CAS 7.3.4 + Entra + Surrogate
71 views
Skip to first unread message
Oscar William
Mar 4, 2026, 11:53:16 AM (2 days ago) Mar 4
to CAS Community
Hello,
We are going to have a single service, which is Google Workspace.
We are using DUO MFA for now, but are not going to renew licenses, which ends this month. Because of this, we decided to authenticate on Entra, having the MFA capability for users.
I am able to authenticate on Entra, but I don't get the account impersonation selection after logging in.
I've tested it on LDAP authentication and it works fine.
My question is, is it possible to have this authentication flow?
User access CAS -> CAS redirects to Entra -> User logs in -> Redirect back to CAS showing the list of accounts available for impersonation -> Select the account and login to Google Workspace.
I'm having big trouble trying to make this work, I am GPTing and Geminiying a lot, but got multiple errors.
I'm having big trouble trying to make this work, I am GPTing and Geminiying a lot, but got multiple errors.
If I can get a direction, I appreciate it a lot.
Thank you,
Ray Bon
Mar 4, 2026, 2:59:58 PM (2 days ago) Mar 4
to cas-...@apereo.org
Oscar,
I have found that with LDAP authn, the principal and the surrogate have to be in the same ldap search tree.
It is possible that there is a general expectation that principal and surrogate exist in the same authn source (though I am not sure how that would work with delegated authn).
I changed one line in SurrogateLdapAuthenticationService.java to scan all ldap trees (the code was already in the class, it just was not being used).
Does Entra MFA only apply to the Entra login, or can it be accessed after authn; like Duo?
Does Entra offer a surrogate capability?
Ray
From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Oscar William <kaka...@gmail.com>
Sent: March 4, 2026 07:53
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] CAS 7.3.4 + Entra + Surrogate
Sent: March 4, 2026 07:53
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] CAS 7.3.4 + Entra + Surrogate
|
You don't often get email from kaka...@gmail.com.
Learn why this is important
|
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ec4d9be5-f30f-4de9-be6c-428081157e29n%40apereo.org.
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ec4d9be5-f30f-4de9-be6c-428081157e29n%40apereo.org.
Reply all
Reply to author
Forward
0 new messages