I'm trying to configure surrogate authentication on a CAS 5.3.4 using LDAP as the backend for both normal and surrogate authentication. While I've managed to get it to work (it's possible to log on as another user), I'm having problems with the attribute resolution.
Here is the configuration for the main authentication:

cas.authn.ldap[0].name: LDAP
cas.authn.ldap[0].type: ANONYMOUS
cas.authn.ldap[0].poolPassivator: NONE
cas.authn.ldap[0].ldapUrl: ldaps://ldap.agrocampus-ouest.fr
cas.authn.ldap[0].connectionStrategy: ROUND_ROBIN
cas.authn.ldap[0].baseDn: ou=people,dc=agrocampus-ouest,dc=fr
cas.authn.ldap[0].subtreeSearch: false
cas.authn.ldap[0].validator.type: SEARCH
cas.authn.ldap[0].validator.baseDn: dc=agrocampus-ouest,dc=fr
cas.authn.ldap[0].validator.searchFilter: (ou=people)
cas.authn.ldap[0].validator.scope: ONELEVEL
cas.authn.ldap[0].searchFilter: (|(uid={user})(mail={user})(eduPersonPrincipalName={user}))

The configuration for the surrogates is:

cas.authn.surrogate.ldap.name: LDAP Surrogates
cas.authn.surrogate.ldap.baseDn: ou=people,dc=agrocampus-ouest,dc=fr
cas.authn.surrogate.ldap.poolPassivator: NONE
cas.authn.surrogate.ldap.ldapUrl: ldaps://ldap.agrocampus-ouest.fr
cas.authn.surrogate.ldap.connectionStrategy: ROUND_ROBIN
cas.authn.surrogate.ldap.validator.type: SEARCH
cas.authn.surrogate.ldap.validator.baseDn: dc=agrocampus-ouest,dc=fr
cas.authn.surrogate.ldap.validator.searchFilter: (ou=people)
cas.authn.surrogate.ldap.validator.scope: ONELEVEL
cas.authn.surrogate.ldap.memberAttributeName: uid
cas.authn.surrogate.ldap.memberAttributeValueRegex: .*
cas.authn.surrogate.ldap.surrogateSearchFilter: (&(uid={user})(memberOf=cn=dsi,ou=groups,dc=agrocampus-ouest,dc=fr))

Finally, I have the following configuration for the attribute repository:

cas.personDirectory.principalAttribute: uid
cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://ldap.agrocampus-ouest.fr
cas.authn.attributeRepository.ldap[0].poolPassivator: NONE
cas.authn.attributeRepository.ldap[0].connectionStrategy: ROUND_ROBIN
cas.authn.attributeRepository.ldap[0].searchFilter: (|(uid={0})(mail={0})(eduPersonPrincipalName={0}))
cas.authn.attributeRepository.ldap[0].validator.type: SEARCH
cas.authn.attributeRepository.ldap[0].validator.baseDn: dc=agrocampus-ouest,dc=fr
cas.authn.attributeRepository.ldap[0].validator.searchFilter: (ou=people)
cas.authn.attributeRepository.ldap[0].validator.scope: ONELEVEL
cas.authn.attributeRepository.ldap[0].baseDn: ou=people,dc=agrocampus-ouest,dc=fr
cas.authn.attributeRepository.ldap[0].subtreeSearch: false
cas.authn.attributeRepository.ldap[0].attributes.memberOf: memberOf
# More attributes here

This configuration works well when authenticating users normally. However, when using surrogate authentication, the CAS server adds attributes from both the primary and surrogate principals, resulting in a principal with two UIDs, two givenNames, etc. For example:

2018-10-29 17:34:41,797 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Determined primary authentication principal to be [SimplePrincipal(id=ldurande, attributes={uid=[ebenoit, ldurande], [snip]

Does anyone have an idea of what the problem might be?

Thanks in advance.

LiOnel.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/377c734e-2985-4a92-89d3-f535aafc6519%40apereo.org.
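Editor's note (added example, not code from the post or from CAS): the DEBUG line above shows an attribute map that carries the values of both principals, so a downstream service that reads uid as a single value may silently pick the impersonator's uid (ebenoit) instead of the surrogate's (ldurande). The Python script below models that outcome. It merges two constructed attribute maps, one for the primary (impersonating) user and one for the surrogate, under three strategies named REPLACE, ADD and MULTIVALUED (the value names CAS documents for cas.authn.attributeRepository.merger; whether that setting governs the surrogate path in 5.3.4 is an assumption here and should be checked against the 5.3 docs), and it includes a check that flags identity attributes which end up multi-valued. The sample users, group DNs and the list of identity attributes are constructed for the illustration.

```python
"""Model of principal attribute merging during surrogate authentication.

Illustration only: this is not CAS code. It shows how the merge strategy
decides whose values survive when the primary and surrogate principals are
combined, and how to detect the "two uids" condition seen in the DEBUG log.
"""

# Constructed sample data (not real directory entries).
PRIMARY = {
    "uid": ["ebenoit"],
    "givenName": ["Emmanuel"],
    "memberOf": ["cn=dsi,ou=groups,dc=example,dc=org"],
}
SURROGATE = {
    "uid": ["ldurande"],
    "givenName": ["Lionel"],
    "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"],
}

# Attributes that must identify exactly one person (assumed list).
IDENTITY_ATTRIBUTES = ("uid", "mail", "eduPersonPrincipalName", "givenName", "sn")


def merge_attributes(base, incoming, strategy):
    """Merge two multi-valued attribute maps.

    REPLACE:     values from `incoming` overwrite those in `base`.
    ADD:         only attributes absent from `base` are taken from `incoming`.
    MULTIVALUED: values are unioned per attribute, order preserved.
    """
    merged = {name: list(values) for name, values in base.items()}
    for name, values in incoming.items():
        if strategy == "REPLACE":
            merged[name] = list(values)
        elif strategy == "ADD":
            merged.setdefault(name, list(values))
        elif strategy == "MULTIVALUED":
            current = merged.setdefault(name, [])
            for value in values:
                if value not in current:
                    current.append(value)
        else:
            raise ValueError(f"unknown merge strategy: {strategy}")
    return merged


def effective_identity(attrs, attribute="uid"):
    """What a service that treats `attribute` as single-valued would see."""
    values = attrs.get(attribute, [])
    return values[0] if values else None


def find_conflicts(attrs, identity_attributes=IDENTITY_ATTRIBUTES):
    """Return identity attributes that carry more than one value.

    A non-empty result means the released principal mixes two people.
    """
    return {
        name: list(values)
        for name, values in attrs.items()
        if name in identity_attributes and len(values) > 1
    }


def surrogate_principal(strategy):
    """Build the principal released for a surrogate session under `strategy`.

    The surrogate's attributes are merged into the primary's, which is the
    direction that reproduces uid=[ebenoit, ldurande] under MULTIVALUED.
    """
    return merge_attributes(PRIMARY, SURROGATE, strategy)


if __name__ == "__main__":
    for strategy in ("MULTIVALUED", "REPLACE", "ADD"):
        attrs = surrogate_principal(strategy)
        print(f"{strategy:12} uid seen by a scalar reader: {effective_identity(attrs)}")
        print(f"{'':12} conflicts: {find_conflicts(attrs)}")
```

Run against a real deployment, the useful part is find_conflicts: feed it the attribute map CAS actually releases to a service during a surrogate session, and treat any non-empty result as a release blocker, since a service keyed on uid cannot tell which of the two users it is authorising.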