Re: [cas-user] Impersonation / Surrogate-Authentication
Thank you both for the help! I was able to get it working, albeit with the
REST version rather than LDAP. The JSON version would probably work as well.
#
# LDAP ATTRIBUTE REPOSITORY
#
cas.person-directory.active-attribute-repository-ids=attributes
cas.person-directory.attribute-resolution-enabled=true
cas.person-directory.principalAttribute=sAMAccountName
cas.person-directory.return-null=false
cas.person-directory.principal-resolution-failure-fatal=true
cas.person-directory.use-existing-principal-id=false
cas.authn.attribute-repository.core.default-attributes-to-release=cn,givenName,sn,displayName,affiliation
cas.authn.attribute-repository.ldap[0].id=attributes
cas.authn.attribute-repository.ldap[0].order=0
cas.authn.attribute-repository.ldap[0].binary-attributes.objectGUID=objectGUID
cas.authn.attribute-repository.ldap[0].attributes.userPrincipalName=userPrincipalName
cas.authn.attribute-repository.ldap[0].attributes.dn=distinguishedName
cas.authn.attribute-repository.ldap[0].attributes.sn=sn
cas.authn.attribute-repository.ldap[0].attributes.cn=cn
cas.authn.attribute-repository.ldap[0].attributes.givenName=givenName
cas.authn.attribute-repository.ldap[0].attributes.sAMAccountName=sAMAccountName
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
cas.authn.attribute-repository.ldap[0].attributes.memberOf=memberOf
cas.authn.attribute-repository.ldap[0].connectTimeout=PT3S
cas.authn.attribute-repository.ldap[0].baseDn=[base_dn]
cas.authn.attribute-repository.ldap[0].subtreeSearch=true
cas.authn.attribute-repository.ldap[0].searchFilter=(sAMAccountName={user})
cas.authn.attribute-repository.ldap[0].bindDn=[bind_user]
cas.authn.attribute-repository.ldap[0].bindCredential=[bind_password]
cas.authn.attribute-repository.ldap[0].ldap-url=[ldap_url]
#
# Impersonation / Surrogate Authentication
#
cas.authn.surrogate.rest.url=[url]
cas.authn.surrogate.principal.active-attribute-repository-ids=attributes
cas.authn.surrogate.principal.attribute-resolution-enabled=true
cas.authn.surrogate.principal.principal-attribute=sAMAccountName
cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
On Thursday, November 24, 2022 at 12:36:30 AM UTC-5 jeffrey...@gmail.com
wrote:
> Try this as well.
>
> https://fawnoos.com/2018/05/07/cas-impersonation-authn/
>
> -Jeff
>
> On Wed, Nov 23, 2022 at 8:21 PM Matthew Gordon wrote:
>
>> Thank you Jonathon.
>>
>> On Monday, November 14, 2022 at 10:16:12 PM UTC-5 Jonathon Taylor wrote:
>>
>>> Hi Matt,
>>>
>>> That is the entirety of our surrogate configuration. CAS will return
>>> the surrogate user attributes, not the authenticated user.
>>>
>>> Jonathon
>>>
>>> On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon wrote:
>>>
Also does it return the surrogate users attributes, or the
authenticated users attributes?
Thank you,
Matt
On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
> Thank you Jonathon. I will have to look at doing it via LDAP. I was
> just trying to do it via a local JSON file. Is that the entirety of your
> surrogate config?
>
> Thank you,
> Matt
>
> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>
>> Not sure if this helps, but we use impersonation with LDAP and we did
>> not have to use a groovy script. We are on 6.5.8. Here's an example of
>> our configuration:
>>
>> cas.authn.surrogate.ldap.ldap-url=ldap://
>> cas.authn.surrogate.ldap.base-dn=.
>> # this filter gets the attributes of the account being impersonated
>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn
>> ={0})))
>> cas.authn.surrogate.ldap.bind-dn=
>> cas.authn.surrogate.ldap.bind-credential=
>> cas.authn.surrogate.ldap.use-start-tls=true
>>
>> # this is the format of the group that a person has to be in
>> # in order to impersonate the 'surrogate'
>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>> # this builds the list of authorized accounts for impersonation
>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(
>> isMemberOf=${cas.custom.properties.surrogate-format}))
>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>> # this extracts the 'friendly' name of the account to be impersonated
>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn
>> =group-([^,]+)
>>
>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon
>> wrote:
>>
>>> I am using only LDAP (AD) as my attribute repository.
>>>
>>>
>>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>>
>>> I am trying to get it to resolved the impersonated users
Re: [cas-user] Impersonation / Surrogate-Authentication
Try this as well.
https://fawnoos.com/2018/05/07/cas-impersonation-authn/
-Jeff
On Wed, Nov 23, 2022 at 8:21 PM Matthew Gordon wrote:
> Thank you Jonathon.
