Thank you both for the help! I was able to get it working, albeit with the
REST version rather than LDAP. The JSON version would probably work as well.
#========================================
# LDAP ATTRIBUTE REPOSITORY
#========================================
cas.person-directory.active-attribute-repository-ids=attributes
cas.person-directory.attribute-resolution-enabled=true
cas.person-directory.principalAttribute=sAMAccountName
cas.person-directory.return-null=false
cas.person-directory.principal-resolution-failure-fatal=true
cas.person-directory.use-existing-principal-id=false
cas.authn.attribute-repository.core.default-attributes-to-release=cn,givenName,sn,displayName,affiliation
cas.authn.attribute-repository.ldap[0].id=attributes
cas.authn.attribute-repository.ldap[0].order=0
cas.authn.attribute-repository.ldap[0].binary-attributes.objectGUID=objectGUID
cas.authn.attribute-repository.ldap[0].attributes.userPrincipalName=userPrincipalName
cas.authn.attribute-repository.ldap[0].attributes.dn=distinguishedName
cas.authn.attribute-repository.ldap[0].attributes.sn=sn
cas.authn.attribute-repository.ldap[0].attributes.cn=cn
cas.authn.attribute-repository.ldap[0].attributes.givenName=givenName
cas.authn.attribute-repository.ldap[0].attributes.sAMAccountName=sAMAccountName
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
cas.authn.attribute-repository.ldap[0].attributes.memberOf=memberOf
cas.authn.attribute-repository.ldap[0].connectTimeout=PT3S
cas.authn.attribute-repository.ldap[0].baseDn=[base_dn]
cas.authn.attribute-repository.ldap[0].subtreeSearch=true
cas.authn.attribute-repository.ldap[0].searchFilter=(sAMAccountName={user})
cas.authn.attribute-repository.ldap[0].bindDn=[bind_user]
cas.authn.attribute-repository.ldap[0].bindCredential=[bind_password]
cas.authn.attribute-repository.ldap[0].ldap-url=[ldap_url]
#========================================
# Impersonation / Surrogate Authentication
#========================================
cas.authn.surrogate.rest.url=[url]
cas.authn.surrogate.principal.active-attribute-repository-ids=attributes
cas.authn.surrogate.principal.attribute-resolution-enabled=true
cas.authn.surrogate.principal.principal-attribute=sAMAccountName
cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
On Thursday, November 24, 2022 at 12:36:30 AM UTC-5 [email protected]
wrote:
> Try this as well.
>
> https://fawnoos.com/2018/05/07/cas-impersonation-authn/
>
> -Jeff
>
> On Wed, Nov 23, 2022 at 8:21 PM Matthew Gordon <[email protected]> wrote:
>
>> Thank you Jonathon.
>>
>> On Monday, November 14, 2022 at 10:16:12 PM UTC-5 Jonathon Taylor wrote:
>>
>>> Hi Matt,
>>>
>>> That is the entirety of our surrogate configuration. CAS will return
>>> the surrogate user attributes, not the authenticated user.
>>>
>>> Jonathon
>>>
>>> On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon <[email protected]> wrote:
>>>
>>>> Also, does it return the surrogate user's attributes, or the
>>>> authenticated user's attributes?
>>>>
>>>> Thank you,
>>>> Matt
>>>>
>>>> On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
>>>>
>>>>> Thank you Jonathon. I will have to look at doing it via LDAP. I was
>>>>> just trying to do it via a local JSON file. Is that the entirety of your
>>>>> surrogate config?
>>>>>
>>>>> Thank you,
>>>>> Matt
>>>>>
>>>>> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>>>>>
>>>>>> Not sure if this helps, but we use impersonation with LDAP and we did
>>>>>> not have to use a groovy script. We are on 6.5.8. Here's an example of
>>>>>> our configuration:
>>>>>>
>>>>>> cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
>>>>>> cas.authn.surrogate.ldap.base-dn=.....
>>>>>> # this filter gets the attributes of the account being impersonated
>>>>>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
>>>>>> cas.authn.surrogate.ldap.bind-dn=<bind_dn>
>>>>>> cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
>>>>>> cas.authn.surrogate.ldap.use-start-tls=true
>>>>>>
>>>>>> # this is the format of the group that a person has to be in
>>>>>> # in order to impersonate the 'surrogate'
>>>>>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>>>>>> # this builds the list of authorized accounts for impersonation
>>>>>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf=${cas.custom.properties.surrogate-format}))
>>>>>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>>>>>> # this extracts the 'friendly' name of the account to be impersonated
>>>>>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>>>>>>
>>>>>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> I am using only LDAP (AD) as my attribute repository.
>>>>>>>
>>>>>>>
>>>>>>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>>>>>>
>>>>>>> I am trying to get it to resolve the impersonated user's attributes,
>>>>>>> but no luck.
>>>>>>>
>>>>>>> It appears that I have to have a groovy script:
>>>>>>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>>>>>>
>>>>>>> Here is my config so far:
>>>>>>>
>>>>>>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>>>>>>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>>>>>>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>>>>>>>
>>>>>>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>>>>>>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>>>>>>
>>>>>>> If I do need the groovy script, which since it appears to be
>>>>>>> required, what should it be doing? Any examples?
>>>>>>>
>>>>>>> I can log in and the impersonation works, but without attributes it's
>>>>>>> pretty useless.
>>>>>>>
>>>>>>> Thank you,
>>>>>>> Matt
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jonathon Taylor
>>>>>> Information Security Office
>>>>>> [email protected]
>>>>>>
>>>>>
>>>
>>> --
>>> Jonathon Taylor
>>> Information Security Office
>>> [email protected]
>>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/896992fc-696c-458c-953a-014aa12e8016n%40apereo.org.
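An added example, not code from any poster or from CAS itself, modelling how the LDAP surrogate configuration Jonathon shared derives the accounts a user may impersonate: the surrogate-search-filter is expanded with an escaped {user} value, and member-attribute-value-regex is applied to each isMemberOf value. The directory contents are constructed, and substituting `*` for {surrogate} when listing all eligible accounts is an assumption of this example.

```python
import re

# Constructed sample directory (not real data): cn -> isMemberOf values.
DIRECTORY = {
    "alice": [
        "cn=group-bob,ou=groups,dc=example,dc=edu",
        "cn=group-carol,ou=groups,dc=example,dc=edu",
        "cn=staff,ou=groups,dc=example,dc=edu",
    ],
    "dave": ["cn=staff,ou=groups,dc=example,dc=edu"],
}

# Values copied from the posted surrogate configuration.
SURROGATE_FORMAT = "cn=group-{surrogate}"
MEMBER_VALUE_REGEX = re.compile(r"cn=group-([^,]+)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP filter, so a
    login name containing '*' or ')' cannot change the shape of the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def surrogate_search_filter(user: str, surrogate: str = None) -> str:
    """Expand the posted surrogate-search-filter for one user. With no
    surrogate given, '*' stands in for {surrogate} (assumption, see lead-in)."""
    target = "*" if surrogate is None else escape_filter_value(surrogate)
    group = SURROGATE_FORMAT.replace("{surrogate}", target)
    return "(&(cn=%s)(isMemberOf=%s))" % (escape_filter_value(user), group)


def impersonation_accounts(user: str) -> list:
    """Accounts `user` may impersonate: run member-attribute-value-regex over
    every isMemberOf value and keep the captured 'friendly' names."""
    names = []
    for value in DIRECTORY.get(user, []):
        m = MEMBER_VALUE_REGEX.match(value)
        if m:
            names.append(m.group(1))
    return names


def can_impersonate(user: str, surrogate: str) -> bool:
    """Authorisation check: does `user` hold the group named for `surrogate`?"""
    wanted = SURROGATE_FORMAT.replace("{surrogate}", surrogate)
    return any(v.split(",", 1)[0] == wanted for v in DIRECTORY.get(user, []))


if __name__ == "__main__":
    print(surrogate_search_filter("alice"))
    print(impersonation_accounts("alice"))
    print(can_impersonate("dave", "bob"))
```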