So, I'll preface this with the understanding that Impersonation (surrogate) 
is a 'development' feature, but I figured I would still try and reach out 
to understand the situation.

Working with CAS 6.6.0, when I try and enable Impersonation and Simple MFA, 
impersonation breaks.  

Details:  

Working with a stock 6.6.0 overlay and a custom cas.properties, if I 
disable the MFA trigger, impersonation works as intended (both via 
selection screen and via user1+user2 on login).

As soon as I enable the MFA trigger:

  cas.authn.mfa.triggers.global.global-provider-id=mfa-simple

... then I get one of two problems happening:

1) Using the impersonation menu (e.g. +username)

When I attempt this, I get the MFA flow for the principal user, and it 
skips the impersonation selection screen.  Login works, no impersonation 
allowed.

2) Using the login name (e.g. surrogateuser+principaluser)

When I attempt this, the MFA validation fails with the following error:

2022-09-21 10:43:13,779 WARN [org.apereo.cas.mfa.simple.validation.DefaultCasSimpleMultifactorAuthenticationService] - <Principal assigned to token [principaluser] is unauthorized for token [CASMFA-######]>
2022-09-21 10:43:13,811 ERROR [org.apereo.cas.mfa.simple.CasSimpleMultifactorAuthenticationHandler] - <Failed to authenticate code CASMFA-######
        DefaultCasSimpleMultifactorAuthenticationService.java:validate:76
        CasSimpleMultifactorAuthenticationHandler.java:doAuthentication:63
        AbstractPreAndPostProcessingAuthenticationHandler.java:authenticate:47
>

Of these two errors, my biggest priority would be getting #1 working.  
Anyone else have any luck getting impersonation to work with MFA?

Thanks,
Chip Nurmi

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6d150ccb-1622-477d-995d-8948ba32841an%40apereo.org.