CAS 7.3.4 + Entra + Surrogate

[Oscar William]

Hello,

I am building a new CAS server since our old one is on version 5.3.

We are going to have a single service, which is Google Workspace.

We are using DUO MFA for now, but are not going to renew licenses, which ends this month. Because of this, we decided to authenticate on Entra, having the MFA capability for users.

I am able to authenticate on Entra, but I don't get the account impersonation selection after logging in.

I've tested it on LDAP authentication and it works fine.

My question is, is it possible to have this authentication flow?

User access CAS -> CAS redirects to Entra -> User logs in -> Redirect back to CAS showing the list of accounts available for impersonation -> Select the account and login to Google Workspace.

I'm having big trouble trying to make this work, I am GPTing and Geminiying a lot, but got multiple errors.

If I can get a direction, I appreciate it a lot.

Thank you,

[Ray Bon]

Oscar,

I have found that with LDAP authn, the principal and the surrogate have to be in the same ldap search tree. 

It is possible that there is a general expectation that principal and surrogate exist in the same authn source (though I am not sure how that would work with delegated authn).

I changed one line in SurrogateLdapAuthenticationService.java to scan all ldap trees (the code was already in the class, it just was not being used).

Does Entra MFA only apply to the Entra login, or can it be accessed after authn; like Duo?

Does Entra offer a surrogate capability?

Ray

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Oscar William <kaka...@gmail.com>
Sent: March 4, 2026 07:53
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] CAS 7.3.4 + Entra + Surrogate

 

You don't often get email from kaka...@gmail.com. Learn why this is important

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ec4d9be5-f30f-4de9-be6c-428081157e29n%40apereo.org.

[Drew Northup]

Ray,
We're implementing delegation to Entra here as well, but we've not gotten into the whole Impersonation functionality (and what controls would need to be imposed around it), so I can't answer for that part.

On Wednesday, March 4, 2026 at 2:59:58 PM UTC-5 Ray Bon wrote:

....

 

Does Entra MFA only apply to the Entra login, or can it be accessed after authn; like Duo?

The MFA functionality, even when still using Duo (for Entra), becomes integrated into the EntraID login experience from the user's perspective. CAS does not do a second call for the MFA in that case, but it does get back the "http://schemas.microsoft.com/claims/authnmethodsreferences" attribute from Entra, which CAS could be programed to ingest and check for a value of "http://schemas.microsoft.com/claims/multipleauthn" (it is a mult-valued attribute). I looked and it does not appear that there is currently a way of using it in CAS however, and it is unlikely that EntraID will pass that back as a proper ACR via SAML2 delegation (which CAS can apparently ingest today).

 

Does Entra offer a surrogate capability?

It appears that does exist, but I have no idea what the limitations and caveats are.