Someone smarter than me may need to weigh in on this... but I'll try.

As I understand it, SAML SPs will accept two forms of attribute names. One
form is that "urn" notation that Shibboleth seems to like:

<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>


The other form is the "friendly name," which is basically just a string,
like "cn" or "uid" or "givenName" or whatever. If you're using LDAP (or AD)
as your directory, then it's likely (although not required) that your
friendly names will just be your LDAP attribute names. I haven't used a
JDBC attribute repository with CAS 5, so I'm not sure what your attribute
names are there, but I'm guessing they're similar.

Anyway, CAS 5 lets you define your attributes, and the names you'd like to
return them under, in cas.properties. So, for LDAP, I have:

cas.authn.attributeRepository.ldap[0].attributes.cn:            uid
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName:     givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:          mail
cas.authn.attributeRepository.ldap[0].attributes.memberOf:      memberOf
cas.authn.attributeRepository.ldap[0].attributes.sn:            sn
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber:   cn


This says that, when I release these attributes to an application, it will
see:

   1. Attributes called displayName, givenName, mail, memberOf, and sn with
   the values of the LDAP attributes of the same name
   2. An attribute called uid that contains the value of the LDAP cn
   attribute (i.e., I "rename" the attribute when I release it to the
   application)
   3. An attribute called cn that contains the value of the LDAP tnsIDNumber
   attribute

You can do the same thing with JDBC (according to the documentation anyway;
I don't have a JDBC source to try it against):

cas.authn.attributeRepository.jdbc[0].attributes.uid:           uid
cas.authn.attributeRepository.jdbc[0].attributes.last_name:     sn
cas.authn.attributeRepository.jdbc[0].attributes.first_name:    givenName


and so on.

So....in the simple case, where your SAML SP (the client app) will accept
"friendly" names, you can just return the attributes in exactly the same
way as you do for a CAS service. But, in the other case, where your SAML SP
wants the "urn" names, you'll need to convert whatever names you've
configured in cas.properties to the other notation. You can do this by
using a ReturnMappedAttributeReleasePolicy in the service definition:

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "cn" : "urn:oid:2.5.4.3",
    "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName" : "urn:oid:2.5.4.42",
    "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
    "role" : "urn:newschool:attribute-def:role",
    "sn" : "urn:oid:2.5.4.4",
    "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
    "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER"
  }
}


Determining WHAT the "urn" values should be is the hardest part. In the
case of the Shibboleth SP (Apache mod_shib), they're defined in
/etc/shibboleth/attribute-resolver.xml.

Note: CAS 5.3, I believe, has added support for returning both the "urn"
and friendly names in the SAML response instead of either/or. I haven't
tried this, but recall seeing it in one of the changelogs...

You might find it helpful to set up a test SAML SP on the RSA IAM Showcase (
https://sptest.iamshowcase.com/). It's free, and dead simple to do
(download their metadata, upload your metadata, create a service registry
entry, done). When you log into their SP, it will display all the
attributes and other SAML data that it got back.

Hope this helps,
--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]

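As an added illustration (not from Dave's post and not CAS code), the script below walks one directory entry through the two renaming stages the post describes: the cas.properties lines rename LDAP attributes into CAS principal attributes, and the ReturnMappedAttributeReleasePolicy renames those into the names the SAML SP sees. The property lines and the policy JSON are copied from the post; the LDAP entry, its values, and the tiny properties parser are constructed here and are not how CAS parses its configuration. Running it shows which SP-side names come out, that attributes with no mapping (memberOf here, because it is not in the policy; userPassword, because it is never resolved at all) are never released, and that a policy entry with no matching principal attribute (`role`) silently produces nothing, which is the usual reason an SP reports a missing attribute.

```python
"""Simulate CAS 5 attribute renaming end-to-end for a SAML SP.

Added example, not code from the mailing-list post or from CAS.
Stage 1: cas.properties maps directory attribute -> principal attribute name.
Stage 2: ReturnMappedAttributeReleasePolicy maps principal attribute name ->
         the attribute name the SP receives (e.g. urn:oid:...).
"""
import json
import re

# cas.properties fragment in the "key: value" notation used in the post.
CAS_PROPERTIES = """
cas.authn.attributeRepository.ldap[0].attributes.cn:            uid
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName:     givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:          mail
cas.authn.attributeRepository.ldap[0].attributes.memberOf:      memberOf
cas.authn.attributeRepository.ldap[0].attributes.sn:            sn
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber:   cn
"""

# Service-definition fragment: the release policy block from the post.
SERVICE_JSON = """
{
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "cn" : "urn:oid:2.5.4.3",
      "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
      "givenName" : "urn:oid:2.5.4.42",
      "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
      "role" : "urn:newschool:attribute-def:role",
      "sn" : "urn:oid:2.5.4.4",
      "uid" : "urn:oid:0.9.2342.19200300.100.1.1"
    }
  }
}
"""

# Constructed LDAP entry (sample values only). tnsIDNumber is the
# institution-specific attribute named in the post.
LDAP_ENTRY = {
    "cn": "jdoe",
    "sn": "Doe",
    "givenName": "Jane",
    "displayName": "Jane Doe",
    "mail": "jdoe@example.edu",
    "memberOf": ["cn=staff,ou=groups,dc=example,dc=edu"],
    "tnsIDNumber": "N12345678",
    "userPassword": "{SSHA}never-mapped",  # no mapping -> never reaches the SP
}

# Matches "cas.authn.attributeRepository.<source>[<n>].attributes.<dir> : <principal>"
# (accepts ':' or '=' as the separator, as Java properties do).
PROP_RE = re.compile(
    r"^cas\.authn\.attributeRepository\.(\w+)\[(\d+)\]\.attributes\.(\S+?)\s*[:=]\s*(\S+)$"
)


def parse_repository_mappings(text):
    """Return {directory_attr: principal_attr} from cas.properties lines."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP_RE.match(line)
        if m:
            _source, _index, directory_attr, principal_attr = m.groups()
            mappings[directory_attr] = principal_attr
    return mappings


def resolve_principal(entry, mappings):
    """Stage 1: principal attributes = renamed directory attributes."""
    return {principal_attr: entry[dir_attr]
            for dir_attr, principal_attr in mappings.items()
            if dir_attr in entry}


def release_for_sp(principal_attrs, service_json):
    """Stage 2: apply the mapped release policy.

    Returns (released, missing): released maps SP-side name -> value;
    missing lists policy keys with no principal attribute behind them.
    """
    policy = json.loads(service_json)["attributeReleasePolicy"]
    assert policy["@class"].endswith("ReturnMappedAttributeReleasePolicy")
    allowed = {k: v for k, v in policy["allowedAttributes"].items() if k != "@class"}
    released, missing = {}, []
    for principal_name, sp_name in allowed.items():
        if principal_name in principal_attrs:
            released[sp_name] = principal_attrs[principal_name]
        else:
            missing.append(principal_name)
    return released, missing


def simulate(entry=LDAP_ENTRY, properties=CAS_PROPERTIES, service_json=SERVICE_JSON):
    """Run both stages for one directory entry."""
    principal = resolve_principal(entry, parse_repository_mappings(properties))
    return release_for_sp(principal, service_json)


if __name__ == "__main__":
    released, missing = simulate()
    for name, value in sorted(released.items()):
        print(f"{name:45} = {value}")
    if missing:
        print("policy keys with no principal attribute:", ", ".join(missing))
```

The two "swapped" names from the post come out as expected: the SP's `urn:oid:2.5.4.3` (cn) carries the LDAP tnsIDNumber value, and `urn:oid:0.9.2342.19200300.100.1.1` (uid) carries the LDAP cn. Pointing the same script at a real cas.properties and service JSON before deploying is a cheap way to catch a policy key that does not match any principal attribute name.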


On Mon, May 21, 2018 at 10:46 AM John D Giotta <[email protected]> wrote:

> David,
>
> I'm still trying to understand how user attributes are supposed to work.
> Let's say I'm using JDBC as my source for user data and credentials. If I'm
> writing the JSON service to map datasource fields to SAML attributes, how
> is this done? Is it naming convention? Do I need to include a custom
> mapping Java class?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANpo5nNmkdOF7kS1DpRrYcjpxwWSsbTcoPOjehypScjwg%40mail.gmail.com.