mode

Cantor, Scott cantor.2 at
Sat Jun 11 00:10:51 UTC 2022

On 6/10/22, 8:06 PM, "users on behalf of YF Lai" <users-bounces at on behalf of ccyflai at> wrote:

>  Oops I am not aware this is an option to explicitly enable.   We used authn/MFA and
> idp.authn.MFA.passiveAuthenticationSupported is true by default.   Am I missing anything to support CAS
> gateway mode?

The MFA flow will default to making sure when it tries to run a login flow that that flow also supports that feature via that flag, so if one of them doesn't it will fail that attempt and log it. It's also possible to get it to not honor those settings and just run the flow regardless, but there's no real reason to most of the time, it's just a matter of getting those flows' passiveAuthenticationSupported flag set properly.

The only flows that can't really do passive support are things like X.509 or SPNEGO where the client is really in control of it.

-- Scott

More information about the users mailing list