>
> On Monday, November 14, 2022 at 10:16:12 PM UTC-5 Jonathon Taylor wrote:
>
>> Hi Matt,
>>
>> That is the entirety of our surrogate configuration. CAS will return the
>> surrogate user attributes, not the authenticated user.
>>
>> Jonathon
>>
>> On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon wrote:
>>
>>> Also does it return the surrogate users attributes, or the authenticated
>>> users attributes?
>>>
>>> Thank you,
>>> Matt
>>>
>>> On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
>>>
Thank you Jonathon. I will have to look at doing it via LDAP. I was
just trying to do it via a local JSON file. Is that the entirety of your
surrogate config?
Thank you,
Matt
On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
> Not sure if this helps, but we use impersonation with LDAP and we did
> not have to use a groovy script. We are on 6.5.8. Here's an example of
> our configuration:
>
> cas.authn.surrogate.ldap.ldap-url=ldap://
> cas.authn.surrogate.ldap.base-dn=.
> # this filter gets the attributes of the account being impersonated
> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn
> ={0})))
> cas.authn.surrogate.ldap.bind-dn=
> cas.authn.surrogate.ldap.bind-credential=
> cas.authn.surrogate.ldap.use-start-tls=true
>
> # this is the format of the group that a person has to be in
> # in order to impersonate the 'surrogate'
> cas.custom.properties.surrogate-format=cn=group-{surrogate}
> # this builds the list of authorized accounts for impersonation
> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(
> isMemberOf=${cas.custom.properties.surrogate-format}))
> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
> # this extracts the 'friendly' name of the account to be impersonated
> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>
> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon
> wrote:
>
>> I am using only LDAP (AD) as my attribute repository.
>>
>>
>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>
>> I am trying to get it to resolved the impersonated users attributes,
>> but no luck.
>>
>> It appears that I have to have a groovy script:
>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>
>> Here is my config so far:
>>
>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>>
>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>
>> If I do need the groovy script, which since it appears to be
>> required, what should it be doing? Any examples?
>>
>> I can login and the impersonation works, but without attributes it's
>> pretty useless.
>>
>> Thank you,
>> Matt
>>
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>>
>> .
>>
>
>
> --
> Jonathon Taylor
> Information Security Office
> jona...@berkeley.edu
>
>>
>> --
>> Jonathon Taylor
>> Information Security Office
>> jona...@berkeley.edu
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/e180d6e6-67c7-4d6d-80d3-4ae0f176143dn%40apereo.org
>
Re: [cas-user] Impersonation / Surrogate-Authentication
Thank you Jonathon.
On Monday, November 14, 2022 at 10:16:12 PM UTC-5 Jonathon Taylor wrote:
> Hi Matt,
>
> That is the entirety of our surrogate configuration. CAS will return the
> surrogate user attributes, not the authenticated user.
>
> Jonathon
>
> On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon wrote:
>
>> Also does it return the surrogate users attributes, or the authenticated
>> users attributes?
>>
>> Thank you,
>> Matt
>>
>> On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
>>
>>> Thank you Jonathon. I will have to look at doing it via LDAP. I was just
>>> trying to do it via a local JSON file. Is that the entirety of your
>>> surrogate config?
>>>
>>> Thank you,
>>> Matt
>>>
>>> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>>>
Not sure if this helps, but we use impersonation with LDAP and we did
not have to use a groovy script. We are on 6.5.8. Here's an example of
our configuration:
cas.authn.surrogate.ldap.ldap-url=ldap://
cas.authn.surrogate.ldap.base-dn=.
# this filter gets the attributes of the account being impersonated
cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn
={0})))
cas.authn.surrogate.ldap.bind-dn=
cas.authn.surrogate.ldap.bind-credential=
cas.authn.surrogate.ldap.use-start-tls=true
# this is the format of the group that a person has to be in
# in order to impersonate the 'surrogate'
cas.custom.properties.surrogate-format=cn=group-{surrogate}
# this builds the list of authorized accounts for impersonation
cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(
isMemberOf=${cas.custom.properties.surrogate-format}))
cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
# this extracts the 'friendly' name of the account to be impersonated
cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon
wrote:
> I am using only LDAP (AD) as my attribute repository.
>
>
> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>
> I am trying to get it to resolved the impersonated users attributes,
> but no luck.
>
> It appears that I have to have a groovy script:
> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>
> Here is my config so far:
>
> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
> cas.authn.surrogate.principal.attribute-resolution-enabled=true
> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>
> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>
> If I do need the groovy script, which since it appears to be required,
> what should it be doing? Any examples?
