Oscar,

I have found that with LDAP authn, the principal and the surrogate have to be 
in the same LDAP search tree.
It is possible that there is a general expectation that principal and surrogate 
exist in the same authn source (though I am not sure how that would work with 
delegated authn).

I changed one line in SurrogateLdapAuthenticationService.java to scan all LDAP 
trees (the code was already in the class, it just was not being used).

Does Entra MFA only apply to the Entra login, or can it be accessed after 
authn; like Duo?

Does Entra offer a surrogate capability?

Ray
________________________________
From: [email protected] <[email protected]> on behalf of Oscar William 
<[email protected]>
Sent: March 4, 2026 07:53
To: CAS Community <[email protected]>
Subject: [cas-user] CAS 7.3.4 + Entra + Surrogate

Hello,

I am building a new CAS server since our old one is on version 5.3.

We are going to have a single service, which is Google Workspace.
We are using DUO MFA for now, but are not going to renew licenses, which end 
this month. Because of this, we decided to authenticate on Entra, having the 
MFA capability for users.

I am able to authenticate on Entra, but I don't get the account impersonation 
selection after logging in.

I've tested it on LDAP authentication and it works fine.

My question is, is it possible to have this authentication flow?
User accesses CAS -> CAS redirects to Entra -> User logs in -> Redirect back to 
CAS showing the list of accounts available for impersonation -> Select the 
account and login to Google Workspace.

I'm having big trouble trying to make this work, I am GPTing and Geminiying a 
lot, but got multiple errors.

If I can get a direction, I appreciate it a lot.

Thank you,

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]<mailto:[email protected]>.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ec4d9be5-f30f-4de9-be6c-428081157e29n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/ec4d9be5-f30f-4de9-be6c-428081157e29n%40apereo.org?utm_medium=email&utm_source=footer>.
