On 5/4/23 3:31 PM, Ray Bon wrote:
> 2. release surrogate id [test] and surrogate attributes to application
> [groovy script] (i.e. as far as application is concerned, it only ever
> knows about surrogate, and nothing about admin)
So just to clarify, that means when the documentation here:
https://apereo.github.io/cas/6.6.x/authentication/Surrogate-Authentication-AccessStrategy.html
states
"Additionally, you may on a per-service level define whether an
application is authorized to leverage surrogate authentication." it's
auctually just referring to controlling what attributes from the
surrogate are released to the service? (Which is a way of denying, so I
can see it).
Remain slightly perplexed however, because the documentation says:
"Decide whether the primary user is tagged with enough attributes and
entitlements to allow impersonation to execute," but it sounds like it's
expected that the primary user and their attribute plays no role.
I've got the feature working fine, the hope was to just say that user X
could only impersonate user Y for certain services, and the
documentation seemed to suggest these RegisteredServiceAccessStrategies
were the methods for doing so.
In any case, I'll go look to see if there's a way to copy over some
attributes from the principal to the surrogate via the method you suggested.
Matt
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/67bed492-8e0c-07c6-ca0f-0dfbbeec986c%40fastmail.net.
