I have a PHP application that is successfully authenticating against a CAS server. One of the features supported by the application is impersonation; a user with the appropriate privileges can impersonate another user of the application. Generally, this isn't a problem because the app itself can keep track of who the user is impersonating and manage privileges (which are based on username).

A new requirement has come up, though, that requires the original app to include, via an iframe, content from a second PHP app that is also CAS-enabled. Somehow, I need for the second app to know whether impersonation is happening in the first. I don't want to pass usernames around for security reasons, so I'm wondering whether I can offload the responsibility for handling impersonation to the CAS server which is shared by both apps.

Thanks.

A: 

The more we considered this and tried to get something worked out, it seemed more and more likely that this just isn't available in CAS and perhaps shouldn't be. If we accept that CAS's sole purpose is to identify a user and ensure that the user is who they say they are, then it doesn't make much sense to be someone else.

This is just me speculating about the underlying justification, but I feel pretty comfortable saying that CAS doesn't offer impersonation functionality.

Rob Wilkerson