Hi Jérôme,

I am using the JSON service registry. The service is registered as

{
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
    "name" : "testClient01",
    "id" : 1,
    "evaluationOrder" : 10,
    "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
    },
    "usernameAttributeProvider" : {
        "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
        "canonicalizationMode" : "NONE"
    }
}

So I believe the correct attribute release policy is in place to release all
attributes to the service.

The CAS log file contains this WARN message:

2018-03-24 10:02:59,411 WARN 
[org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - 
<Principal 
[AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==]
 does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among 
attributes [{}] so CAS cannot provide the user attribute the service expects. 
CAS will instead return the default principal id 
[AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==].
 Ensure the attribute selected as the username is allowed to be released by the 
service attribute release policy.>

So CAS thinks there is no attribute "urn:oid:0.9.2342.19200300.100.1.1" but
earlier in the log file pac4j logs

2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - <profile: #SAML2Profile# |
id: AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA== |
attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skoranda@gmail.com], mail=[[email protected]],
urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott],
urn:oid:2.5.4.42=[Scott], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda],
urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.koranda@sphericalcowgroup.com],
notOnOrAfter=2018-03-24T10:07:57.588Z, eduPersonPrincipalName=[[email protected]],
urn:oid:2.5.4.4=[Koranda], sn=[Koranda], sessionindex=_0572dab54bff96c199e29f058aae9302} |
roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |>

where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
be populated.

Am I missing something in my JSON service configuration?

Again this is for version 5.1.3.

Thanks,

Scott K

> Hi,
> 
> The behavior is to create the CAS principal and attributes from the pac4j
> principal and attributes. So you should get the pac4j attributes at the end.
> Ignore the log about the ClientCredential, the toString method just outputs
> the id (not the attributes).
> 
> Is the service configured properly (with ReturnAllAttributeReleasePolicy
> for example)?
> 
> Thanks.
> Best regards,
> Jérôme
> 
> 
> On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda <[email protected]> wrote:
> 
> > Hi,
> >
> > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > depending on the issue of which binding is being used for the
> > <AuthnRequest>, as detailed in an earlier note to this list).
> >
> > I am delegating authentication to a SAML2 IdP using pac4j.
> >
> > After a successful authentication I see in cas.log
> >
> > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
> > <profile: #SAML2Profile# | id: AAdzZWNyZXQxQJ7RzalR0+
> > OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> > ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> > 8uqJp0pzRmivQ== |
> > attributes:
> > {urn:oid:0.9.2342.19200300.100.1.3=[[email protected]], mail=[
> > [email protected]],
> > urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott
> > Koranda], givenName=[Scott],
> > urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
> > uid=[scott.koranda],
> > urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[[email protected]],
> > notOnOrAfter=2018-03-22T14:49:45.460Z,
> > eduPersonPrincipalName=[[email protected]],
> > urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> > sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> > permissions: [] | isRemembered: false | clientName: null | linkedId:
> > null |>
> >
> > Those are the values for NameID (transient) and attributes that I
> > expect.
> >
> > The next line in cas.log is
> >
> > 2018-03-22 14:44:46,402 INFO
> > [org.apereo.cas.authentication.AbstractAuthenticationManager] -
> > <Authenticated principal
> > [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
> > with attributes [{}] via credentials
> > [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=
> > AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>
> >
> > So it appears that the NameID value (transient) is being used as the
> > principal, but none of the attributes are making it from the pac4j layer
> > into the CAS layer.
> >
> > Is that a correct assessment?
> >
> > If so, how can I
> >
> > a) change what value is used for the principal? I would like to use the
> > value from one of the asserted attributes.
> >
> > b) push the attributes into the CAS layer to make them available for
> > assertion downstream to the CAS client?
> >
> > I have reviewed the documentation for the Delegated/pac4j authentication at
> >
> > https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html
> >
> > and that for Attribute Resolution at
> >
> > https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html
> >
> > but I am not able to find a configuration option that appears to tell
> > pac4j to push the attributes into the Authentication object.
> >
> > Thank you for your consideration.
> >
> > Scott K
> >
> >
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/a/
> > apereo.org/d/msgid/cas-user/20180322152546.o52kuzuh6u227e5s%40paprika.
> > local.
> >
> 

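A small diagnostic, added here as an example and not code from the thread or from CAS or pac4j, that reads the service definition and the two log lines discussed above and reports whether the configured usernameAttribute survives the pac4j-to-CAS hand-off. The sample inputs are constructed from the thread with the base64 principal id replaced by a placeholder; the parser handles the Java Map.toString() layout both layers print.

```python
import json
import re

# Constructed sample inputs modelled on the thread; the long base64 principal id
# is replaced by an obvious placeholder.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
  "name" : "testClient01", "id" : 1,
  "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy" },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1", "canonicalizationMode" : "NONE" }
}"""
PAC4J_LINE = ("2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - "
              "<profile: #SAML2Profile# | id: PRINCIPAL_ID_PLACEHOLDER | attributes: "
              "{urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], "
              "uid=[scott.koranda], notBefore=2018-03-24T10:02:57.588Z} | roles: [] | permissions: [] |>")
CAS_LINE = ("2018-03-24 10:02:59,411 WARN [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - "
            "<Principal [PRINCIPAL_ID_PLACEHOLDER] does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] "
            "among attributes [{}] so CAS cannot provide the user attribute the service expects.>")

# One entry of a Java Map.toString(): key=[v1, v2] or key=bare_value.
ATTR_RE = re.compile(r"([^\s{},=]+)=(\[[^\]]*\]|[^,}]+)")

def parse_attr_map(blob):
    """Parse a '{k=[v], k2=v2}' map as printed by pac4j/CAS into {key: [values]}."""
    attrs = {}
    for key, val in ATTR_RE.findall(blob):
        if val.startswith("["):
            attrs[key] = [v.strip() for v in val[1:-1].split(",") if v.strip()]
        else:
            attrs[key] = [val.strip()]
    return attrs

def diagnose(service_json, pac4j_line, cas_line):
    """Cross-check the configured usernameAttribute against both log layers."""
    wanted = json.loads(service_json)["usernameAttributeProvider"]["usernameAttribute"]
    pac4j_attrs = parse_attr_map(re.search(r"attributes: (\{.*?\}) \|", pac4j_line).group(1))
    cas_attrs = parse_attr_map(re.search(r"attributes \[(\{.*?\})\]", cas_line).group(1))
    return {
        "username_attribute": wanted,
        "in_pac4j_profile": wanted in pac4j_attrs,
        "in_cas_principal": wanted in cas_attrs,
        # Attributes the IdP asserted that never reached the CAS principal.
        "lost_between_layers": sorted(set(pac4j_attrs) - set(cas_attrs)),
    }

if __name__ == "__main__":
    print(json.dumps(diagnose(SERVICE_JSON, PAC4J_LINE, CAS_LINE), indent=2))
```

Run against real cas.log lines, a non-empty "lost_between_layers" with "in_cas_principal" false points at the attribute hand-off rather than at the service's release policy.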
