[Cas 6.0.7] Surrogate attributes are lost when account is selected in GUI mode


Michele Melluso

Dec 5, 2019, 10:38:09 AM
to CAS Community
Hi all,

I'm trying to implement surrogate authentication on CAS 6.0.7 with account selection in both preselected and GUI mode.
I actually manage to authenticate in both modes, but with GUI account selection mode the surrogate attributes are lost.


With preselection mode (correct):

WHO: (Primary User: [[myoperator, myoperator]], Surrogate User: [[mycustomer, mycustomer]])
WHAT: TGT-2-*****EtKSM5O9Bc-myhost-local
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Dec 05 15:44:18 CET 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1

With GUI mode (wrong):
=============================================================
WHO: myoperator
WHAT: Supplied credentials: [UsernamePasswordCredential(username=myoperator, source=null)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Dec 05 15:56:09 CET 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

2019-12-05 15:56:26,724 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: mycustomer
WHAT: TGT-4-*****92QlWz5Vs4-myhost-local
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Dec 05 15:56:26 CET 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

Turning on debug logging, there is no significant difference:
1) Attributes seem to be merged correctly ( DEBUG [org.apereo.cas.authentication.CoreAuthenticationUtils] - <Merged attributes with the final result as [{iduser=[myoperatorid, mycustomerid],)
2) the principal is always nominated as mycustomer


Accounts are stored using JDBC and tickets are exported as JWT.


Any idea how I can get the surrogate attributes exported when using GUI mode too?
Thanks in advance

Michele


Andy Ng

Dec 6, 2019, 9:03:45 AM
to CAS Community
Hi Michele,

I have set up a surrogate authentication demo in my testing Docker environment; I tried both CAS versions 6.0.7 and 6.1.2, and the surrogate attribute seems to be working just fine.

I don't want to set up the exact same config as yours, since it might take some time. Instead, I used the following setup:
- Static Authentication
- JSON Attribute Storage
- JSON Surrogate Authentication mapping
- PHPCas Client

I have the following account setup:
- Username: surrogate-admin, Attribute: name = Surrogate Admin
- Username: surrogate-user, Attribute: name = Surrogate User
- And surrogate-admin and surrogate-user are in a surrogate relationship.

The result in the testing environment is that:
After logging in as surrogate-user using surrogate-admin's credentials, my client shows the correct attributes (Surrogate User).



Is the above similar to what you want to achieve? Or by "surrogate attribute" do you have a different vision of how the attribute should be retrieved?

I will paste some of my config below so you can have a look if you like:
-------------------------------------------------------------------------------------------------------------------------------------------------------
cas.yml
cas.authn.accept.users: surrogate-admin::Mellon,surrogate-user::Mellon,surrogate-user2::Mellon

cas.authn.surrogate.json.location: file://${RESOURCE_PATH}/${PROTOCOL_SURROGATE_AUTHENTICATION_PATH}/surrogate.json
cas.authn.attributeRepository.json:
- location: file://${RESOURCE_PATH}/${PROTOCOL_SURROGATE_AUTHENTICATION_PATH}/surrogate-attributes.json


surrogate-attributes.json
{
  "surrogate-user": {
    "name": ["Surrogate User"]
  },
  "surrogate-user2": {
    "name": ["Surrogate User2"]
  },
  "surrogate-admin": {
    "name": ["Surrogate Admin"]
  }
}

surrogate.json
{
  "surrogate-admin": ["surrogate-user", "surrogate-user2"]
}


And I log in using the following 2 methods:
    - GUI mode: `+surrogate-admin` as username, `Mellon` as password. Then select my surrogate target.
    - preselection mode: `surrogate-admin+surrogate-user` as username, `Mellon` as password.


See if the above helps...


Cheers!
- Andy


Michele Melluso

Dec 9, 2019, 3:29:39 AM
to CAS Community
Hi Andy,

I did set up my environment like yours and I also receive the surrogate user attributes.

My problem is about these:

In both methods I correctly receive the surrogate user attributes,
but only in preselection mode do I receive the surrogate principal ones.

I tried with your suggested JSON conf in both CAS 6.0 and 6.2 versions.

Thanks again
Michele

Andy Ng

Dec 9, 2019, 8:09:13 PM
to CAS Community
Hi Michele,

I see, you are talking about not being able to receive the principal attribute.

Kind of busy these days; when I'm free I will take a look into it.

- Andy

Michele Melluso

Feb 21, 2020, 1:13:13 PM
to CAS Community
Hi Andy,

did you manage to have a look at the issue? Now I'm on it again and I'm debugging, looking for a solution.

Thanks again for your time
Michele

Andy Ng

Feb 22, 2020, 11:59:59 PM
to CAS Community
Hi Michele,

I recall I spent a few hours looking into and testing this issue, and didn't make any meaningful progress, so I stopped my research.

Sorry to disappoint; let's see if others in the community have more ideas on this issue...

Cheers!
- Andy


Michele Melluso

Feb 28, 2020, 5:56:59 AM
to CAS Community
Hi Andy,

finally I found it out:

the principal attributes are not added because this class is not triggered:

SurrogateAuthenticationMetaDataPopulator.java

I tried to fix it and create a pull request by acting on SurrogateInitialAuthenticationAction.java, but then I had to modify the webflow and SurrogateAuthenticationPostProcessor.java,
and I didn't find any acceptable solution.

I ended up with a quick and dirty solution consisting of adding the authentication attributes afterwards:

SurrogatePrincipalBuilder.java

// Record the surrogate session on the authentication itself, which is what
// SurrogateAuthenticationMetaDataPopulator does when it is triggered.
// Primary user who actually presented credentials:
authentication.getAttributes().put(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL, authentication.getPrincipal().getId());
// Surrogate user being impersonated:
authentication.getAttributes().put(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_USER, surrogatePrincipal.getId());
// Flag so downstream consumers (tickets, JWT export, audit) can tell this is a surrogate session:
authentication.getAttributes().put(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_ENABLED, Boolean.TRUE.toString());

just in case anyone else may need it.

Thank you again for your time
Regards
Michele
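The accountability problem in this thread is visible in the audit trail: in GUI mode the ticket is issued to the surrogate (mycustomer) while the operator (myoperator) who actually authenticated is only named in the earlier AUTHENTICATION_SUCCESS record. The following added example, which is not code from the thread or from CAS, parses inspektr audit records in the format shown above and flags ticket-granting tickets whose WHO field names no primary user even though a different user presented the credentials from the same client IP; the sample records are constructed from the ones posted above.

```python
import re

# Constructed sample in the inspektr audit format from the thread (some fields dropped).
SAMPLE_AUDIT = """\
=============================================================
WHO: (Primary User: [[myoperator, myoperator]], Surrogate User: [[mycustomer, mycustomer]])
WHAT: TGT-2-*****EtKSM5O9Bc-myhost-local
ACTION: TICKET_GRANTING_TICKET_CREATED
CLIENT IP ADDRESS: 127.0.0.1
=============================================================
WHO: myoperator
WHAT: Supplied credentials: [UsernamePasswordCredential(username=myoperator, source=null)]
ACTION: AUTHENTICATION_SUCCESS
CLIENT IP ADDRESS: 127.0.0.1
=============================================================
WHO: mycustomer
WHAT: TGT-4-*****92QlWz5Vs4-myhost-local
ACTION: TICKET_GRANTING_TICKET_CREATED
CLIENT IP ADDRESS: 127.0.0.1
=============================================================
"""

# WHO field of a properly attributed surrogate TGT (preselection mode in the thread).
SURROGATE_WHO = re.compile(r"Primary User: \[\[([^,\]]+),.*Surrogate User: \[\[([^,\]]+),")

def parse_audit_records(text):
    """Split inspektr audit output on its ==== separator lines into key/value dicts."""
    chunks = re.split(r"^=+[ \t]*$", text, flags=re.MULTILINE)
    records = [dict(ln.split(": ", 1) for ln in c.splitlines() if ": " in ln) for c in chunks]
    return [r for r in records if r]

def tgt_actors(record):
    """Return (effective principal, primary user or None) from a TGT record's WHO field."""
    match = SURROGATE_WHO.search(record["WHO"])
    return (match.group(2), match.group(1)) if match else (record["WHO"], None)

def find_unattributed_surrogate_tgts(records):
    """Flag TGTs issued to someone other than the last AUTHENTICATION_SUCCESS user from the
    same client IP while WHO names no primary user: the operator is missing from the ticket."""
    last_auth, findings = {}, []  # last_auth: client IP -> user who presented credentials
    for rec in records:
        ip, action = rec.get("CLIENT IP ADDRESS", ""), rec.get("ACTION")
        if action == "AUTHENTICATION_SUCCESS":
            last_auth[ip] = rec["WHO"]
        elif action == "TICKET_GRANTING_TICKET_CREATED":
            principal, primary = tgt_actors(rec)
            authenticated = last_auth.get(ip)
            if primary is None and authenticated and authenticated != principal:
                findings.append((rec["WHAT"], authenticated, principal))
    return findings
```

Run against the sample, the first (preselection) ticket passes because its WHO field carries both users, while TGT-4 is reported with myoperator as the authenticated user and mycustomer as the ticket principal.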