Well, I also said we don't do that here, so I don't actually know how to do
it, just that I think you can. :-)

But seriously, I believe it depends on what you're using for an attribute
repository. And I'm not sure whether it's going to give you what you want:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
<AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
<AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>

or if it's going to give you something more like

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,
ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM
</AttributeValue>
</Attribute>

You might have to write a custom resolver or something (I'm not the one to
help you with that).

Maybe someone else could weigh in here and give William some better
information?

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]


On Fri, Nov 16, 2018 at 12:10 PM Willian Gonzales <[email protected]>
wrote:

> David,
>
> What I want is to log in to multiple AWS accounts using SAML2. I've
> managed to log in to only one account. But to log in to multiple accounts
> you have to send the response like this:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
> <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
> <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
> <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> Right now I'm sending only one value in the AttributeValue, like this:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
> <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> I need to send multiple values so I can choose which account I want to log
> in to. You said that there's a way to return a multi-value attribute; can you
> show me how to return a multi-value attribute?
>
> Thank You!
>
>
>
>
> On Friday, 16 November 2018 14:39:26 UTC-2, David Curry
> wrote:
>>
>> The "ReturnMappedAttributeReleasePolicy" is not a method for returning
>> attribute values, it's a method for changing the name of an attribute when
>> you release it.
>>
>> For example, suppose you have an application that wants you to give it an
>> attribute called "LastName". But your Active Directory, of course, keeps
>> the last name in an attribute called "sn". So, in the service registry for
>> that service, you would specify something like this:
>>
>> ...
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>     "allowedAttributes" : {
>>       "@class" : "java.util.TreeMap",
>>       "sn" : "LastName",
>>       "givenName" : "givenName",
>>       "cn" : "cn"
>>     }
>>   },
>> ...
>>
>>
>> This says you're going to get the values of the cn, givenName, and sn
>> values from your attribute repository (Active Directory or whatever), and
>> send them over to the client. BUT, when you do that, you're going to call
>> them cn, givenName, and LastName instead. So for me, the client might get
>> something like:
>>
>> cn=curryd, givenName=David, LastName=Curry
>>
>>
>> (in whatever format the protocol it's speaking with the CAS server
>> provides that information).
>>
>> So what you're specifying there is that you're going to send four
>> attributes back to AWS: description, extensionAttribute1,
>> extensionAttribute2, and extensionAttribute3. But when you send them back,
>> you're going to call them by those 3 URLs and "SessionDuration". So AWS is
>> going to get something like:
>>
>> https://aws.amazon.com/SAML/Attributes/Role=<some value>,
>> https://aws.amazon.com/SAML/Attributes/Role=<some value>,
>> https://aws.amazon.com/SAML/Attributes/RoleSessionName=<some value>,
>> SessionDuration=<some value>
>>
>>
>> (again, in whatever format the protocol CAS is speaking with AWS
>> specifies) which, I presume, is not what you want. :-)
>>
>> I believe there is a way to release the same attribute value with more
>> than one name, but I don't use it myself, so I don't know the details of
>> what version that functionality was added in, or how it's actually
>> configured.
>>
>> --Dave
>>
>>
>>
>> On Fri, Nov 16, 2018 at 11:01 AM Willian Gonzales <[email protected]>
>> wrote:
>>
>>> David,
>>>
>>> I'm using the JSON Service Registry.
>>> You're telling me that what's responsible for multi-value attributes is not
>>> the service registry but the repository I'm using? (In my case, Active
>>> Directory.)
>>>
>>> So, let me show you the example I'm using.
>>>
>>> I need to map a multi-value attribute for the attribute
>>> "https://aws.amazon.com/SAML/Attributes/Role"
>>>
>>> Here's an example of my JSON.
>>>
>>> {
>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>   "serviceId" : "urn:amazon:webservices",
>>>   "name" : "AWS",
>>>   "id" : 10000003,
>>>   "description" : "CAS AWS",
>>>   "signAssertions" : true,
>>>   "signResponses" : true,
>>>   "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
>>>   "attributeReleasePolicy" : {
>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>     "allowedAttributes" : {
>>>       "@class" : "java.util.TreeMap",
>>>       "description" : "https://aws.amazon.com/SAML/Attributes/Role",
>>>       "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
>>>       "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
>>>       "extensionAttribute3" : "SessionDuration"
>>>     }
>>>   },
>>>   "evaluationOrder" : 1125
>>> }
>>>
>>>
>>> What I need is to use the values of "description" and
>>> "extensionAttribute1" in the same attribute, in this case
>>> "https://aws.amazon.com/SAML/Attributes/Role".
>>>
>>> I've tried to use the attribute repository, but it still returns only one value.
>>>
>>> Here's my .prop file:
>>>
>>> cas.authn.ldap[0].type=AD
>>> cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
>>> cas.authn.ldap[0].useSsl=false
>>> cas.authn.ldap[0].useStartTls=false
>>> cas.authn.ldap[0].connectTimeout=5000
>>> cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
>>> cas.authn.ldap[0].subtreeSearch=true
>>> cas.authn.ldap[0].searchFilter=sAMAccountName={user}
>>> cas.authn.ldap[0][email protected]
>>> cas.authn.ldap[0].bindCredential=Teste@123
>>> cas.authn.ldap[0].dnFormat=%[email protected]
>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>> cas.authn.ldap[0].principalAttributePassword=unicodePwd
>>>
>>> cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
>>> cas.authn.ldap[0].failFast=false
>>> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
>>> cas.authn.attributeRepository.ldap[0][email protected]
>>> cas.authn.attributeRepository.ldap[0].bindCredential=********
>>> cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
>>>
>>> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>> cas.authn.attributeRepository.ldap[0].useSsl=false
>>> cas.authn.attributeRepository.ldap[0].useStartTls=false
>>> cas.authn.attributeRepository.ldap[0].name=AD
>>> cas.authn.attributeRepository.expirationTime=30
>>> cas.authn.attributeRepository.expirationTimeUnit=MINUTES
>>> cas.authn.attributeRepository.maximumCacheSize=10000
>>> cas.authn.attributeRepository.merger=MERGE
>>>
>>> cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
>>> # cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>>> # cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>>>
>>> Can you help me on this quest?
>>>
>>> I'm from Brazil, so I'm sorry for my English or anything.
>>>
>>> Thanks in advance, and I appreciate your help.
>>>
>>>
>>> On Friday, 16 November 2018 13:26:22 UTC-2, David Curry
>>> wrote:
>>>>
>>>> Since I'm the only "David" I see in this thread I assume you're asking
>>>> me... but I'm not sure I understand the question. Where are you putting the
>>>> JSON that you're expecting CAS to consume it and then spit it out in a SAML
>>>> response?
>>>>
>>>> Normally, CAS will get the attributes from whatever repositories you
>>>> configure it to use, and take care of putting them into the response
>>>> itself; you don't have to specify any JSON. As far as I know, multi-valued
>>>> attributes should work just fine with that.
>>>>
>>>> The JSON I provided back earlier in this thread was in a service
>>>> registry definition to show how to rename attributes, not provide their
>>>> values.
>>>>
>>>> --Dave
>>>>
>>>>
>>>>
>>>> On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi David!
>>>>>
>>>>> I'm praying that you see my question now because I really need your
>>>>> help.
>>>>> I want to thank you because you really helped me by showing the .json
>>>>> configuration.
>>>>> But I need some help on this.
>>>>>
>>>>> How do I manage to do a multi-value attribute in JSON?
>>>>> I need the SAML response to be like this:
>>>>>
>>>>> <Attribute Name="attribute">
>>>>>   <AttributeValue>1</AttributeValue>
>>>>>   <AttributeValue>2</AttributeValue>
>>>>>   <AttributeValue>3</AttributeValue>
>>>>> </Attribute>
>>>>>
>>>>> Can you help me on this man?
>>>>>
>>>>> Regards
>>>>>
>>>>> On Wednesday, 16 May 2018 11:49:10 UTC-3, David Curry
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Here's a JSON definition for an Apache HTTPD with the Shibboleth
>>>>>> mod_shib/shibd plug-in:
>>>>>>
>>>>>> {
>>>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>>>>>>   "name" : "Apache Secured By SAML",
>>>>>>   "id" : 1509030300,
>>>>>>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>>>>>>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>>>>>>   "attributeReleasePolicy" : {
>>>>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>>>>     "allowedAttributes" : {
>>>>>>       "@class" : "java.util.TreeMap",
>>>>>>       "cn" : "urn:oid:2.5.4.3",
>>>>>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>>>>>       "givenName" : "urn:oid:2.5.4.42",
>>>>>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>>>>>       "role" : "urn:newschool:attribute-def:role",
>>>>>>       "sn" : "urn:oid:2.5.4.4",
>>>>>>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>>>>>>       "UDC_IDENTIFIER" : "urn:newschool:attribute-def:UDC_IDENTIFIER"
>>>>>>     }
>>>>>>   },
>>>>>>   "evaluationOrder" : 1125
>>>>>> }
>>>>>>
>>>>>> But if your SP doesn't care about the funky notation, you can just do
>>>>>> it the "regular" way... here's a definition for a test SP created via
>>>>>> RSA's free IAMShowcase site (this is a cut-down copy of the entire
>>>>>> registry entry to show the part you're interested in):
>>>>>>
>>>>>> {
>>>>>>     "serviceId": "IAMShowcase",
>>>>>>     "name": "RSA SAML Test Service Provider",
>>>>>>     "theme": null,
>>>>>>     "informationUrl": null,
>>>>>>     "privacyUrl": null,
>>>>>>     "id": 1202469081,
>>>>>>     "description": "The URL for the SP that talks to this service is https://sptest.iamshowcase.com/ixs?idp=<snip>",
>>>>>>     "evaluationOrder": -1,
>>>>>>     "attributeReleasePolicy": {
>>>>>>         "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>>>>>         "allowedAttributes": [
>>>>>>             "displayName",
>>>>>>             "givenName",
>>>>>>             "sn",
>>>>>>             "uid"
>>>>>>         ]
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>>
>>>>>> --Dave
>>>>>>
>>>>>>
>>>>>> On Wed, May 16, 2018 at 9:07 AM, John D Giotta <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Do you have an example of this?
>>>>>>>
>>>>>>> --
>>>>>>> - Website: https://apereo.github.io/cas
>>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "CAS Community" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a71f33b-cc77-4c2a-be89-b712229a227a%40apereo.org
>>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a71f33b-cc77-4c2a-be89-b712229a227a%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>>
>>>>>>

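As an added example, not CAS code and not something anyone in this thread posted: a Python sketch of what the "custom resolver" Dave mentions would have to do for the AWS Role attribute. It models the attribute repository as a plain dict, applies the allowedAttributes mapping from Willian's service definition, merges the two source attributes that map to the same released name, normalises both value shapes Dave describes (one "role,provider" pair per value, or everything comma-joined into a single value) into one pair per AttributeValue, and serialises the result with ElementTree so values are XML-escaped. The dict-shaped repository, the sample principal values and all helper names are assumptions made for this example.

```python
"""Added example (not CAS code): simulate a mapped attribute release for the
AWS SAML Role attribute and render the resulting SAML AttributeStatement.

Assumptions (not from the thread): the attribute repository is modelled as a
dict whose values are a str or a list of str, and ALLOWED_ATTRIBUTES mirrors
the "allowedAttributes" TreeMap of a ReturnMappedAttributeReleasePolicy.
"""
import xml.etree.ElementTree as ET

AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_ROLE_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Mapping taken from the service definition in the thread: two source
# attributes are mapped onto the same released name, which is the crux of
# the question.  Dict order (description first) decides the merged order.
ALLOWED_ATTRIBUTES = {
    "description": AWS_ROLE,
    "extensionAttribute1": AWS_ROLE,
    "extensionAttribute2": AWS_ROLE_SESSION_NAME,
    "extensionAttribute3": "SessionDuration",
}


def split_role_pairs(value):
    """Turn one repository value into a list of 'role,provider' pairs.

    A repository may hand back one pair per value (the first shape in Dave's
    reply) or everything joined into a single comma-separated string (the
    second shape).  Pairing the tokens two at a time makes both shapes come
    out as a clean list of pairs; an odd token count is rejected rather than
    emitted as a half pair.
    """
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if len(tokens) % 2:
        raise ValueError(f"unpaired role token in {value!r}")
    return [f"{tokens[i]},{tokens[i + 1]}" for i in range(0, len(tokens), 2)]


def release_attributes(repository_attrs, mapping=ALLOWED_ATTRIBUTES):
    """Apply the rename mapping, merging values when several source
    attributes share a released name.  Returns {released_name: [values]}
    with order preserved and exact duplicates dropped."""
    released = {}
    for source, target in mapping.items():
        raw = repository_attrs.get(source)
        if raw is None:
            continue  # attribute absent for this principal: nothing released
        values = [raw] if isinstance(raw, str) else list(raw)
        if target == AWS_ROLE:
            values = [pair for v in values for pair in split_role_pairs(v)]
        bucket = released.setdefault(target, [])
        for v in values:
            if v not in bucket:
                bucket.append(v)
    return released


def render_attribute_statement(released):
    """Serialise released attributes as a SAML 2.0 AttributeStatement with
    one <AttributeValue> per value.  ElementTree escapes the text, so a
    value containing '<' or '&' cannot break out of its element."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in released.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for v in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")


def count_attribute_values(xml_text, name):
    """Parse a rendered statement back and count the AttributeValue
    children of the Attribute called `name` (0 if it is absent)."""
    root = ET.fromstring(xml_text)
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return len(attr.findall(f"{{{SAML_NS}}}AttributeValue"))
    return 0


# Constructed sample principal using the thread's placeholder role names:
# "description" holds one pair, "extensionAttribute1" holds two pairs
# comma-joined into a single value, and "mail" is not in the mapping.
SAMPLE_PRINCIPAL = {
    "description": "ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM",
    "extensionAttribute1": [
        "ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,"
        "ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM",
    ],
    "extensionAttribute2": "wgonzales",
    "extensionAttribute3": "3600",
    "mail": "user@example.com",
}

if __name__ == "__main__":
    print(render_attribute_statement(release_attributes(SAMPLE_PRINCIPAL)))
```

Running the file prints an AttributeStatement whose Role attribute carries three AttributeValue elements, the shape AWS needs in order to offer a choice of account; "mail" is not released because it is not in the mapping. Whether CAS's own ReturnMappedAttributeReleasePolicy merges two source attributes that share a target name like this is not something the thread settles, which is exactly the gap a custom resolver would have to fill.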