Hi everyone,
Dirk, thanks for all the suggestions, I 'think' I am close. I created
the c:\etc\cas\config\surrogates.json file and it looks like this...
{
"bob": ["mary", "jim"]
}
and I am referencing the surrogates.json file from my cas.properties
file like this...
cas.authn.surrogate.separator=+
cas.authn.surrogate.json.config.location=file:/etc/cas/config/surrogates.json
When I go to log into a service I enter "mary+bob" in the username field
along with bob's password and I get taken to the service successfully as
bob (unfortunately not mary) and this is what I see in the logs...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
WHO: (Real user: [bob], Surrogate user: [mary])
WHAT: Supplied credentials: [[surrogateUsername=mary]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jan 22 16:14:47 EST 2019
CLIENT IP ADDRESS: <HIDDEN>
SERVER IP ADDRESS: <HIDDEN>
2019-01-22 16:14:47,559 WARN
[org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] -
<Authentication attribute [samlAuthenticationStatementAuthMethod] has no
value and is not collected>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Any ideas on what I'm missing? I don't think I need the
surrogate-authentication-rest dependencies since I believe that has to
do with building a web page with surrogate users to choose from and in
our case we are explicitly referencing the target's name with the
personA+PersonB syntax.
Thanks!
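To make the semantics in this thread concrete, here is an added Python model (not CAS's own code) of the "surrogate+primary" username split, the surrogates.json authorization check, and the audit WHO line from the post above; the mapping, separator and names are copied from the post, and the function names are my own.

```python
import json
import re

# Constructed copy of the surrogates.json from the post: primary user -> eligible surrogates.
SURROGATES_JSON = '{"bob": ["mary", "jim"]}'
SEPARATOR = "+"  # value of cas.authn.surrogate.separator in the post

# Constructed copy of the audit WHO line from the post.
AUDIT_WHO = "WHO: (Real user: [bob], Surrogate user: [mary])"
WHO_RE = re.compile(r"Real user: \[([^\]]*)\], Surrogate user: \[([^\]]*)\]")


def load_surrogates(text):
    """Parse the JSON file into {primary: set(surrogates)}; reject any other shape."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("surrogate file must be a JSON object keyed by primary username")
    return {str(p): {str(s) for s in surrogates} for p, surrogates in data.items()}


def split_username(entered, separator=SEPARATOR):
    """Surrogate is left of the separator, primary (whose password is checked) is right.
    'mary+bob' -> ('bob', 'mary'); '+bob' -> ('bob', ''); 'bob' -> ('bob', None)."""
    if separator not in entered:
        return entered, None
    surrogate, _, primary = entered.partition(separator)
    if not primary:
        raise ValueError("primary username after the separator is required")
    return primary, surrogate


def resolve(entered, mapping, separator=SEPARATOR):
    """Decide who the service should see once the primary's password has been verified.
    Returns (primary, surrogate, effective_user, eligible); effective_user is None
    when the request is denied or when '+primary' only asks for the eligible list."""
    primary, surrogate = split_username(entered, separator)
    eligible = sorted(mapping.get(primary, set()))
    if surrogate is None:
        return primary, None, primary, eligible      # ordinary login, no impersonation
    if surrogate == "":
        return primary, "", None, eligible           # selection form: list eligible users
    allowed = surrogate in eligible
    return primary, surrogate, (surrogate if allowed else None), eligible


def parse_audit_who(line):
    """Pull (real_user, surrogate_user) out of a CAS audit WHO line, or None if absent."""
    m = WHO_RE.search(line)
    return (m.group(1), m.group(2)) if m else None
```

Run against the post's own values, "mary+bob" resolves to an effective user of mary because bob's entry lists her, while "alice+bob" is denied; the audit line parses to real user bob and surrogate mary, which is what a log review should confirm for every impersonated session.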
On 1/11/2019 9:07 AM, Tepe, Dirk wrote:
I can't speak to 5.1.x, we've been experimenting with surrogate since
5.2 and only using it actively since 5.3.
I can say that any user can be a surrogate; it is not restricted to
admin users. The only restriction is the authorization.
We use a REST endpoint to authorize surrogate requests. Our POM
includes both the surrogate-workflow and surrogate-authentication-rest
dependencies. Could you need another dependency to enable the actual
authorization? When working on a proof of concept, I used a json file.
It seemed to provide more flexibility.
If the primary user authentication succeeds, then CAS will need to
resolve attributes for the given target. If CAS cannot identify the
given target, I'm not sure what to expect in the logs. A useful test
is to use the form '+primary_username' which, if the user is
authorized, will show a list of the users eligible for impersonation.
Also keep in mind that not all properties can be applied on the fly.
Some changes in the cas.properties file require a restart.
-dirk
On Thu, Jan 10, 2019 at 2:08 PM Brian Gibson
<gibson_br...@wheatoncollege.edu> wrote:
Hi all,
A couple of questions regarding Surrogate Authentication...
1. Does the user that logs in have to also be a CAS admin? I'd
like to map a specific non-admin user to another non-admin user.
2. If I am using LDAP authentication in CAS 5.1.2 do I have to do
the surrogate mapping via LDAP as well? I've pulled in the
surrogate dependency in my pom.xml file and added this to my
cas.properties file...
cas.authn.surrogate.separator=+
cas.authn.surrogate.simple.surrogates.casuser=mary,bob
I thought I could then put "mary+bob" in the username field along
with bob's password and I'd be logged in as mary but I just end up
getting logged in as bob with nothing mentioned about mary in the
log files.
Thanks for any help you can provide.
On 1/9/2019 9:29 PM, Tepe, Dirk wrote:
We are successfully using surrogate authentication with CAS
5.3.x. Beginning with 5.3.0, the CAS audit log includes the
surrogate authorization details, which was important for our ISO.
There were some bumps and changes related to attribute release in
the 5.3.x releases, so beware.
-dirk
On Wed, Jan 9, 2019 at 4:40 PM Brian Gibson
<gibson_br...@wheatoncollege.edu> wrote:
I think that's it!
Thanks, I'll do some testing and report back.
Appreciate your help.
On 1/9/2019 4:29 PM, David Curry wrote:
I've never played with it myself, but isn't this:
https://apereo.github.io/cas/5.1.x/installation/Surrogate-Authentication.html
what you're talking about?
--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu
On Wed, Jan 9, 2019 at 2:48 PM Brian Gibson
<gibson_br...@wheatoncollege.edu> wrote:
Hi all,
Is there a way within a service entry in CAS 5.1 to say
that if person A
logs in successfully, send them to the service as person B?
I checked the 5.1 service-related docs but couldn't find
anything.
Thanks,
Brian
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to
the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to
cas-user+unsubscr...@apereo.org
<mailto:cas-user%2bunsubscr...@apereo.org>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/541cb878-ace9-e180-fb86-4f8f66b5ab65%40wheatoncollege.edu.