Hi all,

We are able to successfully integrate CAS 5.2.6 in delegated
authentication mode against Azure AD as a SAML IdP.

After integration, the CAS server response looks as follows.

Azure SAML Response

<samlp:Response
    Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
    ID="_6a00b756-53f4-4702-b329-7a6af0145fa0"
    InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
    IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <Assertion ID="_337eded3-a927-4674-b78a-77259cfbf784" IssueInstant="2018-10-04T13:22:05.275Z"
        Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_337eded3-a927-4674-b78a-77259cfbf784">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>...</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nY16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud66</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
                    NotOnOrAfter="2018-10-04T13:27:05.275Z"
                    Recipient="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2018-10-04T13:17:05.275Z" NotOnOrAfter="2018-10-04T14:17:05.275Z">
            <AudienceRestriction>
                <Audience>spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>522b3803-a001-4675-b3b5-1d727d43585a</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>[email protected]</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>Firstname Lastname</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
                <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2018-10-04T09:50:06.611Z" SessionIndex="_337eded3-a927-4674-b78a-77259cfbf784">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>




CAS Client Response
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
        <cas:attributes>
            <cas:isFromNewLogin>true</cas:isFromNewLogin>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
            <cas:authenticationDate>2018-10-04T13:22:05.643Z[Etc/UTC]</cas:authenticationDate>
            <cas:clientName>MY_SAML</cas:clientName>
            <cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
            <cas:notBefore>2018-10-04T13:17:05.275Z</cas:notBefore>
            <cas:credentialType>ClientCredential</cas:credentialType>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>522b3803-a001-4675-b3b5-1d727d43585a</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>
            <cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>[email protected]</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
            <cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
            <cas:notOnOrAfter>2018-10-04T14:17:05.275Z</cas:notOnOrAfter>
            <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
            <cas:sessionindex>_337eded3-a927-4674-b78a-77259cfbf784</cas:sessionindex>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>


Now, parsing this response fails in WildFly or JBoss EAP because the
underlying XML parser (xercesImpl) does not allow XML element names starting
with numeric data.

So, to make it more standard, we are trying to use attributeResolver on the
CAS server side (e.g. /etc/cas/service/app-200.json).
However, we are not able to rename the SAML response attributes sent to the
CAS client.

We have tried
1) MappedAttributePolicy
"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "name" : "username",
      "displayname" : "userdisplayname"
    }
}




2) via Groovy config
"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "name" : "username",
      "displayname" : "userdisplayname",
      "someattributename" : "groovy { return attributes['name'] }"
    }
}

Any pointers on how to configure the attribute name translation are deeply
appreciated.


Thanks
-Raghav



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/807f9d9d-f17f-4cc9-8088-b775bf018ca0%40apereo.org.

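Added example, not part of the original post and not code from the CAS project. The element names in the CAS response above (`cas:6874...`) are the UTF-8 bytes of the Azure AD claim URIs written as hex, which CAS does because a URI is not a legal XML element name; the hex form is not legal either, since an XML name may not begin with a digit, which is what xerces objects to. The script below decodes those names back to the claim URIs, checks candidate names against a simplified ASCII version of the XML name rule, and builds a `ReturnMappedAttributeReleasePolicy` fragment. The keys of `allowedAttributes` in that policy are the attribute names as they exist on the principal, so the short keys `name` and `displayname` from the post match none of the decoded URIs; keying the map on the full URIs does. The `CAS_RESPONSE` excerpt is constructed from the response in the post (trimmed to four attributes); the function names are this example's own.

```python
"""Decode CAS hex-encoded attribute element names and build a
ReturnMappedAttributeReleasePolicy whose keys match the principal attributes.

Added example; not code from the original post or from the CAS project.
CAS_RESPONSE is a constructed excerpt of the response shown in the post.
"""
import json
import re

CAS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
    <cas:attributes>
      <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
      <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname
 
Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
      <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
      <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
      <cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>[email protected]</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# An attribute element whose local name is entirely hex digits: CAS encoded the
# real name because a claim URI is not a legal XML element name.
HEX_ELEMENT = re.compile(r"<cas:([0-9a-fA-F]+)>(.*?)</cas:\1>", re.DOTALL)

# Simplified ASCII subset of the XML NCName production. The first character may
# not be a digit, which is exactly why the hex-named elements are rejected.
XML_LOCAL_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.\-]*")


def decode_attribute_name(hex_name):
    """'687474703a2f2f...' -> 'http://...' (UTF-8 bytes written as hex)."""
    return bytes.fromhex(hex_name).decode("utf-8")


def is_valid_xml_local_name(name):
    """True if the name would be accepted as an element's local name."""
    return XML_LOCAL_NAME.fullmatch(name) is not None


def decoded_attributes(cas_xml):
    """Return {claim URI: [values]} for every hex-named attribute element."""
    attrs = {}
    for hex_name, value in HEX_ELEMENT.findall(cas_xml):
        # Collapse the line wrapping the mail client put into 'Firstname Lastname'.
        attrs.setdefault(decode_attribute_name(hex_name), []).append(" ".join(value.split()))
    return attrs


def build_mapped_policy(mapping):
    """Service JSON fragment for ReturnMappedAttributeReleasePolicy: keys are the
    attribute names on the principal, values are the names released to the client."""
    return {
        "attributeReleasePolicy": {
            "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
            "allowedAttributes": {"@class": "java.util.TreeMap", **mapping},
        }
    }


def policy_mapping(policy):
    allowed = policy["attributeReleasePolicy"]["allowedAttributes"]
    return {k: v for k, v in allowed.items() if k != "@class"}


def unmatched_policy_keys(policy, attrs):
    """Policy keys that name no attribute actually present on the principal."""
    return sorted(k for k in policy_mapping(policy) if k not in attrs)


def release_attributes(policy, attrs):
    """Apply the mapping; refuse any released name that is not a legal element name."""
    released = {}
    for source, target in policy_mapping(policy).items():
        if source in attrs:
            if not is_valid_xml_local_name(target):
                raise ValueError(f"released name {target!r} is not a valid XML element name")
            released[target] = attrs[source]
    return released


# The policy from the post: keyed on short names that never occur on the principal.
ORIGINAL_POLICY = build_mapped_policy({"name": "username", "displayname": "userdisplayname"})

# Corrected policy: keyed on the full claim URIs that Azure AD actually sends.
CORRECTED_POLICY = build_mapped_policy({
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
    "http://schemas.microsoft.com/identity/claims/displayname": "userdisplayname",
})

if __name__ == "__main__":
    attrs = decoded_attributes(CAS_RESPONSE)
    for uri, values in attrs.items():
        print(uri, "->", values)
    print("original policy keys with no matching attribute:",
          unmatched_policy_keys(ORIGINAL_POLICY, attrs))
    print("released by corrected policy:", release_attributes(CORRECTED_POLICY, attrs))
    print(json.dumps(CORRECTED_POLICY, indent=2))
```

Running the script prints the decoded claim URIs, reports that both keys of the original policy match nothing, and emits the corrected `attributeReleasePolicy` JSON ready to paste into the service definition; `release_attributes` also refuses a target name such as `1name` so a bad mapping is caught before it reaches the client.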