So, I'll preface this with the understanding that Impersonation (surrogate) 
is a 'development' feature, but I figured I would still try and reach out 
to understand the situation.

Working with CAS 6.6.0, when I try and enable Impersonation and Simple MFA, 
impersonation breaks.  

Details:  

Working with a stock 6.6.0 overlay and a custom cas.properties, if I 
disable the MFA trigger, impersonation works as intended (both via 
selection screen and via user1+user2 on login).

As soon as I enable the MFA trigger:

  cas.authn.mfa.triggers.global.global-provider-id=mfa-simple

... then I get one of two problems happening:

1) Using the impersonation menu (e.g. +username)

When I attempt this, I get the MFA flow for the principal user, and it 
skips the impersonation selection screen.  Login works, no impersonation 
allowed.

2) Using the login name (e.g. surrogateuser+principaluser)

When I attempt this, the MFA validation fails with the following error:

2022-09-21 10:43:13,779 WARN [org.apereo.cas.mfa.simple.validation.DefaultCasSimpleMultifactorAuthenticationService] - <Principal assigned to token [principaluser] is unauthorized for token [CASMFA-######]>
2022-09-21 10:43:13,811 ERROR [org.apereo.cas.mfa.simple.CasSimpleMultifactorAuthenticationHandler] - <Failed to authenticate code CASMFA-######
        DefaultCasSimpleMultifactorAuthenticationService.java:validate:76
        CasSimpleMultifactorAuthenticationHandler.java:doAuthentication:63
        AbstractPreAndPostProcessingAuthenticationHandler.java:authenticate:47
>

Of these two errors, my biggest priority would be getting #1 working.  
Anyone else have any luck getting impersonation to work with MFA?

Thanks,
Chip Nurmi

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6d150ccb-1622-477d-995d-8948ba32841an%40apereo.org.
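The WARN line quoted in the post reports a one-time code that exists but was issued to a different principal than the one it is being validated for. The following is an added illustration written for this thread, not CAS code: a small model of a principal-bound MFA code service, the mismatch that produces a warning of that shape when the impersonated account rather than the authenticating user is presented at validation time, and one way a surrogate-aware flow could resolve the `a+b` login name so the code is checked against the user who actually authenticated. All class and function names are hypothetical, and it assumes the login form used in the post (`surrogateuser+principaluser`: impersonated account first, authenticating user after the separator).

```python
"""Model of a principal-bound MFA code and of why a surrogate (impersonation)
login can fail validation against it.  Added illustration for this thread,
not CAS code; names are hypothetical and the only thing borrowed from CAS is
the wording of the WARN message quoted in the post."""

import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: login form "surrogateuser+principaluser" as in the post, i.e. the
# account being impersonated comes first and the user who really authenticated
# (and therefore owns the MFA code) comes after the separator.
SURROGATE_SEPARATOR = "+"


@dataclass(frozen=True)
class MfaToken:
    token_id: str
    principal: str       # principal the code was issued to
    expires_at: float


class PrincipalBoundMfaService:
    """Issues single-use codes bound to the principal that requested them."""

    def __init__(self, ttl_seconds: float = 300.0):
        self._tokens: Dict[str, MfaToken] = {}
        self._ttl = ttl_seconds

    def issue(self, principal: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # "CASMFA-" prefix mirrors the redacted ids in the log; suffix is random.
        token_id = "CASMFA-" + secrets.token_hex(3).upper()
        self._tokens[token_id] = MfaToken(token_id, principal, now + self._ttl)
        return token_id

    def validate(self, token_id: str, principal: str,
                 now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        token = self._tokens.get(token_id)
        if token is None:
            return False                      # unknown or already consumed
        if now > token.expires_at:
            del self._tokens[token_id]
            return False                      # expired
        if token.principal != principal:
            # Same failure mode as the quoted WARN: the code is valid and
            # unexpired, but it was issued to a different principal.
            print(f"Principal assigned to token [{token.principal}] "
                  f"is unauthorized for token [{token_id}]")
            return False
        del self._tokens[token_id]            # single use
        return True


def split_surrogate_login(login: str) -> Tuple[Optional[str], str]:
    """Return (impersonated_account, authenticating_user) for 'a+b',
    or (None, login) for a plain login name."""
    if SURROGATE_SEPARATOR not in login:
        return None, login
    surrogate, _, authenticating = login.partition(SURROGATE_SEPARATOR)
    return surrogate, authenticating


def complete_surrogate_login(service: PrincipalBoundMfaService, login: str,
                             token_id: str,
                             now: Optional[float] = None) -> Optional[dict]:
    """Check the MFA code against the user who authenticated, not against the
    impersonated account, and return the resulting session view (or None)."""
    surrogate, authenticating = split_surrogate_login(login)
    if not service.validate(token_id, authenticating, now):
        return None
    return {"authenticated_as": authenticating,
            "acting_as": surrogate or authenticating}


if __name__ == "__main__":
    svc = PrincipalBoundMfaService()
    code = svc.issue("principaluser", now=1000.0)
    # Presenting the impersonated account fails, as in the post's log.
    svc.validate(code, "surrogateuser", now=1001.0)
    # Resolving the login name first succeeds and still records the surrogate.
    print(complete_surrogate_login(svc, "surrogateuser+principaluser", code, now=1001.0))
```

The constructed values (`principaluser`, `surrogateuser`, fixed `now` timestamps) exist only to make the run deterministic; the design point is that a code bound to a principal must be validated against the same principal that requested it, so a flow that substitutes the impersonated identity before that check will always fail.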