David,

I really want to thank you for helping me on this.
I've finally managed to retrieve a multiple-value attribute. Just as you 
said, the component responsible for releasing attributes to CAS is the 
authentication handler, in my case Active Directory. So, what I did was 
create a custom attribute "awsRoles" on Active Directory that supports 
multiple values. Then I configured CAS to release the attribute and used my 
JSON like this:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 10000003,
  "description" : "SSO AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "awsRoles" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3" : "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}

Here is my SAML Response after auth.

<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
                 Name="https://aws.amazon.com/SAML/Attributes/Role"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <saml2:AttributeValue>arn:aws:iam::account-id:role/role-name,arn:aws:iam::account-id:saml-provider/idp_name</saml2:AttributeValue>
    <saml2:AttributeValue>arn:aws:iam::account-id:role/role_name,arn:aws:iam::account-id:saml-provider/idp_name</saml2:AttributeValue>
</saml2:Attribute>

I'm sorry to bother you with this, but thank you for your help in showing 
me the way.

Have a nice weekend

Willian
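Two things worth checking on a response like the one above before enabling the service are that every AttributeValue is a single role/provider pair and that both ARNs belong to the same account. The script below is an added example, not code from this thread or from CAS: it parses the Role attribute out of a SAML assertion fragment and reports any value that breaks those rules, including the collapsed comma-joined form that Dave speculated about; the account IDs, role and provider names in the samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Role names containing commas are out of scope: AWS splits each value on ','.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

def check_role_values(values):
    """Return (ok, problems). AWS expects each AttributeValue to be exactly one
    'role-arn,saml-provider-arn' pair with both ARNs in the same account; the
    collapsed form (several pairs comma-joined in one value) is a problem."""
    problems = []
    if not values:
        problems.append("Role attribute released with no values")
    for v in values:
        parts = [p.strip() for p in v.split(",")]
        if len(parts) != 2:
            problems.append(f"expected 'role-arn,provider-arn', got {len(parts)} ARNs: {v!r}")
            continue
        m_role, m_prov = ROLE_ARN.match(parts[0]), PROVIDER_ARN.match(parts[1])
        if not (m_role and m_prov):
            problems.append(f"malformed ARN pair: {v!r}")
        elif m_role.group(1) != m_prov.group(1):
            problems.append(f"role and provider are in different accounts: {v!r}")
    return (not problems, problems)

def extract_role_values(saml_xml):
    """Collect the AttributeValue texts of the AWS Role attribute."""
    root = ET.fromstring(saml_xml)
    values = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") == ROLE_ATTR:
            for av in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
                values.append((av.text or "").strip())
    return values

def audit(saml_xml):
    return check_role_values(extract_role_values(saml_xml))

# Constructed sample in the shape AWS wants: one pair per AttributeValue.
GOOD_RESPONSE = f"""<saml2:Attribute xmlns:saml2="{SAML2_NS}" Name="{ROLE_ATTR}">
  <saml2:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/cas</saml2:AttributeValue>
  <saml2:AttributeValue>arn:aws:iam::222222222222:role/Admin,arn:aws:iam::222222222222:saml-provider/cas</saml2:AttributeValue>
</saml2:Attribute>"""
# Constructed sample of the collapsed form: all pairs in one AttributeValue.
BAD_RESPONSE = f"""<saml2:Attribute xmlns:saml2="{SAML2_NS}" Name="{ROLE_ATTR}">
  <saml2:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/cas,arn:aws:iam::222222222222:role/Admin,arn:aws:iam::222222222222:saml-provider/cas</saml2:AttributeValue>
</saml2:Attribute>"""
```

audit(GOOD_RESPONSE) returns (True, []), while audit(BAD_RESPONSE) flags the single value carrying four ARNs, which is the shape that would not let a user pick an account.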

On Friday, November 16, 2018 at 17:57:40 UTC-2, David Curry wrote:
>
> Well, I also said we don't do that here, so I don't actually know how to 
> do it, just that I think you can. :-)
>
> But seriously, I believe it depends on what you're using for an attribute 
> repository. And I'm not sure whether it's going to give you what you want:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> or if it's going to give you something more like
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> You might have to write a custom resolver or something (I'm not the one to 
> help you with that).
>
> Maybe someone else could weigh in here and give Willian some better 
> information?
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • [email protected]
>
>
> On Fri, Nov 16, 2018 at 12:10 PM Willian Gonzales <[email protected]> 
> wrote:
>
>> David,
>>
>> What I want is to log in to multiple AWS accounts using SAML2. I've 
>> managed to log in to only one account. But to log in to multiple accounts 
>> you have to send the response like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> Right now I'm sending only one value in the AttributeValue, like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> I need to send multiple values so I can choose which account I want to log 
>> in to. You said that there's a way to return a multi-value attribute; can 
>> you show me how to return a multi-value attribute?
>>
>> Thank You!
>>
>>
>>
>>
>> On Friday, November 16, 2018 at 14:39:26 UTC-2, David Curry wrote:
>>>
>>> The "ReturnMappedAttributeReleasePolicy" is not a method for returning 
>>> attribute values, it's a method for changing the name of an attribute when 
>>> you release it.
>>>
>>> For example, suppose you have an application that wants you to give it 
>>> an attribute called "LastName". But your Active Directory, of course, keeps 
>>> the last name in an attribute called "sn". So, in the service registry for 
>>> that service, you would specify something like this:
>>>
>>> ...
>>>   "attributeReleasePolicy" : {
>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>     "allowedAttributes" : {
>>>       "@class" : "java.util.TreeMap",
>>>       "sn" : "LastName",
>>>       "givenName" : "givenName",
>>>       "cn" : "cn"
>>>     }
>>>   },
>>> ...
>>>
>>>
>>> This says you're going to get the values of the cn, givenName, and sn 
>>> values from your attribute repository (Active Directory or whatever), and 
>>> send them over to the client. BUT, when you do that, you're going to call 
>>> them cn, givenName, and LastName instead. So for me, the client might get 
>>> something like:
>>>
>>> cn=curryd, givenName=David, LastName=Curry
>>>
>>>
>>> (in whatever format the protocol it's speaking with the CAS server 
>>> provides that information).
>>>
>>> So what you're specifying there is that you're going to send four 
>>> attributes back to AWS: description, extensionAttribute1, 
>>> extensionAttribute2, and extensionAttribute3. But when you send them back, 
>>> you're going to call them by those 3 URLs and "SessionDuration". So AWS is 
>>> going to get something like:
>>>
>>> https://aws.amazon.com/SAML/Attributes/Role=<some value>,
>>> https://aws.amazon.com/SAML/Attributes/Role=<some value>,
>>> https://aws.amazon.com/SAML/Attributes/RoleSessionName=<some value>,
>>> SessionDuration=<some value>
>>>
>>>
>>> (again, in whatever format the protocol CAS is speaking with AWS 
>>> specifies) which, I presume, is not what you want. :-)
>>>
>>> I believe there is a way to release the same attribute value with more 
>>> than one name, but I don't use it myself, so I don't know the details of 
>>> what version that functionality was added in, or how it's actually 
>>> configured.
>>>
>>> --Dave
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • [email protected]
>>>
>>>
>>> On Fri, Nov 16, 2018 at 11:01 AM Willian Gonzales <[email protected]> 
>>> wrote:
>>>
>>>> David,
>>>>
>>>> I'm using the JSON Service Registry.
>>>> You're telling me that what's responsible for multi-value attributes is 
>>>> not the service registry but the repository I'm using? (In my case Active 
>>>> Directory.)
>>>>
>>>> So, let me show you the example I'm using.
>>>>
>>>> I need to map a multi-value attribute for the attribute 
>>>> "https://aws.amazon.com/SAML/Attributes/Role"
>>>>
>>>> Here an example of my JSON.
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>   "serviceId" : "urn:amazon:webservices",
>>>>   "name" : "AWS",
>>>>   "id" : 10000003,
>>>>   "description" : "CAS AWS",
>>>>   "signAssertions" : true,
>>>>   "signResponses" : true,
>>>>   "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
>>>>   "attributeReleasePolicy" : {
>>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>>     "allowedAttributes" : {
>>>>       "@class" : "java.util.TreeMap",
>>>>       "description" : "https://aws.amazon.com/SAML/Attributes/Role",
>>>>       "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
>>>>       "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
>>>>       "extensionAttribute3" : "SessionDuration"
>>>>     }
>>>>   },
>>>>   "evaluationOrder" : 1125
>>>> }
>>>>
>>>>
>>>> What I need is to use the values of "description" and 
>>>> "extensionAttribute1" in the same attribute, in this case 
>>>> "https://aws.amazon.com/SAML/Attributes/Role"
>>>>
>>>> I've tried to use the attribute repository, but it still returns only one 
>>>> value.
>>>>
>>>> Here's my .prop file:
>>>>
>>>> cas.authn.ldap[0].type=AD
>>>> cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
>>>> cas.authn.ldap[0].useSsl=false
>>>> cas.authn.ldap[0].useStartTls=false
>>>> cas.authn.ldap[0].connectTimeout=5000
>>>> cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
>>>> cas.authn.ldap[0].subtreeSearch=true
>>>> cas.authn.ldap[0].searchFilter=sAMAccountName={user}
>>>> cas.authn.ldap[0][email protected]
>>>> cas.authn.ldap[0].bindCredential=Teste@123
>>>> cas.authn.ldap[0].dnFormat=%[email protected]
>>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>>> cas.authn.ldap[0].principalAttributePassword=unicodePwd
>>>>
>>>> cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
>>>> cas.authn.ldap[0].failFast=false
>>>> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
>>>> cas.authn.attributeRepository.ldap[0][email protected]
>>>> cas.authn.attributeRepository.ldap[0].bindCredential=********
>>>> cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
>>>>
>>>> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>>> cas.authn.attributeRepository.ldap[0].useSsl=false
>>>> cas.authn.attributeRepository.ldap[0].useStartTls=false
>>>> cas.authn.attributeRepository.ldap[0].name=AD
>>>> cas.authn.attributeRepository.expirationTime=30
>>>> cas.authn.attributeRepository.expirationTimeUnit=MINUTES
>>>> cas.authn.attributeRepository.maximumCacheSize=10000
>>>> cas.authn.attributeRepository.merger=MERGE
>>>>
>>>> cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
>>>> # cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>>>> # cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>>>>
>>>> Can you help me on this quest?
>>>>
>>>> I'm from Brazil, so I'm sorry for my English or anything.
>>>>
>>>> Thanks in advance, and I appreciate your help.
>>>>
>>>>
>>>> On Friday, November 16, 2018 at 13:26:22 UTC-2, David Curry wrote:
>>>>>
>>>>> Since I'm the only "David" I see in this thread I assume you're asking 
>>>>> me... but I'm not sure I understand the question. Where are you putting 
>>>>> the JSON that you're expecting CAS to consume it and then spit it out in 
>>>>> a SAML response?
>>>>>
>>>>> Normally, CAS will get the attributes from whatever repositories you 
>>>>> configure it to use, and take care of putting them into the response 
>>>>> itself; you don't have to specify any JSON. As far as I know, 
>>>>> multi-valued attributes should work just fine with that.
>>>>>
>>>>> The JSON I provided back earlier in this thread was in a service 
>>>>> registry definition to show how to rename attributes, not provide their 
>>>>> values.
>>>>>
>>>>> --Dave
>>>>>
>>>>> --
>>>>>
>>>>> DAVID A. CURRY, CISSP
>>>>> *DIRECTOR OF INFORMATION SECURITY*
>>>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>>>
>>>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>>>> +1 212 229-5300 x4728 • [email protected]
>>>>>
>>>>>
>>>>> On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales <[email protected]> 
>>>>> wrote:
>>>>>
>>>>>> Hi David!
>>>>>>
>>>>>> I'm praying that you see my question now because I really need your 
>>>>>> help.
>>>>>> I want to thank you because you really helped me by showing the .json 
>>>>>> configuration.
>>>>>> But I need some help on this.
>>>>>>
>>>>>> How do I manage to do a multi-value attribute in JSON?
>>>>>> I need the SAML response to be like this:
>>>>>>
>>>>>> <Attribute Name="attribute">
>>>>>>   <AttributeValue>1</AttributeValue>
>>>>>>   <AttributeValue>2</AttributeValue>
>>>>>>   <AttributeValue>3</AttributeValue>
>>>>>> </Attribute>
>>>>>>
>>>>>> Can you help me on this man?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Wednesday, May 16, 2018 at 11:49:10 UTC-3, David Curry wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Here's a JSON definition for an Apache HTTPD with the Shibboleth 
>>>>>>> mod_shib/shibd plug-in:
>>>>>>>
>>>>>>> {
>>>>>>>   "@class" : 
>>>>>>> "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>>>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>>>>>>>   "name" : "Apache Secured By SAML",
>>>>>>>   "id" : 1509030300,
>>>>>>>   "description" : "CAS development Apache mod_shib/shibd server with 
>>>>>>> username/password protection",
>>>>>>>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>>>>>>>   "attributeReleasePolicy" : {
>>>>>>>     "@class" : 
>>>>>>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>>>>>     "allowedAttributes" : {
>>>>>>>       "@class" : "java.util.TreeMap",
>>>>>>>       "cn" : "urn:oid:2.5.4.3",
>>>>>>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>>>>>>       "givenName" : "urn:oid:2.5.4.42",
>>>>>>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>>>>>>       "role" : "urn:newschool:attribute-def:role",
>>>>>>>       "sn" : "urn:oid:2.5.4.4",
>>>>>>>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>>>>>>>       "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER"
>>>>>>>     }
>>>>>>>   },
>>>>>>>   "evaluationOrder" : 1125
>>>>>>> }
>>>>>>>
>>>>>>> But if your SP doesn't care about the funky notation, you can just 
>>>>>>> do it the "regular" way... here's a definition for a test SP created 
>>>>>>> via 
>>>>>>> RSA's free IAMShowcase site (this is a cut-down copy of the entire 
>>>>>>> registry 
>>>>>>> entry to show the part you're interested in):
>>>>>>>
>>>>>>> {
>>>>>>>     "serviceId": "IAMShowcase",
>>>>>>>     "name": "RSA SAML Test Service Provider",
>>>>>>>     "theme": null,
>>>>>>>     "informationUrl": null,
>>>>>>>     "privacyUrl": null,
>>>>>>>     "id": 1202469081,
>>>>>>>     "description": "The URL for the SP that talks to this service is 
>>>>>>> https://sptest.iamshowcase.com/ixs?idp=<snip>",
>>>>>>>
>>>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7f3b7310-1142-406a-88e1-3623e6a15dc1%40apereo.org.
