Hi Matt,

That is the entirety of our surrogate configuration. CAS will return the
surrogate user's attributes, not the authenticated user's.

Jonathon

On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon <[email protected]> wrote:
> Also does it return the surrogate user's attributes, or the authenticated
> user's attributes?
>
> Thank you,
> Matt
>
> On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
>
>> Thank you Jonathon. I will have to look at doing it via LDAP. I was just
>> trying to do it via a local JSON file. Is that the entirety of your
>> surrogate config?
>>
>> Thank you,
>> Matt
>>
>> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>>
>>> Not sure if this helps, but we use impersonation with LDAP and we did
>>> not have to use a groovy script. We are on 6.5.8. Here's an example of
>>> our configuration:
>>>
>>> cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
>>> cas.authn.surrogate.ldap.base-dn=.....
>>> # this filter gets the attributes of the account being impersonated
>>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
>>> cas.authn.surrogate.ldap.bind-dn=<bind_dn>
>>> cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
>>> cas.authn.surrogate.ldap.use-start-tls=true
>>>
>>> # this is the format of the group that a person has to be in
>>> # in order to impersonate the 'surrogate'
>>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>>> # this builds the list of authorized accounts for impersonation
>>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf=${cas.custom.properties.surrogate-format}))
>>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>>> # this extracts the 'friendly' name of the account to be impersonated
>>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>>>
>>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <[email protected]>
>>> wrote:
>>>
>>>> I am using only LDAP (AD) as my attribute repository.
>>>>
>>>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>>>
>>>> I am trying to get it to resolve the impersonated user's attributes,
>>>> but no luck.
>>>>
>>>> It appears that I have to have a groovy script:
>>>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>>>
>>>> Here is my config so far:
>>>>
>>>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>>>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>>>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>>>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>>>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>>>
>>>> If I do need the groovy script, which it appears is required, what
>>>> should it be doing? Any examples?
>>>>
>>>> I can log in and the impersonation works, but without attributes it's
>>>> pretty useless.
>>>>
>>>> Thank you,
>>>> Matt
>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>>>
>>> --
>>> Jonathon Taylor
>>> Information Security Office
>>> [email protected]

--
Jonathon Taylor
Information Security Office
[email protected]
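As an added illustration (not code from this thread and not CAS's own implementation), the following Python models the authorization logic that Jonathon's LDAP properties express: the authenticated user's isMemberOf values are run through member-attribute-value-regex to extract the accounts they may impersonate, and the two search filters are built by substituting the {user}, {surrogate} and {0} placeholders seen in the posted configuration. The directory data, the first-match regex semantics, the placeholder substitution and the RFC 4515 escaping of substituted values are this example's own assumptions, not a description of CAS internals.

```python
import re
from typing import Dict, Iterable, List

# Property values copied from the configuration posted in the thread.
SURROGATE_FORMAT = "cn=group-{surrogate}"
MEMBER_ATTRIBUTE_VALUE_REGEX = r"cn=group-([^,]+)"
# ${cas.custom.properties.surrogate-format} expanded inline.
SURROGATE_SEARCH_FILTER = "(&(cn={user})(isMemberOf=" + SURROGATE_FORMAT + "))"
ACCOUNT_SEARCH_FILTER = "(&(objectClass=eduPerson)(|(cn={0})))"

# RFC 4515 escaping for values placed inside an LDAP filter. This is the
# example's own defensive choice (assumption), so that a username or
# surrogate name can never change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def authorized_surrogates(is_member_of: Iterable[str]) -> List[str]:
    """Apply member-attribute-value-regex to each group DN the user belongs to.

    Capture group 1 is the 'friendly' surrogate name; DNs that do not match
    the pattern (ordinary groups) grant nothing. First-match semantics is an
    assumption of this example.
    """
    pattern = re.compile(MEMBER_ATTRIBUTE_VALUE_REGEX)
    found = []
    for dn in is_member_of:
        match = pattern.search(dn)
        if match:
            found.append(match.group(1))
    return found


def surrogate_search_filter(user: str, surrogate: str) -> str:
    """Filter that only matches when `user` is in the group named for `surrogate`."""
    return (SURROGATE_SEARCH_FILTER
            .replace("{user}", escape_filter_value(user))
            .replace("{surrogate}", escape_filter_value(surrogate)))


def account_search_filter(surrogate: str) -> str:
    """Filter used to fetch the impersonated account's own attributes."""
    return ACCOUNT_SEARCH_FILTER.replace("{0}", escape_filter_value(surrogate))


def can_impersonate(user: str, surrogate: str, directory: Dict[str, dict]) -> bool:
    """Authorization decision: the authenticated user may act as `surrogate`
    only if one of their isMemberOf values names the group for that surrogate."""
    entry = directory.get(user)
    if entry is None:
        return False
    return surrogate in authorized_surrogates(entry.get("isMemberOf", []))


# Constructed, offline stand-in for the directory (not real data).
CONSTRUCTED_DIRECTORY = {
    "helpdesk1": {
        "isMemberOf": [
            "cn=group-jdoe,ou=groups,dc=example,dc=edu",
            "cn=group-asmith,ou=groups,dc=example,dc=edu",
            "cn=staff,ou=groups,dc=example,dc=edu",
        ]
    },
    "jdoe": {"isMemberOf": ["cn=staff,ou=groups,dc=example,dc=edu"]},
}

if __name__ == "__main__":
    print(authorized_surrogates(CONSTRUCTED_DIRECTORY["helpdesk1"]["isMemberOf"]))
    print(can_impersonate("helpdesk1", "jdoe", CONSTRUCTED_DIRECTORY))
    print(surrogate_search_filter("helpdesk1", "jdoe"))
    print(account_search_filter("jdoe"))
```

Reading the two filters side by side makes Jonathon's point concrete: the surrogate-search-filter decides who is allowed to impersonate whom (membership in a per-target group), while search-filter fetches the target account, which is why the attributes CAS returns belong to the surrogate rather than to the person who logged in.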
