I can't speak to 5.1.x; we've been experimenting with surrogate since 5.2
and only using it actively since 5.3.

I can say that any user can be a surrogate; it is not restricted to admin
users. The only restriction is the authorization.

We use a REST endpoint to authorize surrogate requests. Our POM includes
both the surrogate-workflow and surrogate-authentication-rest dependencies.
Could you need another dependency to enable the actual authorization? When
working on a proof of concept, I used a JSON file. It seemed to provide
more flexibility.

If the primary user authentication succeeds, then CAS will need to resolve
attributes for the given target. If CAS cannot identify the given target,
I'm not sure what to expect in the logs. A useful test is to use the form
'+primary_username' which, if the user is authorized, will show a list of
the users eligible for impersonation.

Also keep in mind that not all properties can be applied on the fly. Some
changes in the cas.properties file require a restart.

-dirk

On Thu, Jan 10, 2019 at 2:08 PM Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:

> Hi all,
>
> Couple of questions regarding Surrogate Authentication....
>
> 1. Does the user that logs in have to also be a CAS admin? I'd like to map
> a specific non-admin user to another non-admin user.
>
> 2. If I am using LDAP authentication in CAS 5.1.2 do I have to do the
> surrogate mapping via LDAP as well? I've pulled in the surrogate dependency
> in my pom.xml file and added this to my cas.properties file...
>
> cas.authn.surrogate.separator=+
> cas.authn.surrogate.simple.surrogates.casuser=mary,bob
>
> I thought I could then put "mary+bob" in the username field along with
> bob's password and I'd be logged in as mary but I just end up getting
> logged in as bob with nothing mentioned about mary in the log files.
>
> Thanks for any help you can provide.
>
>
> On 1/9/2019 9:29 PM, Tepe, Dirk wrote:
>
> We are successfully using surrogate authentication with CAS 5.3.x.
> Beginning with 5.3.0, the CAS audit log includes the surrogate
> authorization details, which was important for our ISO. There were some
> bumps and changes related to attribute release in the 5.3.x releases, so
> beware.
>
> -dirk
>
> On Wed, Jan 9, 2019 at 4:40 PM Brian Gibson <
> gibson_br...@wheatoncollege.edu> wrote:
>
>> I think that's it!
>>
>> Thanks, I'll do some testing and report back.
>>
>> Appreciate your help.
>>
>>
>> On 1/9/2019 4:29 PM, David Curry wrote:
>>
>> I've never played with it myself, but isn't this:
>>
>>
>> https://apereo.github.io/cas/5.1.x/installation/Surrogate-Authentication.html
>>
>> what you're talking about?
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>
>> On Wed, Jan 9, 2019 at 2:48 PM Brian Gibson <
>> gibson_br...@wheatoncollege.edu> wrote:
>>
>>> Hi all,
>>>
>>> Is there a way within a service entry in CAS 5.1 to say that if person A
>>> logs in successfully, send them to the service as person B?
>>>
>>> I checked the 5.1 service-related docs but couldn't find anything.
>>>
>>> Thanks,
>>>
>>> Brian
>>>
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/541cb878-ace9-e180-fb86-4f8f66b5ab65%40wheatoncollege.edu
>>> .
>>>
>>

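An added example, not part of the thread and not CAS's own code: a small Python model of how the two properties quoted above relate to the `surrogate+primary` username form, including the `+primary_username` listing test. It assumes the key suffix after `surrogates.` is the authenticating (primary) user and the values are the accounts that user may impersonate; the function names are hypothetical.

```python
# Model of surrogate login parsing and authorization (added example, not CAS source).
# Assumption: in cas.authn.surrogate.simple.surrogates.<primary>=<a>,<b> the key
# suffix is the primary (authenticating) user and the values are the accounts
# that user may impersonate; the username form is <surrogate><separator><primary>.

PREFIX = "cas.authn.surrogate.simple.surrogates."

def load_surrogates(properties_text):
    """Return (separator, {primary: set of accounts it may impersonate})."""
    separator, mapping = "+", {}  # "+" assumed as the default separator
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "cas.authn.surrogate.separator":
            separator = value
        elif key.startswith(PREFIX):
            mapping[key[len(PREFIX):]] = {v.strip() for v in value.split(",") if v.strip()}
    return separator, mapping

def evaluate_login(username, separator, mapping):
    """Classify a username field value; the primary's password check is out of scope."""
    if separator not in username:
        return ("plain", username, None)
    surrogate, primary = username.split(separator, 1)
    allowed = mapping.get(primary, set())
    if surrogate == "":
        # '+primary' form: list the accounts this primary may impersonate
        return ("list", primary, sorted(allowed))
    if surrogate in allowed:
        return ("impersonate", primary, surrogate)
    # What the server does after a failed authorization is not modelled here.
    return ("not_authorized", primary, surrogate)

# Constructed input: the two properties quoted in the thread.
THREAD_CONFIG = """
cas.authn.surrogate.separator=+
cas.authn.surrogate.simple.surrogates.casuser=mary,bob
"""

if __name__ == "__main__":
    sep, mapping = load_surrogates(THREAD_CONFIG)
    for attempt in ("mary+bob", "+bob", "mary+casuser", "+casuser", "bob"):
        print(attempt, "->", evaluate_login(attempt, sep, mapping))
```

Under that assumption the quoted mapping authorizes `casuser`, not `bob`, so `mary+bob` has no matching entry and `+bob` returns an empty list.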