(CAS 6.6.x)

The documentation suggests that in the SurrogatedRegisteredServiceAccessStrategies the attributes/principal being evaluated is the "primary" user (specifically, it says: "Decide whether the primary user is tagged with enough attributes and entitlements to allow impersonation to execute" and the example attribute is a givenName of "Administrator"), which I understood to be the person doing the impersonating (aka, "admin" in the test+admin construction).

However, in my tests of both the Groovy and Attribute flavors of the strategy, the attributes and principals being evaluated are those of the account being impersonated ("test" in the test+admin construction). I've reproduced this in a very trimmed-down environment, so I don't think it's a quirk of my config.

Which account's attributes are supposed to be evaluated and/or exposed to the Groovy script? And if it is meant to be the surrogate, are there any hints on how to resolve attributes for the primary account for use in the Groovy script strategy? It'd be helpful in my environment if we could make access decisions based on the primary account's attributes.

Thanks in advance,
Matt