>
> I can login and the impersonation works, but without attributes it's
> pretty useless.
>
> Thank you,
> Matt
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>
>
> .
>
--
Jonathon Taylor
Information Security Office
jona...@berkeley.edu
>>>
>
> --
> Jonathon Taylor
> Information Security Office
> jona...@berkeley.edu
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e180d6e6-67c7-4d6d-80d3-4ae0f176143dn%40apereo.org.
Re: [cas-user] Impersonation / Surrogate-Authentication
Hi Matt,
That is the entirety of our surrogate configuration. CAS will return the
surrogate user attributes, not the authenticated user.
Jonathon
On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon wrote:
> Also does it return the surrogate users attributes, or the authenticated
> users attributes?
>
> Thank you,
> Matt
>
> On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
>
>> Thank you Jonathon. I will have to look at doing it via LDAP. I was just
>> trying to do it via a local JSON file. Is that the entirety of your
>> surrogate config?
>>
>> Thank you,
>> Matt
>>
>> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>>
>>> Not sure if this helps, but we use impersonation with LDAP and we did
>>> not have to use a groovy script. We are on 6.5.8. Here's an example of
>>> our configuration:
>>>
>>> cas.authn.surrogate.ldap.ldap-url=ldap://
>>> cas.authn.surrogate.ldap.base-dn=.
>>> # this filter gets the attributes of the account being impersonated
>>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn
>>> ={0})))
>>> cas.authn.surrogate.ldap.bind-dn=
>>> cas.authn.surrogate.ldap.bind-credential=
>>> cas.authn.surrogate.ldap.use-start-tls=true
>>>
>>> # this is the format of the group that a person has to be in
>>> # in order to impersonate the 'surrogate'
>>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>>> # this builds the list of authorized accounts for impersonation
>>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(
>>> isMemberOf=${cas.custom.properties.surrogate-format}))
>>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>>> # this extracts the 'friendly' name of the account to be impersonated
>>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>>>
>>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon
>>> wrote:
>>>
I am using only LDAP (AD) as my attribute repository.
https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
I am trying to get it to resolved the impersonated users attributes,
but no luck.
It appears that I have to have a groovy script:
cas.authn.surrogate.principal.principal-transformation.groovy.location=
Here is my config so far:
cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
cas.authn.surrogate.principal.attribute-resolution-enabled=true
cas.authn.surrogate.principal.active-attribute-repository-ids=core
cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
If I do need the groovy script, which since it appears to be required,
what should it be doing? Any examples?
I can login and the impersonation works, but without attributes it's
pretty useless.
Thank you,
Matt
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+u...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
.
>>>
>>>
>>> --
>>> Jonathon Taylor
>>> Information Security Office
>>> jona...@berkeley.edu
>>>
>>
--
Jonathon Taylor
Information Security Office
jonath...@berkeley.edu
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABzqDo-o_s%2BMUfnWpcVsQ4tNTm077hXHA1JWd9a6pajVBMBSkQ%40mail.gmail.com.
Re: [cas-user] Impersonation / Surrogate-Authentication
Also does it return the surrogate users attributes, or the authenticated
users attributes?
Thank you,
Matt
On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
> Thank you Jonathon. I will have to look at doing it via LDAP. I was just
> trying to do it via a local JSON file. Is that the entirety of your
> surrogate config?
>
> Thank you,
> Matt
>
> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>
>> Not sure if this helps, but we use impersonation with LDAP and we did not
>> have to use a groovy script. We are on 6.5.8. Here's an example of our
>> configuration:
>>
>> cas.authn.surrogate.ldap.ldap-url=ldap://
>> cas.authn.surrogate.ldap.base-dn=.
>> # this filter gets the attributes of the account being impersonated
>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn
>> ={0})))
>> cas.authn.surrogate.ldap.bind-dn=
>> cas.authn.surrogate.ldap.bind-credential=
>> cas.authn.surrogate.ldap.use-start-tls=true
>>
>> # this is the format of the group that a person has to be in
>> # in order to impersonate the 'surrogate'
>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>> # this builds the list of authorized accounts for impersonation
>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf
>> =${cas.custom.properties.surrogate-format}))
>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>> # this extracts the 'friendly' name of the account to be impersonated
>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>>
>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon wrote:
>>
>>> I am using only LDAP (AD) as my attribute repository.
>>>
>>>
>>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>>
>>> I am trying to get it to resolved the impersonated users attributes, but
>>> no luck.
>>>
>>> It appears that I have to have a groovy script:
>>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>>
>>> Here is my config so far:
>>>
>>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>>
>>> If I do need the groovy script, which since it appears to be required,
>>> what should it be doing? Any examples?
