Issue with CAS6 DuoUniversalPrompt + Surrogate Login
We are currently testing out CAS 6.3 and have found an issue with Surrogate Login support if using the new Duo Universal Prompt support.
Surrogate Login support works by creating a SurrogateUsername Credential object in the Spring “login” webflow. With the legacy Duo (and other MFA) support, MFA authentication happens in a separate sub flow of the “login” flow. Once MFA is successful,
control is passed back to the login flow, where the Surrogate credential is found by the loadSurrogateAction and checked for authorization. If authorized, the surrogate username is swapped to the principal username, and surrogate login succeeds.
With the new Duo Universal Prompt, control is passed from CAS to Duo for MFA, and when passed back to CAS, a
new login flow is created, where the Duo authentication is verified and finished. Unfortunately, because it’s a new login flow, the Surrogate credential is gone, so the loadSurrogateAction doesn’t see it, and the user ends up logging in as themselves,
rather than the surrogate user.
I dug into the source code and the fix for this seems non-trivial. Off the top of my head, I can see two options:
- Rewrite the Surrogate plugin to rely on attributes being passed along rather than a credential object
- Rewrite the new Universal Prompt to work as a sub flow and restore the previous login flow from saved state.
I was wondering if any other schools had faced this issue yet, and whether the CAS PMC has this on their radar as something that needs fixing?
Steve Hillman IT Architect | IT Services SH1032 | Simon Fraser University 8888 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.3960 | M: 604.306.3366