Hi Dirk,

Unfortunately, when I add the "cas-server-support-surrogate-webflow" dependency to my pom.xml file, I get the following error when I do "mvn clean package":

[ERROR] Failed to execute goal on project cas-overlay: Could not resolve dependencies for project org.apereo.cas:cas-overlay:war:1.0: Could not find artifact org.apereo.cas:cas-server-support-surrogate-webflow:jar:5.1.2 in sonatype-releases (http://oss.sonatype.org/content/repositories/releases/) -> [Help 1]
[ERROR]

From what I remember reading, the 5.1.x docs only mentioned the "cas-server-support-surrogate-authentication" dependency in the Surrogate setup directions and the other surrogate webflow and rest dependencies only started appearing (I think) in the 5.2 docs and above.




On 1/22/2019 9:05 PM, Tepe, Dirk wrote:
Just to be clear, you did include 'cas-server-support-surrogate-webflow' in your dependencies, right? While you don't need the REST dependency, you do need that one.

-dirk

On Tue, Jan 22, 2019 at 4:30 PM Brian Gibson <[email protected]> wrote:

    Hi everyone,

    Dirk, thanks for all the suggestions, I 'think' I am close. I
    created the c:\etc\cas\config\surrogates.json file and it looks
    like this...

    {
        "bob": ["mary", "jim"]
    }

    and I am referencing the surrogates.json file from my
    cas.properties file like this...

    cas.authn.surrogate.separator=+
    cas.authn.surrogate.json.config.location=file:/etc/cas/config/surrogates.json

    When I go to log into a service I enter "mary+bob" in the username
    field along with bob's password and I get taken to the service
    successfully as bob (unfortunately not mary) and this is what I
    see in the logs...


    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    WHO: (Real user: [bob], Surrogate user: [mary])
    WHAT: Supplied credentials: [[surrogateUsername=mary]]
    ACTION: AUTHENTICATION_SUCCESS
    APPLICATION: CAS
    WHEN: Tue Jan 22 16:14:47 EST 2019
    CLIENT IP ADDRESS: <HIDDEN>
    SERVER IP ADDRESS: <HIDDEN>
    2019-01-22 16:14:47,559 WARN
    [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder]
    - <Authentication attribute
    [samlAuthenticationStatementAuthMethod] has no value and is not
    collected>

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Any ideas on what I'm missing? I don't think I need the
    surrogate-authentication-rest dependencies since I believe that
    has to do with building a web page with surrogate users to choose
    from and in our case we are explicitly referencing the target's
    name with the personA+PersonB syntax.

    Thanks!




    On 1/11/2019 9:07 AM, Tepe, Dirk wrote:
    I can't speak to 5.1.x, we've been experimenting with surrogate
    since 5.2 and only using it actively since 5.3.

    I can say that any user can be a surrogate, it is not restricted
    to admin users. The only restriction is the authorization.

    We use a REST endpoint to authorize surrogate requests. Our POM
    includes both the surrogate-workflow and
    surrogate-authentication-rest dependencies. Could you need
    another dependency to enable the actual authorization? When
    working on a proof of concept, I used a json file. It seemed to
    provide more flexibility.

    If the primary user authentication succeeds, then CAS will need
    to resolve attributes for the given target. If CAS cannot
    identify the given target, I'm not sure what to expect in the
    logs. A useful test is to use the form '+primary_username' which,
    if the user is authorized, will show a list of the users eligible
    for impersonation.

    Also keep in mind that not all properties can be applied on the
    fly. Some changes in the cas.properties file require a restart.

    -dirk

    On Thu, Jan 10, 2019 at 2:08 PM Brian Gibson <[email protected]> wrote:

        Hi all,

        Couple of questions regarding Surrogate Authentication....

        1. Does the user that logs in have to also be a CAS admin?
        I'd like to map a specific non-admin user to another
        non-admin user.

        2. If I am using LDAP authentication in CAS 5.1.2 do I have
        to do the surrogate mapping via LDAP as well? I've pulled in
        the surrogate dependency in my pom.xml file and added this to
        my cas.properties file...

        cas.authn.surrogate.separator=+
        cas.authn.surrogate.simple.surrogates.casuser=mary,bob

        I thought I could then put "mary+bob" in the username field
        along with bob's password and I'd be logged in as mary but I
        just end up getting logged in as bob with nothing mentioned
        about mary in the log files.

        Thanks for any help you can provide.


        On 1/9/2019 9:29 PM, Tepe, Dirk wrote:
        We are successfully using surrogate authentication with CAS
        5.3.x. Beginning with 5.3.0, the CAS audit log includes the
        surrogate authorization details, which was important for our
        ISO. There were some bumps and changes related to attribute
        release in the 5.3.x releases, so beware.

        -dirk

        On Wed, Jan 9, 2019 at 4:40 PM Brian Gibson <[email protected]> wrote:

            I think that's it!

            Thanks, I'll do some testing and report back.

            Appreciate your help.


            On 1/9/2019 4:29 PM, David Curry wrote:
            I've never played with it myself, but isn't this:

            
            https://apereo.github.io/cas/5.1.x/installation/Surrogate-Authentication.html

            what you're talking about?


            --

            DAVID A. CURRY, CISSP
            *DIRECTOR OF INFORMATION SECURITY*
            THE NEW SCHOOL • INFORMATION TECHNOLOGY

            71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
            +1 212 229-5300 x4728 • [email protected]



            On Wed, Jan 9, 2019 at 2:48 PM Brian Gibson <[email protected]> wrote:

                Hi all,

                Is there a way within a service entry in CAS 5.1 to
                say that if person A
                logs in successfully, send them to the service as
                person B?

                I checked the 5.1 service-related docs but couldn't
                find anything.

                Thanks,

                Brian


-- - Website: https://apereo.github.io/cas
                - Gitter Chatroom: https://gitter.im/apereo/cas
                - List Guidelines: https://goo.gl/1VRrw7
                - Contributions: https://goo.gl/mh7qDG
                ---
                You received this message because you are
                subscribed to the Google Groups "CAS Community" group.
                To unsubscribe from this group and stop receiving
                emails from it, send an email to
                [email protected]
                <mailto:cas-user%[email protected]>.
                To view this discussion on the web visit
                
https://groups.google.com/a/apereo.org/d/msgid/cas-user/541cb878-ace9-e180-fb86-4f8f66b5ab65%40wheatoncollege.edu.


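Added example, not part of the original thread and not CAS code: a Python model of the "surrogate+primary" username syntax and the surrogates.json mapping discussed above, plus a check of audit WHO lines against that mapping. The function names and the split-at-first-separator rule are assumptions made for illustration.

```python
import json
import re

SEPARATOR = "+"  # cas.authn.surrogate.separator as set in the thread
# Constructed sample with the same shape as the surrogates.json in the thread:
# primary account -> accounts it is allowed to impersonate.
MAPPING = json.loads('{"bob": ["mary", "jim"]}')
WHO_RE = re.compile(r"WHO: \(Real user: \[(?P<real>[^\]]+)\], "
                    r"Surrogate user: \[(?P<surrogate>[^\]]+)\]\)")


def parse_username(value, sep=SEPARATOR):
    """Split 'surrogate<sep>primary' into (surrogate, primary).

    No separator is an ordinary login (surrogate is None). A leading
    separator gives an empty surrogate, the '+primary_username' form.
    Assumption: the split happens at the first separator.
    """
    if sep not in value:
        return None, value
    surrogate, primary = value.split(sep, 1)
    return surrogate, primary


def authorize(value, mapping=MAPPING):
    """Return (primary, effective_user, eligible); raise if not allowed."""
    surrogate, primary = parse_username(value)
    eligible = mapping.get(primary, [])
    if surrogate is None:
        return primary, primary, eligible
    if surrogate == "":
        return primary, None, eligible  # caller picks from eligible
    if surrogate not in eligible:
        raise PermissionError(f"{primary} may not impersonate {surrogate}")
    return primary, surrogate, eligible


def unauthorized_events(audit_text, mapping=MAPPING):
    """List (real, surrogate) pairs in audit text that mapping does not allow."""
    return [(m["real"], m["surrogate"]) for m in WHO_RE.finditer(audit_text)
            if m["surrogate"] not in mapping.get(m["real"], [])]


if __name__ == "__main__":
    # Constructed audit lines in the WHO format quoted in the thread.
    sample = ("WHO: (Real user: [bob], Surrogate user: [mary])\n"
              "WHO: (Real user: [jim], Surrogate user: [bob])\n")
    print(authorize("mary+bob"))
    print(unauthorized_events(sample))
```

Running `unauthorized_events` over exported audit entries gives a quick review of which impersonations fall outside the configured mapping.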