>>>
>>> I can login and the impersonation works, but without attributes it's
>>> pretty useless.
>>>
>>> Thank you,
>>> Matt
>>>
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>>>
>>>
>>> .
>>>
>>
>>
>> --
>> Jonathon Taylor
>> Information Security Office
>> jona...@berkeley.edu
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c65cc1de-a66a-4919-90e7-0f721344dbafn%40apereo.org.
Re: [cas-user] Impersonation / Surrogate-Authentication
Thank you Jonathon. I will have to look at doing it via LDAP. I was just
trying to do it via a local JSON file. Is that the entirety of your
surrogate config?
Thank you,
Matt
On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
> Not sure if this helps, but we use impersonation with LDAP and we did not
> have to use a groovy script. We are on 6.5.8. Here's an example of our
> configuration:
>
> cas.authn.surrogate.ldap.ldap-url=ldap://
> cas.authn.surrogate.ldap.base-dn=.
> # this filter gets the attributes of the account being impersonated
> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn
> ={0})))
> cas.authn.surrogate.ldap.bind-dn=
> cas.authn.surrogate.ldap.bind-credential=
> cas.authn.surrogate.ldap.use-start-tls=true
>
> # this is the format of the group that a person has to be in
> # in order to impersonate the 'surrogate'
> cas.custom.properties.surrogate-format=cn=group-{surrogate}
> # this builds the list of authorized accounts for impersonation
> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf
> =${cas.custom.properties.surrogate-format}))
> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
> # this extracts the 'friendly' name of the account to be impersonated
> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>
> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon wrote:
>
>> I am using only LDAP (AD) as my attribute repository.
>>
>>
>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>
>> I am trying to get it to resolved the impersonated users attributes, but
>> no luck.
>>
>> It appears that I have to have a groovy script:
>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>
>> Here is my config so far:
>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>
>> If I do need the groovy script, which since it appears to be required,
>> what should it be doing? Any examples?
>>
>> I can login and the impersonation works, but without attributes it's
>> pretty useless.
>>
>> Thank you,
>> Matt
>>
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>>
>>
>> .
>>
>
>
> --
> Jonathon Taylor
> Information Security Office
> jona...@berkeley.edu
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a03242f3-b7ca-4eae-9314-f31346f7a7a0n%40apereo.org.
Re: [cas-user] Impersonation / Surrogate-Authentication
Not sure if this helps, but we use impersonation with LDAP and we did not
have to use a groovy script. We are on 6.5.8. Here's an example of our
configuration:
cas.authn.surrogate.ldap.ldap-url=ldap://
cas.authn.surrogate.ldap.base-dn=.
# this filter gets the attributes of the account being impersonated
cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
cas.authn.surrogate.ldap.bind-dn=
cas.authn.surrogate.ldap.bind-credential=
cas.authn.surrogate.ldap.use-start-tls=true
# this is the format of the group that a person has to be in
# in order to impersonate the 'surrogate'
cas.custom.properties.surrogate-format=cn=group-{surrogate}
# this builds the list of authorized accounts for impersonation
cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf
=${cas.custom.properties.surrogate-format}))
cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
# this extracts the 'friendly' name of the account to be impersonated
cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon wrote:
> I am using only LDAP (AD) as my attribute repository.
>
>
> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>
> I am trying to get it to resolved the impersonated users attributes, but
> no luck.
>
> It appears that I have to have a groovy script:
> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>
> Here is my config so far:
> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
> cas.authn.surrogate.principal.attribute-resolution-enabled=true
> cas.authn.surrogate.principal.active-attribute-repository-ids=core
> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>
> If I do need the groovy script, which since it appears to be required,
> what should it be doing? Any examples?
>
> I can login and the impersonation works, but without attributes it's
> pretty useless.
>
> Thank you,
> Matt
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>
> .
>
--
Jonathon Taylor
Information Security Office
jonath...@berkeley.edu
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABzqDo-%3DKj7yYNJXhEf3osjjth68%3DUOKPwTZrfaSRc2LhAN_1g%40mail.gmail.com.
[cas-user] Impersonation / Surrogate-Authentication
I am using only LDAP (AD) as my attribute repository. https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution I am trying to get it to resolved the impersonated users attributes, but no luck. It appears that I have to have a groovy script: cas.authn.surrogate.principal.principal-transformation.groovy.location= Here is my config so far: cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json cas.authn.surrogate.principal.attribute-resolution-enabled=true cas.authn.surrogate.principal.active-attribute-repository-ids=core cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last cas.authn.surrogate.principal.principal-resolution-failure-fatal=true If I do need the groovy script, which since it appears to be required, what should it be doing? Any examples? I can login and the impersonation works, but without attributes it's pretty useless. Thank you, Matt -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org.
