So, I'll preface this with the understanding that Impersonation (surrogate) is a 'development' feature, but I figured I would still try and reach out to understand the situation.
Working with CAS 6.6.0, when I try and enable Impersonation and Simple MFA, impersonation breaks.
Details:
Working with a stock 6.6.0 overlay and a custom cas.properties, if I disable the MFA trigger, impersonation works as intended (both via selection screen and via user1+user2 on login).
As soon as I enable the MFA trigger:
cas.authn.mfa.triggers.global.global-provider-id=mfa-simple
... then I get one of two problems happening:
1) Using the impersonation menu (e.g. +username)
When I attempt this, I get the MFA flow for the principal user, and it skips the impersonation selection screen. Login works, no impersonation allowed.
2) Using the login name (e.g. surrogateuser+principaluser)
When I attempt this, the MFA validation fails with the following error:
2022-09-21 10:43:13,779 WARN [org.apereo.cas.mfa.simple.validation.DefaultCasSimpleMultifactorAuthenticationService] - <Principal assigned to token [principaluser] is unauthorized for token [CASMFA-######]>
2022-09-21 10:43:13,811 ERROR [org.apereo.cas.mfa.simple.CasSimpleMultifactorAuthenticationHandler] - <Failed to authenticate code CASMFA-######
DefaultCasSimpleMultifactorAuthenticationService.java:validate:76
CasSimpleMultifactorAuthenticationHandler.java:doAuthentication:63
AbstractPreAndPostProcessingAuthenticationHandler.java:authenticate:47
>
Of these two errors, my biggest priority would be getting #1 working. Anyone else have any luck getting impersonation to work with MFA?
Thanks,
Chip Nurmi
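As an added example (not part of the post above and not CAS project code), the following Python snippet parses CAS log lines in the format the post quotes and flags the "Principal assigned to token [...] is unauthorized for token [...]" WARN together with the matching "Failed to authenticate code" ERROR. Whether the cause is the impersonation/MFA interaction described here or someone submitting a code that was never issued to their principal, a defender running CAS wants these mismatches surfaced and counted per principal rather than buried between stack-trace lines. The sample log text, the `CASMFA-123456`-style token values and the unrelated INFO line are all constructed for the example; the logger names and message wording come from the post.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (same shape as the lines quoted in the post; token values are made up).
SAMPLE_LOG = """\
2022-09-21 10:43:13,779 WARN [org.apereo.cas.mfa.simple.validation.DefaultCasSimpleMultifactorAuthenticationService] - <Principal assigned to token [principaluser] is unauthorized for token [CASMFA-123456]>
2022-09-21 10:43:13,811 ERROR [org.apereo.cas.mfa.simple.CasSimpleMultifactorAuthenticationHandler] - <Failed to authenticate code CASMFA-123456
DefaultCasSimpleMultifactorAuthenticationService.java:validate:76
CasSimpleMultifactorAuthenticationHandler.java:doAuthentication:63
AbstractPreAndPostProcessingAuthenticationHandler.java:authenticate:47
>
2022-09-21 10:44:02,100 INFO [org.apereo.cas.example.Constructed] - <unrelated constructed line, must be ignored>
2022-09-21 10:45:13,000 WARN [org.apereo.cas.mfa.simple.validation.DefaultCasSimpleMultifactorAuthenticationService] - <Principal assigned to token [principaluser] is unauthorized for token [CASMFA-777777]>
2022-09-21 10:46:00,500 WARN [org.apereo.cas.mfa.simple.validation.DefaultCasSimpleMultifactorAuthenticationService] - <Principal assigned to token [otheruser] is unauthorized for token [CASMFA-999999]>
"""

# Generic CAS log line: "<timestamp> <LEVEL> [<logger>] - <message>".
# Stack-trace continuation lines (no timestamp) deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
# WARN emitted by DefaultCasSimpleMultifactorAuthenticationService (wording from the post).
MISMATCH_RE = re.compile(
    r"Principal assigned to token \[(?P<principal>[^\]]+)\] "
    r"is unauthorized for token \[(?P<token>[^\]]+)\]"
)
# ERROR emitted by CasSimpleMultifactorAuthenticationHandler (wording from the post).
FAILED_RE = re.compile(r"Failed to authenticate code (?P<token>CASMFA-[A-Za-z0-9]+)")


@dataclass
class TokenMismatch:
    timestamp: str
    principal: str   # principal the token was issued to, per the WARN line
    token: str       # the rejected MFA token id
    failed_code: bool = False  # True once a matching ERROR line is seen for this token


def find_token_mismatches(log_text: str) -> list[TokenMismatch]:
    """Return every principal/token mismatch, correlating the follow-up ERROR by token id."""
    mismatches: list[TokenMismatch] = []
    by_token: dict[str, TokenMismatch] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack-trace lines, blank lines, the lone ">" terminator
        msg = m.group("msg")
        mm = MISMATCH_RE.search(msg)
        if mm:
            ev = TokenMismatch(m.group("ts"), mm.group("principal"), mm.group("token"))
            mismatches.append(ev)
            by_token[ev.token] = ev
            continue
        fm = FAILED_RE.search(msg)
        if fm and fm.group("token") in by_token:
            by_token[fm.group("token")].failed_code = True
    return mismatches


def mismatches_per_principal(log_text: str) -> dict[str, int]:
    """Count mismatches by the principal the token was issued to."""
    return dict(Counter(ev.principal for ev in find_token_mismatches(log_text)))


def principals_over_threshold(log_text: str, threshold: int = 3) -> list[str]:
    """Principals whose mismatch count reaches the threshold, for alerting."""
    counts = mismatches_per_principal(log_text)
    return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ev in find_token_mismatches(SAMPLE_LOG):
        print(f"{ev.timestamp} principal={ev.principal} token={ev.token} code_failed={ev.failed_code}")
    print("per principal:", mismatches_per_principal(SAMPLE_LOG))
    print("over threshold(2):", principals_over_threshold(SAMPLE_LOG, 2))
```

Run it over a real `cas.log` by replacing `SAMPLE_LOG` with the file contents; the threshold function is the piece to wire into whatever alerting you already have, and the `failed_code` flag tells you whether the mismatch actually ended in a rejected login rather than only a warning.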