WORKERS AHEAD!

You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.

Account Selection - Surrogate Authentication

The surrogate user selection can happen via the following ways.

This is the case where the surrogate user identity is known beforehand and is provided to CAS upon login using a special syntax. When entering credentials, the following syntax should be used:
```
1

[surrogate-userid][separator][primary-userid]
```
For example, if you are casuser and you need to switch to jsmith as the surrogate user, the credential id provided to CAS would be jsmith+casuser where the separator is + and can be altered via the CAS configuration. You will need to provide your own password of course.
This is the case where the surrogate user identity is not known beforehand, and you wish to choose the account from a pre-populated list. When entering credentials, the following syntax should be used:
```
1

[separator][primary-userid]
```
For example, if you are casuser and you need to locate the surrogate account to which you may want to switch, the credential id provided to CAS would be +casuser where the separator is + and can be altered via the CAS configuration. You will need to provide your own password of course.
The underlying account store can mark a primary impersonator account with special permissions and privileges to allow it to impersonate any other account. Accounts that are whitelisted and wildcarded in this strategy are not assigned a specific list of authorized impersonatees but instead are able to impersonate any other username without any restrictions or additional checks.

Usage Warning
Be careful with this strategy! Designating an account as a wildcard will disable any and all other checks on the surrogate/impersonatee account and CAS will completely back away from validating and verifying the requested surrogate account.

To designate an account as a wildcard, the account store must be able to return and provide a list of authorized impersonatee accounts for the primary user with * as the only entry in the list, indicating the primary user is authorized to impersonate anyone. Also, note that account selection using a GUI approach is disabled and turned off for wildcarded accounts. The primary user tagged as a wildcard must begin the impersonation flow using the Preselected approach with a known surrogate user.