Issue with CAS6 DuoUniversalPrompt + Surrogate Login

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Issue with CAS6 DuoUniversalPrompt + Surrogate Login

Steve Hillman
Hi folks,
  We are currently testing out CAS 6.3 and have found an issue with Surrogate Login support if using the new Duo Universal Prompt support.

Surrogate Login support works by creating a SurrogateUsername Credential object in the Spring “login” webflow. With the legacy Duo (and other MFA) support, MFA authentication happens in a separate sub flow of the “login” flow. Once MFA is successful, control is passed back to the login flow, where the Surrogate credential is found by the loadSurrogateAction and checked for authorization. If authorized, the surrogate username is swapped to the principal username, and surrogate login succeeds.

With the new Duo Universal Prompt, control is passed from CAS to Duo for MFA, and when passed back to CAS, a new login flow is created, where the Duo authentication is verified and finished. Unfortunately, because it’s a new login flow, the Surrogate credential is gone, so the loadSurrogateAction doesn’t see it, and the user ends up logging in as themselves, rather than the surrogate user.

I dug into the source code and the fix for this seems non-trivial. Off the top of my head, I can see two options:
 - Rewrite the Surrogate plugin to rely on attributes being passed along rather than a credential object
 - Rewrite the new Universal Prompt to work as a sub flow and restore the previous login flow from saved state.

I was wondering if any other schools had faced this issue yet, and whether the CAS PMC has this on their radar as something that needs fixing?


Steve Hillman 
IT Architect | IT Services
SH1032 | Simon Fraser University 
8888 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.3960 | M: 604.306.3366 
Twitter: @sfu_it

You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit