I have implemented an /impersonate endpoint that our developers use on our dev server. It includes an impersonate input field on login for the id to be impersonated. The impersonators.json file lists developers by their login id, and each login id has a list of services they are allowed to impersonate. When a developer logs in to a service with impersonate, the SSO session is set as their authentication and the service validate returns the id of the impersonation only when from a new login. An error is displayed if they try to impersonate a service they don't have access to.
If there is interest I can look into getting this merged, if surrogate cannot be configured to fit the need.

Travis

On Fri, Oct 26, 2018 at 7:13 AM Christian Poirier <[email protected]> wrote:
> Hi Guys,
>
> I am looking for someone who had the idea to implement the surrogate
> authorization function based on service (Authentication Service).
> I mean that services defined in Json files filter users who can
> impersonalize.
> Sample:
>
> cas.properties
> cas.authn.surrogate.rest.method=GET
> cas.authn.surrogate.rest.order=0
> cas.authn.surrogate.rest.caseInsensitive=false
> cas.authn.surrogate.rest.basicAuthUsername=uid
> cas.authn.surrogate.rest.basicAuthPassword=password
> cas.authn.surrogate.rest.url=https://rest.somewhere.org/surrogateController
>
> service.json
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "testId",
>   "name" : "testId",
>   "id" : 1,
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.SurrogateRegisteredServiceAccessStrategy",
>     "surrogateEnabled" : true,
>     "enabled": true,
>     "ssoEnabled": true
>   }
> }
>
> And then the parameters sent to the REST Web API are serviceId, principal,
> surrogateUser
>
> I ask this because I have many applications and some users have access to
> the surrogate authentication for some applications and other users have
> access to other applications but not all.
>
> The way the functionality is implemented in CAS is if two services use
> the surrogate authentication, the users are common for the two services.
>
> Is it in the plan to add this functionality?
>
> Christian Poirier
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Developer" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.
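Both messages describe the same per-service authorization decision: a login id is allowed to impersonate (be a surrogate) only on the services listed for it, and anything else is refused. The following is an added example, not code from Travis's patch, from Christian's setup or from CAS itself. It assumes the impersonators.json shape Travis describes (login id to list of service ids; the sample file content is constructed) and the three parameter names Christian says CAS sends to the surrogate REST endpoint (serviceId, principal, surrogateUser). The function and file names are hypothetical.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape described for impersonators.json:
# each developer login id maps to the service ids it may impersonate on.
IMPERSONATORS_JSON = """
{
  "alice": ["testId", "reports"],
  "bob":   ["testId"]
}
"""


def load_policy(text: str) -> Dict[str, List[str]]:
    """Parse the policy file and reject malformed entries up front.

    A malformed file raises instead of silently becoming an empty (or
    over-broad) policy, so a bad deploy fails closed rather than open.
    """
    raw = json.loads(text)
    if not isinstance(raw, dict):
        raise ValueError("policy root must be an object keyed by login id")
    policy: Dict[str, List[str]] = {}
    for login, services in raw.items():
        if not isinstance(services, list) or not all(isinstance(s, str) for s in services):
            raise ValueError(f"services for {login!r} must be a list of service id strings")
        policy[login] = services
    return policy


def may_impersonate(policy: Dict[str, List[str]], principal: str,
                    service_id: str, surrogate: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit allow denies."""
    if not principal or not service_id or not surrogate:
        return False, "missing principal, serviceId or surrogateUser"
    allowed = policy.get(principal)
    if allowed is None:
        return False, f"{principal} is not a registered impersonator"
    # Exact, case-sensitive comparison of the service id, matching the
    # caseInsensitive=false setting shown in the thread.
    if service_id not in allowed:
        return False, f"{principal} may not impersonate on service {service_id}"
    return True, "ok"


def handle_surrogate_request(policy: Dict[str, List[str]],
                             params: Dict[str, str]) -> Dict[str, object]:
    """Decision a per-service surrogate REST authorizer would return.

    The parameter names are the ones the thread says CAS sends
    (serviceId, principal, surrogateUser); the 200/403 mapping and the
    reason field for audit logging are this example's own convention.
    """
    ok, reason = may_impersonate(
        policy,
        params.get("principal", ""),
        params.get("serviceId", ""),
        params.get("surrogateUser", ""),
    )
    return {
        "status": 200 if ok else 403,
        "reason": reason,
        "principal": params.get("principal", ""),
        "serviceId": params.get("serviceId", ""),
        "surrogateUser": params.get("surrogateUser", ""),
    }


if __name__ == "__main__":
    pol = load_policy(IMPERSONATORS_JSON)
    print(handle_surrogate_request(pol, {"serviceId": "testId", "principal": "bob", "surrogateUser": "user42"}))
    print(handle_surrogate_request(pol, {"serviceId": "reports", "principal": "bob", "surrogateUser": "user42"}))
```

The point of keying the policy by login id and then by service, rather than by a single global list as Christian describes CAS doing, is that a developer who is a legitimate impersonator on one application gains nothing on the others; the deny reasons are returned so they can be logged alongside the principal and target on every refused attempt.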
