The "ReturnMappedAttributeReleasePolicy" is not a method for returning
attribute values, it's a method for changing the name of an attribute when
you release it.

For example, suppose you have an application that wants you to give it an
attribute called "LastName". But your Active Directory, of course, keeps
the last name in an attribute called "sn". So, in the service registry for
that service, you would specify something like this:

...
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "LastName",
      "givenName" : "givenName",
      "cn" : "cn"
    }
  },
...


This says you're going to get the values of the cn, givenName, and sn
values from your attribute repository (Active Directory or whatever), and
send them over to the client. BUT, when you do that, you're going to call
them cn, givenName, and LastName instead. So for me, the client might get
something like:

cn=curryd, givenName=David, LastName=Curry


(in whatever format the protocol it's speaking with the CAS server provides
that information).

So what you're specifying there, is that you're going to send four
attributes back to AWS: description, extensionAttribute1,
extensionAttribute2, and extensionAttribute3. But when you send them back,
you're going to call them by those 3 URLs and "SessionDuration". So AWS is
going to get something like:

https://aws.amazon.com/SAML/Attributes/Role=<some value>,
https://aws.amazon.com/SAML/Attributes/Role=<some value>,
https://aws.amazon.com/SAML/Attributes/RoleSessionName=<some value>,
SessionDuration=<some value>


(again, in whatever format the protocol CAS is speaking with AWS specifies)
which, I presume, is not what you want. :-)

I believe there is a way to release the same attribute value with more than
one name, but I don't use it myself, so I don't know the details of what
version that functionality was added in, or how it's actually configured.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]

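An added Python simulation (not CAS's code and not from anyone in this thread) of what a mapped release policy does: rename each source attribute, keep every value of a multi-valued source, and report when two sources map onto the same released name, as the AWS definition quoted below does. The principal attributes are constructed, and merging colliding values is this simulation's choice, not a statement about what any CAS version does.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of what an attribute repository (Active Directory here)
# returns for one principal; LDAP attributes are multi-valued, hence lists.
PRINCIPAL_ATTRS = {
    "description": ["role-from-description"],
    "extensionAttribute1": ["role-from-ext1"],
    "extensionAttribute2": ["session-name"],
    "extensionAttribute3": ["3600"],
    "memberOf": ["CN=Dev,OU=Groups", "CN=Ops,OU=Groups"],
}

# allowedAttributes from the AWS service definition quoted in the thread.
AWS_POLICY_JSON = """{
  "@class" : "java.util.TreeMap",
  "description" : "https://aws.amazon.com/SAML/Attributes/Role",
  "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
  "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
  "extensionAttribute3" : "SessionDuration"
}"""


def load_allowed(policy_json):
    """{source attribute: released name}; @class is CAS metadata, not a mapping."""
    return {k: v for k, v in json.loads(policy_json).items() if k != "@class"}


def apply_mapped_release(attrs, allowed):
    """Simulated mapped release: each source attribute goes out under its mapped
    name with all its values.  Two sources mapped onto one name are merged here
    only to make the collision visible (the thread does not settle what a real
    CAS version does).  Returns (released, collisions: name -> source list)."""
    released, sources = {}, {}
    for source, target in allowed.items():
        if source not in attrs:
            continue  # repository returned nothing for this source
        released.setdefault(target, []).extend(attrs[source])
        sources.setdefault(target, []).append(source)
    return released, {t: s for t, s in sources.items() if len(s) > 1}


def to_attribute_statement(released):
    """Render as a SAML-style AttributeStatement, one AttributeValue per value."""
    stmt = ET.Element("AttributeStatement")
    for name, values in released.items():
        attr = ET.SubElement(stmt, "Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, "AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")
```

Running the AWS policy over the sample principal flags the Role name as fed by two sources; mapping the multi-valued memberOf alone shows how several AttributeValue elements arise under one Attribute without any JSON trickery.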

On Fri, Nov 16, 2018 at 11:01 AM Willian Gonzales <[email protected]>
wrote:

> David,
>
> I'm using the JSON Service Registry.
> You're telling me that what's responsible for multi-value attributes is not
> the service registry but the repository I'm using? (In my case Active
> Directory).
>
> So, let me show you the example I'm using.
>
> I need to map a multi-value attribute for the attribute
> "https://aws.amazon.com/SAML/Attributes/Role"
>
> Here is an example of my JSON.
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "urn:amazon:webservices",
>   "name" : "AWS",
>   "id" : 10000003,
>   "description" : "CAS AWS",
>   "signAssertions" : true,
>   "signResponses" : true,
>   "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "description" : "https://aws.amazon.com/SAML/Attributes/Role",
>       "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
>       "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
>       "extensionAttribute3" : "SessionDuration"
>     }
>   },
>   "evaluationOrder" : 1125
> }
>
>
> What I need is to use the values of "description" and
> "extensionAttribute1" in the same attribute, in this case
> "https://aws.amazon.com/SAML/Attributes/Role"
>
> I've tried to use the attribute repository but it still returns only one value.
>
> Here's my .prop file:
>
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].searchFilter=sAMAccountName={user}
> cas.authn.ldap[0][email protected]
> cas.authn.ldap[0].bindCredential=Teste@123
> cas.authn.ldap[0].dnFormat=%[email protected]
> cas.authn.ldap[0].principalAttributeId=sAMAccountName
> cas.authn.ldap[0].principalAttributePassword=unicodePwd
>
> cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
> cas.authn.ldap[0].failFast=false
> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
> cas.authn.attributeRepository.ldap[0][email protected]
> cas.authn.attributeRepository.ldap[0].bindCredential=********
> cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
>
> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.attributeRepository.ldap[0].useSsl=false
> cas.authn.attributeRepository.ldap[0].useStartTls=false
> cas.authn.attributeRepository.ldap[0].name=AD
> cas.authn.attributeRepository.expirationTime=30
> cas.authn.attributeRepository.expirationTimeUnit=MINUTES
> cas.authn.attributeRepository.maximumCacheSize=10000
> cas.authn.attributeRepository.merger=MERGE
>
> cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
> # cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
> # cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>
> Can you help me on this quest?
>
> I'm from Brazil, so I'm sorry for my English or anything.
>
> Thanks in advance and I appreciate your help.
>
>
> On Friday, November 16, 2018 at 13:26:22 UTC-2, David Curry
> wrote:
>>
>> Since I'm the only "David" I see in this thread I assume you're asking
>> me... but I'm not sure I understand the question. Where are you putting the
>> JSON that you're expecting CAS to consume it and then spit it out in a SAML
>> response?
>>
>> Normally, CAS will get the attributes from whatever repositories you
>> configure it to use, and take care of putting them into the response
>> itself; you don't have to specify any JSON. As far as I know, multi-valued
>> attributes should work just fine with that.
>>
>> The JSON I provided back earlier in this thread was in a service registry
>> definition to show how to rename attributes, not provide their values.
>>
>> --Dave
>>
>>
>> On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales <[email protected]>
>> wrote:
>>
>>> Hi David!
>>>
>>> I'm praying that you see my question now because I really need your help.
>>> I want to thank you because you really helped me by showing the .json
>>> configuration.
>>> But I need some help on this.
>>>
>>> How do I manage to do a multi-value attribute in JSON?
>>> I need the SAML response to be like this:
>>>
>>> <Attribute Name="attribute">
>>>   <AttributeValue>1</AttributeValue>
>>>   <AttributeValue>2</AttributeValue>
>>>   <AttributeValue>3</AttributeValue>
>>> </Attribute>
>>>
>>> Can you help me on this man?
>>>
>>> Regards
>>>
>>> On Wednesday, May 16, 2018 at 11:49:10 UTC-3, David Curry wrote:
>>>>
>>>> Here's a JSON definition for an Apache HTTPD with the Shibboleth
>>>> mod_shib/shibd plug-in:
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>>>>   "name" : "Apache Secured By SAML",
>>>>   "id" : 1509030300,
>>>>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>>>>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>>>>   "attributeReleasePolicy" : {
>>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>>     "allowedAttributes" : {
>>>>       "@class" : "java.util.TreeMap",
>>>>       "cn" : "urn:oid:2.5.4.3",
>>>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>>>       "givenName" : "urn:oid:2.5.4.42",
>>>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>>>       "role" : "urn:newschool:attribute-def:role",
>>>>       "sn" : "urn:oid:2.5.4.4",
>>>>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>>>>       "UDC_IDENTIFIER" : "urn:newschool:attribute-def:UDC_IDENTIFIER"
>>>>     }
>>>>   },
>>>>   "evaluationOrder" : 1125
>>>> }
>>>>
>>>> But if your SP doesn't care about the funky notation, you can just do
>>>> it the "regular" way... here's a definition for a test SP created via RSA's
>>>> free IAMShowcase site (this is a cut-down copy of the entire registry entry
>>>> to show the part you're interested in):
>>>>
>>>> {
>>>>     "serviceId": "IAMShowcase",
>>>>     "name": "RSA SAML Test Service Provider",
>>>>     "theme": null,
>>>>     "informationUrl": null,
>>>>     "privacyUrl": null,
>>>>     "id": 1202469081,
>>>>     "description": "The URL for the SP that talks to this service is
>>>> https://sptest.iamshowcase.com/ixs?idp=<snip>",
>>>>     "evaluationOrder": -1,
>>>>     "attributeReleasePolicy": {
>>>>         "@class":
>>>> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>>         "allowedAttributes": [
>>>>             "displayName",
>>>>             "givenName",
>>>>             "sn",
>>>>             "uid"
>>>>         ]
>>>>     }
>>>> }
>>>>
>>>>
>>>> --Dave
>>>>
>>>> On Wed, May 16, 2018 at 9:07 AM, John D Giotta <[email protected]>
>>>> wrote:
>>>>
>>>>> Do you have an example of this?
>>>>>
>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a71f33b-cc77-4c2a-be89-b712229a227a%40apereo.org
>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a71f33b-cc77-4c2a-be89-b712229a227a%40apereo.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>
