Surrogate authentication failing

Tepe, Dirk

Sep 10, 2018, 10:33:27 AM
to cas-...@apereo.org
We're interested in using surrogate authentication for some support staff. I had done a quick proof-of-concept under CAS 5.2.x a while ago, enough to demonstrate it worked. We are now working with 5.3.3 and starting to build the actual functionality, but are running into a problem. I'm using a static entry in the cas.properties file and have removed several dependencies added since the POC.

Some relevant snippets from the log are included below. I have run this with DEBUG and did not see anything immediately more helpful.

You can see that the surrogate authorization is actually successful in the first chunk and the service ticket is successfully validated. The problem appears to be in the building of the validation response. It looks like surrogate authentication changes at least one of the credential attributes from a string to a hash and causes this problem.

This seems somewhat similar to another thread related to the MFA bypass functionality giving an INVALID_AUTHENTICATION_CONTEXT error, also when building the response after successful service ticket validation.

Has anyone dealt with this type of issue?

Thanks,

-dirk

2018-09-10 14:09:38,399 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"(Primary User: [[v*****]], Surrogate User: [[t*****]])","what":"[result=Service Access Granted,service=https://web.test/duo-validator/duo,requiredAttributes={}]","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Mon Sep 10 14:09:38 UTC 2018","clientIpAddress":"192.168.34.1","serverIpAddress":"192.168.34.120"}>
2018-09-10 14:09:38,436 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-1-UHQvQ88buWL-FRkdZBgbQxX0N78cas-1] for service [https://web.test/duo-validator/duo] and principal [t*****]>
2018-09-10 14:09:38,442 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"(Primary User: [[v*****]], Surrogate User: [[t*****]])","what":"ST-1-UHQvQ88buWL-FRkdZBgbQxX0N78cas-1 for https://web.test/duo-validator/duo","action":"SERVICE_TICKET_CREATED","application":"CAS","when":"Mon Sep 10 14:09:38 UTC 2018","clientIpAddress":"192.168.34.1","serverIpAddress":"192.168.34.120"}>
...
2018-09-10 14:09:41,886 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"(Primary User: [[v*****]], Surrogate User: [[t****]])","what":"ST-1-UHQvQ88buWL-FRkdZBgbQxX0N78cas-1","action":"SERVICE_TICKET_VALIDATED","application":"CAS","when":"Mon Sep 10 14:09:41 UTC 2018","clientIpAddress":"192.168.34.10","serverIpAddress":"192.168.34.120"}>
2018-09-10 14:09:41,944 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is java.lang.ClassCastException: java.util.LinkedHashSet cannot be cast to java.lang.String] with root cause>
java.lang.ClassCastException: java.util.LinkedHashSet cannot be cast to java.lang.String
  at org.apereo.cas.services.web.view.AbstractCasView.getAuthenticationAttribute(AbstractCasView.java:160) ~[cas-server-core-web-api-5.3.3.jar!/:5.3.3]
  at org.apereo.cas.services.web.view.AbstractCasView.decideIfCredentialPasswordShouldBeReleasedAsAttribute(AbstractCasView.java:309) ~[cas-server-core-web-api-5.3.3.jar!/:5.3.3]
  at org.apereo.cas.web.view.Cas30ResponseView.prepareMergedOutputModel(Cas30ResponseView.java:73) ~[cas-server-support-validation-5.3.3.jar!/:5.3.3]
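The stack trace above fails on a direct cast of an authentication attribute to String once that attribute arrives as a LinkedHashSet. The following stand-alone Java program is an added illustration, not CAS code and not from the original post: it reproduces the two attribute shapes with constructed maps (the attribute name `credentialType` is a hypothetical placeholder) and contrasts the naive cast with a tolerant accessor that unwraps a single-valued collection and fails with a clear message when the attribute is genuinely multi-valued.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative example (not CAS code): why a direct String cast of an
 * authentication attribute breaks when the attribute is wrapped in a
 * collection, and a tolerant accessor that copes with both shapes.
 */
public class AttributeShapeExample {

    // Mirrors the failing cast seen in the trace: assumes the value is a String.
    static String getAttributeNaive(Map<String, Object> attributes, String name) {
        return (String) attributes.get(name); // ClassCastException when the value is a Set
    }

    // Tolerant accessor: returns the sole element of a single-valued collection,
    // null for absent/empty values, and refuses ambiguous multi-valued attributes.
    static String getAttributeSingle(Map<String, Object> attributes, String name) {
        Object value = attributes.get(name);
        if (value == null) {
            return null;
        }
        if (value instanceof Collection) {
            Collection<?> values = (Collection<?>) value;
            if (values.isEmpty()) {
                return null;
            }
            if (values.size() > 1) {
                throw new IllegalStateException(
                    "Attribute [" + name + "] is multi-valued, expected one value: " + values);
            }
            return String.valueOf(values.iterator().next());
        }
        return String.valueOf(value);
    }

    public static void main(String[] args) {
        // Constructed sample data. "credentialType" is a hypothetical attribute name;
        // the first map carries a plain String, the second the same value inside a
        // LinkedHashSet, which is the shape the ClassCastException in the trace reports.
        Map<String, Object> plain = new LinkedHashMap<>();
        plain.put("credentialType", "UsernamePasswordCredential");

        Map<String, Object> wrapped = new LinkedHashMap<>();
        Set<String> set = new LinkedHashSet<>();
        set.add("UsernamePasswordCredential");
        wrapped.put("credentialType", set);

        System.out.println("naive/plain:    " + getAttributeNaive(plain, "credentialType"));
        try {
            System.out.println("naive/wrapped:  " + getAttributeNaive(wrapped, "credentialType"));
        } catch (ClassCastException e) {
            // Same failure class as the one logged by the validation view.
            System.out.println("naive/wrapped:  ClassCastException: " + e.getMessage());
        }
        System.out.println("single/plain:   " + getAttributeSingle(plain, "credentialType"));
        System.out.println("single/wrapped: " + getAttributeSingle(wrapped, "credentialType"));
    }
}
```

Compile and run with `javac AttributeShapeExample.java && java AttributeShapeExample`. The point for a reviewer of a validation path is that attribute values released to a response should be normalised to a known shape before any cast; the tolerant accessor makes the single-valued case work and turns a silently wrong multi-valued case into an explicit error rather than leaking or mis-rendering it.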
