Surrogate Authentication - CAS 5.2.6


Aaron J.

Aug 15, 2018, 12:55:11 PM
to CAS Community
I am having trouble limiting the accounts that a user can log in to as a surrogate.

I want to restrict eligible surrogates to a list based on membership in an LDAP group.

The following properties work great when using the GUI method to select surrogates.

However, when I use the Preselected method I am allowed to surrogate as any valid user, which should not be allowed.

Any help would be greatly appreciated. Thanks.

pom.xml

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-surrogate-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-surrogate-authentication-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

cas.properties

cas.authn.surrogate.separator=+
cas.authn.surrogate.ldap.ldapUrl=ldaps://<my ldap server>
cas.authn.surrogate.ldap.bindDn=<my ldap user>
cas.authn.surrogate.ldap.bindCredential=<my ldap password>
cas.authn.surrogate.ldap.baseDn=<my base dn>
cas.authn.surrogate.ldap.subtreeSearch=true
cas.authn.surrogate.ldap.searchFilter=cn={user}
cas.authn.surrogate.ldap.surrogateSearchFilter=cn={user}
cas.authn.surrogate.ldap.memberAttributeName=groupMembership
cas.authn.surrogate.ldap.memberAttributeValueRegex=cn=(?:Group1|Group2)...(.*),ou=groups,o=domain
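The behaviour the post expects, as an added stand-alone model and not CAS's own code: a single eligibility check derived from the group-membership regex that guards both the GUI selection and the preselected "primary+surrogate" form, so the separator path cannot reach accounts the GUI path would hide. The directory contents, the "-" that replaces the poster's "..." placeholder, and the reading of the capture group as the eligible account name are all constructed assumptions for this model.

```python
import re
from typing import Optional

# Constructed: the poster's regex with its "..." placeholder replaced by a
# literal "-" so that the capture group yields an account name.
MEMBER_ATTRIBUTE_VALUE_REGEX = r"cn=(?:Group1|Group2)-(.*),ou=groups,o=domain"
SEPARATOR = "+"  # cas.authn.surrogate.separator from the post

# Constructed stand-in for the LDAP directory: account -> groupMembership values.
DIRECTORY = {
    "admin": [
        "cn=Group1-alice,ou=groups,o=domain",
        "cn=Group2-bob,ou=groups,o=domain",
        "cn=Staff,ou=groups,o=domain",  # no match: grants no surrogate
    ],
    "alice": [],
    "bob": [],
    "carol": [],  # a valid account that admin must NOT be able to impersonate
}


def eligible_surrogates(primary: str) -> set:
    """Apply the member-value regex to the primary's groupMembership values.
    In this model the capture group names the account that may be impersonated."""
    pattern = re.compile(MEMBER_ATTRIBUTE_VALUE_REGEX)
    found = set()
    for value in DIRECTORY.get(primary, []):
        match = pattern.fullmatch(value)
        if match:
            found.add(match.group(1))
    return found


def can_authenticate_as(surrogate: str, primary: str) -> bool:
    """The one check both login paths must share: surrogate exists AND is eligible."""
    return surrogate in DIRECTORY and surrogate in eligible_surrogates(primary)


def resolve_login(username: str, selected: Optional[str] = None) -> Optional[str]:
    """Return the effective principal, or None when the login is refused.
    Preselected form: 'admin+bob'. GUI form: username plus the selected account."""
    if SEPARATOR in username:
        primary, surrogate = username.split(SEPARATOR, 1)
    else:
        primary, surrogate = username, selected
    if primary not in DIRECTORY:
        return None
    if surrogate is None:
        return primary  # ordinary login, no impersonation requested
    return surrogate if can_authenticate_as(surrogate, primary) else None
```

Running the same predicate on the preselected path is what makes "admin+carol" fail even though carol is a valid account.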

