masquerade as different user


Brian Gibson

Jan 9, 2019, 2:48:12 PM
to CAS Community
Hi all,

Is there a way within a service entry in CAS 5.1 to say that if person A
logs in successfully, send them to the service as person B?

I checked the 5.1 service-related docs but couldn't find anything.

Thanks,

Brian


Martin Bohun

Jan 9, 2019, 3:01:04 PM
to CAS Community
Well, you can create a custom CAS attribute that you populate on successful auth with whatever info you need to set up this "person B", right?
You need to be more specific.

regards,

martin

Matthew Uribe

Jan 9, 2019, 4:19:01 PM
to CAS Community
I've heard this referred to as having a "ghost user" account. Basically a generic account that you, as an administrator, can change the attributes on. For instance, application A requires email address as an attribute. Set the ghost_user1 email address to the email address of the user you are trying to impersonate. Of course this raises ethical/policy questions, which you also need to address before putting something like this into practice. There's also the issue of non-repudiation. If I know that Brian has a method for logging into an application as me, I can log in and do nasty things, then say Brian logged in as me and did it.

Matt

David Curry

Jan 9, 2019, 4:29:38 PM
to cas-...@apereo.org
I've never played with it myself, but isn't this:


what you're talking about?


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL | INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/541cb878-ace9-e180-fb86-4f8f66b5ab65%40wheatoncollege.edu.


Brian Gibson

Jan 9, 2019, 4:40:56 PM
to cas-...@apereo.org, David Curry

I think that's it!

Thanks, I'll do some testing and report back.

Appreciate your help.

Andrew Evans

Jan 9, 2019, 7:12:47 PM
to cas-...@apereo.org
God I hope not. That would be fun for my old job where I pretty much got to HACK

Tepe, Dirk

Jan 9, 2019, 9:29:37 PM
to cas-...@apereo.org
We are successfully using surrogate authentication with CAS 5.3.x. Beginning with 5.3.0, the CAS audit log includes the surrogate authorization details, which was important for our ISO. There were some bumps and changes related to attribute release in the 5.3.x releases, so beware.

-dirk

Brian Gibson

Jan 10, 2019, 2:09:00 PM
to cas-...@apereo.org

Hi all,

Couple of questions regarding Surrogate Authentication....

1. Does the user that logs in have to also be a CAS admin? I'd like to map a specific non-admin user to another non-admin user.

2. If I am using LDAP authentication in CAS 5.1.2 do I have to do the surrogate mapping via LDAP as well? I've pulled in the surrogate dependency in my pom.xml file and added this to my cas.properties file...

cas.authn.surrogate.separator=+
cas.authn.surrogate.simple.surrogates.casuser=mary,bob

I thought I could then put "mary+bob" in the username field along with bob's password and I'd be logged in as mary but I just end up getting logged in as bob with nothing mentioned about mary in the log files.

Thanks for any help you can provide.

Tepe, Dirk

Jan 11, 2019, 9:07:42 AM
to cas-...@apereo.org
I can't speak to 5.1.x, we've been experimenting with surrogate since 5.2 and only using it actively since 5.3.

I can say that any user can be a surrogate, it is not restricted to admin users. The only restriction is the authorization.

We use a REST endpoint to authorize surrogate requests. Our POM includes both the surrogate-workflow and surrogate-authentication-rest dependencies. Could you need another dependency to enable the actual authorization? When working on a proof of concept, I used a json file. It seemed to provide more flexibility.

If the primary user authentication succeeds, then CAS will need to resolve attributes for the given target. If CAS cannot identify the given target, I'm not sure what to expect in the logs. A useful test is to use the form '+primary_username' which, if the user is authorized, will show a list of the users eligible for impersonation.

Also keep in mind that not all properties can be applied on the fly. Some changes in the cas.properties file require a restart.

-dirk

Brian Gibson

Jan 22, 2019, 4:30:24 PM
to cas-...@apereo.org

Hi everyone,

Dirk, thanks for all the suggestions, I 'think' I am close. I created the c:\etc\cas\config\surrogates.json file and it looks like this...

{
    "bob": ["mary", "jim"]
}

and I am referencing the surrogates.json file from my cas.properties file like this...

cas.authn.surrogate.separator=+
cas.authn.surrogate.json.config.location=file:/etc/cas/config/surrogates.json

When I go to log into a service I enter "mary+bob" in the username field along with bob's password and I get taken to the service successfully as bob (unfortunately not mary) and this is what I see in the logs...


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WHO: (Real user: [bob], Surrogate user: [mary])
WHAT: Supplied credentials: [[surrogateUsername=mary]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jan 22 16:14:47 EST 2019
CLIENT IP ADDRESS: <HIDDEN>
SERVER IP ADDRESS: <HIDDEN>
2019-01-22 16:14:47,559 WARN [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Authentication attribute [samlAuthenticationStatementAuthMethod] has no value and is not collected>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Any ideas on what I'm missing? I don't think I need the surrogate-authentication-rest dependencies since I believe that has to do with building a web page with surrogate users to choose from and in our case we are explicitly referencing the target's name with the personA+PersonB syntax.

Thanks!
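
The following is an added illustrative model (not CAS source code, and not from anyone in this thread) of the decision the configuration above sets up: the `+` separator, the surrogates.json mapping of primary user to permitted targets, the `+primary_username` listing form Dirk mentions, and the audit `WHO:` line Brian sees in his log. The function names, the return dictionary shape and the `primary_password_ok` flag are assumptions of this example, standing in for CAS's own authentication handler.

```python
import json
from typing import Dict, Optional, Set, Tuple

# Constructed sample inputs mirroring the thread's configuration:
# cas.authn.surrogate.separator=+ and the surrogates.json mapping of
# primary user -> users that primary may impersonate.
SEPARATOR = "+"
SURROGATES_JSON = '{"bob": ["mary", "jim"]}'


def load_surrogate_map(raw_json: str) -> Dict[str, Set[str]]:
    """Parse the JSON authorization file into primary -> allowed surrogates."""
    return {primary: set(targets) for primary, targets in json.loads(raw_json).items()}


def split_credential(username: str, separator: str = SEPARATOR) -> Tuple[Optional[str], str]:
    """Split 'surrogate+primary' into (surrogate, primary).

    A plain username yields (None, username); the '+primary' form yields
    ('', primary), the listing case Dirk describes.
    """
    if separator not in username:
        return None, username
    surrogate, _, primary = username.partition(separator)
    return surrogate, primary


def resolve_login(username: str, primary_password_ok: bool,
                  surrogate_map: Dict[str, Set[str]]) -> dict:
    """Model the surrogate decision: which principal the session is issued for,
    plus the audit WHO line. primary_password_ok stands in for the primary
    user's own credential check; the target's password is never involved.
    """
    surrogate, primary = split_credential(username)
    if not primary_password_ok:
        return {"status": "AUTHENTICATION_FAILED", "principal": None,
                "audit": f"WHO: [{primary}]"}
    if surrogate is None:  # ordinary login, no impersonation requested
        return {"status": "AUTHENTICATION_SUCCESS", "principal": primary,
                "audit": f"WHO: [{primary}]"}
    allowed = surrogate_map.get(primary, set())
    if surrogate == "":  # '+primary': list eligible targets, issue no ticket yet
        return {"status": "SURROGATE_SELECTION", "principal": None,
                "eligible": sorted(allowed), "audit": f"WHO: [{primary}]"}
    if surrogate not in allowed:  # authenticated, but not authorized for this target
        return {"status": "SURROGATE_AUTHORIZATION_DENIED", "principal": None,
                "audit": f"WHO: (Real user: [{primary}], Surrogate user: [{surrogate}])"}
    return {"status": "AUTHENTICATION_SUCCESS", "principal": surrogate,
            "audit": f"WHO: (Real user: [{primary}], Surrogate user: [{surrogate}])"}
```

The audit string separates the real user from the surrogate, which is the detail Dirk's ISO wanted and the answer to Matt's non-repudiation concern: the log names who actually authenticated.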

Tepe, Dirk

Jan 22, 2019, 9:05:59 PM
to cas-...@apereo.org
Just to be clear, you did include 'cas-server-support-surrogate-webflow' in your dependencies, right? While you don't need the REST dependency, you do need that one.

-dirk

Brian Gibson

Jan 23, 2019, 9:12:52 AM
to cas-...@apereo.org, Tepe, Dirk

Hi Dirk,

Unfortunately when I add the "cas-server-support-surrogate-webflow" dependency to my pom.xml file I get the following error when I do "mvn clean package"

[ERROR] Failed to execute goal on project cas-overlay: Could not resolve dependencies for project org.apereo.cas:cas-overlay:war:1.0: Could not find artifact org.apereo.cas:cas-server-support-surrogate-webflow:jar:5.1.2 in sonatype-releases (http://oss.sonatype.org/content/repositories/releases/) -> [Help 1]
[ERROR]

From what I remember reading, the 5.1.x docs only mentioned the "cas-server-support-surrogate-authentication" dependency in the Surrogate setup directions and the other surrogate webflow and rest dependencies only started appearing (I think) in the 5.2 docs and above.

Tepe, Dirk

Jan 23, 2019, 9:27:03 AM
to Brian Gibson, cas-...@apereo.org
Ah, sorry. I overlooked the fact that you are on 5.1. We're on 5.3 and I would expect the configuration you described to work. I unfortunately can't speak to the 5.1 release.

Your log entry indicates the surrogate auth is successful. Do you have an application in which you can enable CAS debugging and dump the result of the validation? You might also set the CAS log to DEBUG and see if that provides anything useful.

-dirk

Aditi Deshmukh

Aug 17, 2020, 8:45:18 AM
to CAS Community
Dirk,

Does attribute release still work for you after including impersonation? It breaks for us after including surrogate-webflow for CAS 5.3.5. If it works, could you tell me what changes are needed?

Thanks

Aditi