Hello,
Alright! Would it be possible to access authentication attributes in CAS
during authentication process?
We are using a groovy script to map the final user attributes released in
the Principal, and the authentication attributes are not present in the
"currentAttributes" parameter passed to the script either (guess this is normal).
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://.*",
  "name": "HTTPS",
  "id": 10000001,
  "evaluationOrder": 10000,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "principalId"
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.GroovyScriptAttributeReleasePolicy",
    "groovyScript": "classpath:/cas/config/services/mapearAtributos.groovy"
  }
}
Besides, I observed that the script runs twice per user authenticated. This
only happens when the username attribute provider is configured to return
an attribute that is already resolved for the principal as seen above. Not
a big deal but, is there a way to prevent the script running twice?
Thank you!!
Best regards,
David.
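For reference, an added example (not David's mapearAtributos.groovy and not code from the CAS project) of a release script for the GroovyScriptAttributeReleasePolicy above. It assumes the CAS 5.x contract in which the script's run(Object... args) receives (attributes, logger, principal, registeredService), assumes that dni is the profile attribute released as principalId, and takes the other source names (given_name, family_name, email) from the SAML2Profile log quoted below; it only maps what is present, fails closed when the username attribute is missing, and is deterministic so a second invocation is harmless.

```groovy
import java.util.*

// Hypothetical mapearAtributos.groovy. Assumed CAS 5.x contract:
// args[0] = user attributes (Map), args[1] = logger, args[2] = principal, args[3] = registeredService.
def Map<String, List<Object>> run(final Object... args) {
    def Map<String, Object> currentAttributes = args[0]
    def logger = args[1]

    // Copy one source attribute under a new name; missing sources are logged, never invented.
    def pick = { String source, String target, Map<String, List<Object>> out ->
        def v = currentAttributes.get(source)
        if (v == null || (v instanceof Collection && v.isEmpty())) {
            logger.debug("Attribute {} not present in user profile; {} not released", source, target)
            return
        }
        out[target] = (v instanceof Collection) ? new ArrayList(v) : [v]
    }

    def released = [:] as Map<String, List<Object>>
    pick("dni", "principalId", released)      // consumed by usernameAttributeProvider (assumption)
    pick("given_name", "givenName", released)
    pick("family_name", "sn", released)
    pick("email", "mail", released)

    // Authentication-level attributes such as authnContext come from the SAML
    // assertion, not from the user profile handed to this script, so they are
    // not expected here; log if one shows up so the surprise is visible.
    if (currentAttributes.containsKey("authnContext")) {
        logger.warn("authnContext unexpectedly present in profile attributes: {}",
                    currentAttributes.get("authnContext"))
    }

    // Fail closed: without the identifier used as the username, release nothing.
    if (!released.containsKey("principalId")) {
        logger.warn("Required attribute dni missing; releasing no attributes")
        return [:]
    }

    // Output depends only on the input map, so running the script twice per
    // authentication yields the same released attributes.
    logger.debug("Released attributes: {}", released)
    return released
}
```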
On Tuesday, November 13, 2018, 16:45:50 (UTC+1), leleuj wrote:
>
> Hi,
>
> You are missing nothing. pac4j authentication attributes are not used to
> build the CAS principal, only the user attributes.
> Thanks.
> Best regards,
> Jérôme
>
>
>
> On Tue, Nov 13, 2018 at 3:48 PM David Oteo <[email protected]>
> wrote:
>
>> Hi,
>>
>> We configured CAS 5.2.2 to delegate authentication to an external IdP
>> through SAML. In the SAML response there is an "AuthnContext" tag that does
>> not appear in the user profile attributes. CAS 5.2.2 seems to use pac4j
>> v2.2.x and here (https://github.com/pac4j/pac4j/pull/961) I can see that
>> this functionality was added to pac4j v2.2.
>>
>> I see this in the logs:
>>
>> [13/11/18 15:13:42:484 CET] 00000147 SystemOut O 2018-11-13
>> 15:13:42,339 DEBUG [org.pac4j.saml.profile.SAML2Profile] - <adding => key:
>> authnContext / value: [urn:safelayer:tws:policies:authentication:flow:cert]
>> / class java.util.ArrayList>
>>
>> but the attribute is not present in the user profile:
>>
>> [13/11/18 15:13:42:547 CET] 00000147 SystemOut O 2018-11-13
>> 15:13:42,340 DEBUG [org.pac4j.saml.client.SAML2Client] - <profile:
>> #SAML2Profile# | id: CN=CORPREC FICTICIO ACTIVO, O=EMPTY | attributes:
>> {country=[ES], cif=[Q3890349H], birthdate=[EMPTY], key_usage=[EMPTY],
>> not_before=[2017-03-16T12:15:29Z], subject=[SERIALNUMBER=99999988J,
>> OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543,
>> CN=CORPREC FICTICIO ACTIVO,
>> OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948,
>> OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko,
>> OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE,
>> C=ES], tsl=[S], issuer=[CN=CA personal de AAPP vascas (2) - DESARROLLO,
>> OU=AZZ Ziurtagiri publikoa - Certificado publico SCA, O=IZENPE S.A., C=ES],
>> notBefore=2018-11-13T14:13:41.480Z, surname1=[FICTICIO], surname2=[ACTIVO],
>> dni=[99999988J], email=EMPTY, tipoAfirma=[0], firmaCualificada=[S],
>> naturalPersonSemanticsIdentifier=[IDCES-99999988J],
>> legalPersonSemanticsIdentifier=[VATES-Q3890349H], serial_number=[C6o=],
>> preferencia_otp=[sms], given_name=[CORPREC], pais=[ES],
>> not_after=[2021-03-16T12:15:29Z], register_type=[1],
>> policy_identifier=[1.3.6.1.4.1.14777.104.2], person_status=[PF],
>> organization=[EMPTY], domain=[izenpe], name=[CORPREC FICTICIO ACTIVO],
>> notOnOrAfter=2018-11-13T14:18:41.480Z, family_name=FICTICIO ACTIVO} |
>> roles: [] | permissions: [] | isRemembered: false | clientName: null |
>> linkedId: null |>
>>
>> What am I missing here?
>>
>> Thank you very much once again!!
>>
>> Best regards,
>> David.
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ded036c-c303-4394-a585-90307590afc4%40apereo.org.