Checking that the user logged in using MFA

Your application can surmise whether a person used Duo MFA during UH Login (CAS) authentication by checking that uhReleasedGrouping has this value:

  • hawaii.edu:store:uhims:general:mfa-enabled

You can display this page if someone isn't using MFA

If you require MFA and the user hasn't done it, your application can redirect to our generic MFA-required page (after ensuring that the user doesn't have a session in your application, of course):

WARNINGS:

  • This MFA-detection mechanism is not supported for departmental usernames or other non-personal usernames.

  • A future version of CAS may return information about whether MFA was actually exercised, and that should work for all usernames, even departmental ones. However, the above grouping still won't work for non-personal usernames, because grouping members are people, not usernames. Still, the hawaii.edu:store:uhims:general:mfa-enabled grouping will remain available because it is a useful tool for verifying compliance with MFA registration, and for those who still prefer to surmise MFA use the way it is currently done.

  • Make sure you are not using the deprecated mfa-enrolled value for uhReleasedGrouping.  It was removed on 2/5/2019.
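
One way to implement the uhReleasedGrouping check described above, as an added Python example (not UH's own code). It assumes your application receives the CAS protocol 3.0 XML validation response with uhReleasedGrouping released as a possibly multi-valued attribute; the sample responses, the username and every grouping name other than the mfa-enabled value are constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # standard CAS protocol namespace
MFA_GROUPING = "hawaii.edu:store:uhims:general:mfa-enabled"  # value from this page

def released_groupings(validation_xml):
    """Return the set of uhReleasedGrouping values from a successful validation."""
    if "<!DOCTYPE" in validation_xml:
        raise ValueError("unexpected DOCTYPE in CAS response")
    root = ET.fromstring(validation_xml)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("CAS did not report authenticationSuccess")
    values = success.findall("cas:attributes/cas:uhReleasedGrouping", CAS_NS)
    return {(v.text or "").strip() for v in values}

def used_mfa(validation_xml):
    """Exact-match check; any failure or malformed response counts as no MFA."""
    try:
        return MFA_GROUPING in released_groupings(validation_xml)
    except (ValueError, ET.ParseError):
        return False

def sample_response(inner):
    # Constructed sample wrapper, not captured from UH Login.
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            + inner + "</cas:serviceResponse>")

def sample_success(*groupings):
    attrs = "".join(f"<cas:uhReleasedGrouping>{g}</cas:uhReleasedGrouping>"
                    for g in groupings)
    return sample_response("<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
                           f"<cas:attributes>{attrs}</cas:attributes>"
                           "</cas:authenticationSuccess>")

# Constructed inputs: grouping names other than MFA_GROUPING are made up.
WITH_MFA = sample_success("hawaii.edu:example:constructed-group", MFA_GROUPING)
LOOKALIKE = sample_success(MFA_GROUPING + "-pilot")  # a substring test would pass this
NO_ATTRS = sample_response("<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
                           "</cas:authenticationSuccess>")
FAILURE = sample_response('<cas:authenticationFailure code="INVALID_TICKET">'
                          "bad ticket</cas:authenticationFailure>")

if __name__ == "__main__":
    for name in ("WITH_MFA", "LOOKALIKE", "NO_ATTRS", "FAILURE"):
        print(name, used_mfa(globals()[name]))
```

The check fails closed: a missing attribute, a validation failure or unparseable XML is treated the same as "MFA not used", which is the case where the application would send the user to the MFA-required page.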
