Ray,
We're implementing delegation to Entra here as well, but we've not gotten 
into the whole Impersonation functionality (and what controls would need to 
be imposed around it), so I can't answer for that part.

On Wednesday, March 4, 2026 at 2:59:58 PM UTC-5 Ray Bon wrote:

....
Does Entra MFA only apply to the Entra login, or can it be accessed after 
authn, like Duo?


The MFA functionality, even when still using Duo (for Entra), becomes 
integrated into the Entra ID login experience from the user's perspective. 
CAS does not do a second call for the MFA in that case, but it does get 
back the "http://schemas.microsoft.com/claims/authnmethodsreferences" 
attribute from Entra, which CAS could be programmed to ingest and check for 
a value of "http://schemas.microsoft.com/claims/multipleauthn" (it is a 
multi-valued attribute). I looked and it does not appear that there is 
currently a way of using it in CAS, however, and it is unlikely that Entra ID 
will pass that back as a proper ACR via SAML2 delegation (which CAS can 
apparently ingest today).


Does Entra offer a surrogate capability?


It appears that does exist, but I have no idea what the limitations and 
caveats are.


Ray
------------------------------
*From:* [email protected] <[email protected]> on behalf of Oscar William <[email protected]>
*Sent:* March 4, 2026 07:53
*To:* CAS Community <[email protected]>
*Subject:* [cas-user] CAS 7.3.4 + Entra + Surrogate 
Hello,

I am building a new CAS server since our old one is on version 5.3. 

We are going to have a single service, which is Google Workspace.
We are using DUO MFA for now, but are not going to renew the licenses, which 
end this month. Because of this, we decided to authenticate on Entra, 
having the MFA capability for users.

I am able to authenticate on Entra, but I don't get the account 
impersonation selection after logging in.

I've tested it on LDAP authentication and it works fine.

My question is: is it possible to have this authentication flow?
User accesses CAS -> CAS redirects to Entra -> User logs in -> Redirect back 
to CAS showing the list of accounts available for impersonation -> Select 
the account and log in to Google Workspace.

I'm having big trouble trying to make this work, I am GPTing and Geminiying 
a lot, but got multiple errors.

If I can get a direction, I appreciate it a lot.

Thank you,

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to [email protected].
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ec4d9be5-f30f-4de9-be6c-428081157e29n%40apereo.org

To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/902e08ea-fac6-4193-ade8-be8dac5fbd03n%40apereo.org
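The quoted reply above notes that CAS receives the multi-valued
"http://schemas.microsoft.com/claims/authnmethodsreferences" attribute from
Entra and could be programmed to check it for
"http://schemas.microsoft.com/claims/multipleauthn" before treating the login
as MFA-backed. The following is an added Python illustration of that check,
not code from CAS, from Entra, or from anyone on this thread. It assumes the
delegated principal's attributes have already been handed to some policy hook
as a plain dict; the only identifiers taken from the thread are the two claim
URIs, and every other attribute name and value in the samples is constructed.
The check fails closed: a missing attribute counts as "no MFA", and a value
that arrives as a single string (as some attribute mappings collapse
single-valued attributes) is handled the same as a list.

```python
"""Check whether an Entra-delegated login asserted MFA via authnmethodsreferences.

Added example; not CAS project code. The two claim URIs are those quoted on the
cas-user thread; all sample attribute maps below are constructed test data.
"""

# Claim URIs quoted on the thread.
AMR_ATTRIBUTE = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"


def _as_list(value):
    """Normalize an attribute value to a list of strings.

    The attribute is multi-valued, but a mapping layer may deliver a single
    value as a bare string; treat None as "attribute absent".
    """
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def mfa_satisfied(attributes: dict) -> bool:
    """Return True only if authnmethodsreferences contains the multipleauthn value."""
    return MFA_VALUE in _as_list(attributes.get(AMR_ATTRIBUTE))


def authorize(attributes: dict, service_requires_mfa: bool) -> dict:
    """Policy decision for a delegated login.

    Denies when the target service requires MFA and Entra did not assert it.
    An absent attribute is treated as "MFA not asserted" (fail closed), so a
    misconfigured claim mapping cannot silently grant access.
    """
    mfa = mfa_satisfied(attributes)
    if service_requires_mfa and not mfa:
        return {"allowed": False, "reason": "mfa-not-asserted", "mfa": False}
    return {"allowed": True, "reason": "ok", "mfa": mfa}


# Constructed sample principals (not real Entra output). "urn:example:password"
# is a placeholder for whatever first-factor method URI Entra reports.
SAMPLE_MFA_LOGIN = {
    "upn": "[email protected]",  # constructed
    AMR_ATTRIBUTE: ["urn:example:password", MFA_VALUE],
}
SAMPLE_PASSWORD_ONLY = {
    "upn": "[email protected]",  # constructed
    AMR_ATTRIBUTE: ["urn:example:password"],
}
SAMPLE_SINGLE_STRING = {
    "upn": "[email protected]",  # constructed
    AMR_ATTRIBUTE: MFA_VALUE,  # single value collapsed to a string
}
SAMPLE_NO_CLAIM = {"upn": "[email protected]"}  # constructed; mapping missing


if __name__ == "__main__":
    for name, principal in [
        ("mfa login", SAMPLE_MFA_LOGIN),
        ("password only", SAMPLE_PASSWORD_ONLY),
        ("single string", SAMPLE_SINGLE_STRING),
        ("no claim", SAMPLE_NO_CLAIM),
    ]:
        print(f"{name:14s} -> {authorize(principal, service_requires_mfa=True)}")
```

Run it directly to see the four decisions; only the first and third principals are
allowed when the service requires MFA. Because the check keys on a specific
value rather than on the attribute merely being present, a login that reports
only a first factor is rejected even though the attribute itself was returned.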
