Just to be clear, you did include 'cas-server-support-surrogate-webflow' in your dependencies, right? While you don't need the REST dependency, you do need that one.
-dirk

On Tue, Jan 22, 2019 at 4:30 PM Brian Gibson <[email protected]> wrote:
> Hi everyone,
>
> Dirk, thanks for all the suggestions, I 'think' I am close. I created the
> c:\etc\cas\config\surrogates.json file and it looks like this...
>
> {
>   "bob": ["mary", "jim"]
> }
>
> and I am referencing the surrogates.json file from my cas.properties file
> like this...
>
> cas.authn.surrogate.separator=+
> cas.authn.surrogate.json.config.location=file:/etc/cas/config/surrogates.json
>
> When I go to log into a service I enter "mary+bob" in the username field
> along with bob's password and I get taken to the service successfully as
> bob (unfortunately not mary) and this is what I see in the logs...
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> WHO: (Real user: [bob], Surrogate user: [mary])
> WHAT: Supplied credentials: [[surrogateUsername=mary]]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Jan 22 16:14:47 EST 2019
> CLIENT IP ADDRESS: <HIDDEN>
> SERVER IP ADDRESS: <HIDDEN>
> 2019-01-22 16:14:47,559 *WARN [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Authentication attribute [samlAuthenticationStatementAuthMethod] has no value and is not collected>*
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Any ideas on what I'm missing? I don't think I need the
> surrogate-authentication-rest dependencies since I believe that has to do
> with building a web page with surrogate users to choose from and in our
> case we are explicitly referencing the target's name with the
> personA+PersonB syntax.
>
> Thanks!
>
> On 1/11/2019 9:07 AM, Tepe, Dirk wrote:
>
> I can't speak to 5.1.x, we've been experimenting with surrogate since 5.2
> and only using it actively since 5.3.
>
> I can say that any user can be a surrogate, it is not restricted to admin
> users. The only restriction is the authorization.
>
> We use a REST endpoint to authorize surrogate requests.
> Our POM includes both the surrogate-workflow and
> surrogate-authentication-rest dependencies.
> Could you need another dependency to enable the actual authorization? When
> working on a proof of concept, I used a json file. It seemed to provide
> more flexibility.
>
> If the primary user authentication succeeds, then CAS will need to resolve
> attributes for the given target. If CAS cannot identify the given target,
> I'm not sure what to expect in the logs. A useful test is to use the form
> '+primary_username' which, if the user is authorized, will show a list of
> the users eligible for impersonation.
>
> Also keep in mind that not all properties can be applied on the fly. Some
> changes in the cas.properties file require a restart.
>
> -dirk
>
> On Thu, Jan 10, 2019 at 2:08 PM Brian Gibson <[email protected]> wrote:
>
>> Hi all,
>>
>> Couple of questions regarding Surrogate Authentication....
>>
>> 1. Does the user that logs in have to also be a CAS admin? I'd like to
>> map a specific non-admin user to another non-admin user.
>>
>> 2. If I am using LDAP authentication in CAS 5.1.2 do I have to do the
>> surrogate mapping via LDAP as well? I've pulled in the surrogate dependency
>> in my pom.xml file and added this to my cas.properties file...
>>
>> cas.authn.surrogate.separator=+
>> cas.authn.surrogate.simple.surrogates.casuser=mary,bob
>>
>> I thought I could then put "mary+bob" in the username field along with
>> bob's password and I'd be logged in as mary but I just end up getting
>> logged in as bob with nothing mentioned about mary in the log files.
>>
>> Thanks for any help you can provide.
>>
>> On 1/9/2019 9:29 PM, Tepe, Dirk wrote:
>>
>> We are successfully using surrogate authentication with CAS 5.3.x.
>> Beginning with 5.3.0, the CAS audit log includes the surrogate
>> authorization details, which was important for our ISO. There were some
>> bumps and changes related to attribute release in the 5.3.x releases, so
>> beware.
>>
>> -dirk
>>
>> On Wed, Jan 9, 2019 at 4:40 PM Brian Gibson <[email protected]> wrote:
>>
>>> I think that's it!
>>>
>>> Thanks, I'll do some testing and report back.
>>>
>>> Appreciate your help.
>>>
>>> On 1/9/2019 4:29 PM, David Curry wrote:
>>>
>>> I've never played with it myself, but isn't this:
>>>
>>> https://apereo.github.io/cas/5.1.x/installation/Surrogate-Authentication.html
>>>
>>> what you're talking about?
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • [email protected]
>>>
>>> On Wed, Jan 9, 2019 at 2:48 PM Brian Gibson <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Is there a way within a service entry in CAS 5.1 to say that if person A
>>>> logs in successfully, send them to the service as person B?
>>>>
>>>> I checked the 5.1 service-related docs but couldn't find anything.
>>>>
>>>> Thanks,
>>>>
>>>> Brian
>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/541cb878-ace9-e180-fb86-4f8f66b5ab65%40wheatoncollege.edu
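
An added example, not part of the thread and not CAS project code: a Python cross-check of audit records in the layout Brian quotes against the surrogates.json mapping, the kind of review the audit-log remark in the thread points to. The sample records, the plain `WHO: bob` form for a non-surrogate login, and all function names are constructed for illustration.

```python
import json
import re

# Constructed sample with the same shape as the surrogates.json in the thread:
# primary (real) user -> accounts that user may impersonate.
SURROGATES_JSON = '{"bob": ["mary", "jim"]}'

# Constructed audit records laid out like the excerpt quoted in the thread.
# The plain "WHO: bob" form for a non-surrogate login is an assumption.
AUDIT_LOG = """\
WHO: (Real user: [bob], Surrogate user: [mary])
ACTION: AUTHENTICATION_SUCCESS
WHEN: Tue Jan 22 16:14:47 EST 2019
WHO: (Real user: [jim], Surrogate user: [mary])
ACTION: AUTHENTICATION_SUCCESS
WHEN: Tue Jan 22 16:20:03 EST 2019
WHO: bob
ACTION: AUTHENTICATION_SUCCESS
WHEN: Tue Jan 22 16:25:41 EST 2019
"""

WHO_RE = re.compile(r"\(Real user: \[([^\]]+)\], Surrogate user: \[([^\]]+)\]\)")
FIELDS = {"WHO", "WHAT", "ACTION", "APPLICATION", "WHEN"}

def parse_records(text):
    """Group 'KEY: value' lines into one dict per record; WHO opens a record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep or key not in FIELDS:
            continue  # separators, WARN lines and other noise
        if key == "WHO":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def review_surrogate_logins(audit_text, surrogates_json):
    """Return (when, real, target, verdict) for each successful surrogate login."""
    allowed = json.loads(surrogates_json)
    findings = []
    for rec in parse_records(audit_text):
        m = WHO_RE.fullmatch(rec.get("WHO", ""))
        if not m or rec.get("ACTION") != "AUTHENTICATION_SUCCESS":
            continue  # ordinary login or a non-success event
        real, target = m.groups()
        verdict = "authorized" if target in allowed.get(real, []) else "NOT_IN_MAPPING"
        findings.append((rec.get("WHEN"), real, target, verdict))
    return findings

if __name__ == "__main__":
    for finding in review_surrogate_logins(AUDIT_LOG, SURROGATES_JSON):
        print(finding)
```

A `NOT_IN_MAPPING` verdict means the audit trail shows an impersonation that the JSON file does not permit, which is worth investigating whether the cause is a stale mapping file or a second authorization source.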
