Attribute Mappings to SAML Identifiers (e.g. urn:oid:2.5.4.42) is broken in
CAS 6.0.
In CAS 5.2 (and earlier releases of CAS 5.x) it was possible to map an
attribute to a SAML compatible URI by leveraging the attributeReleasePolicy
within a service definition.
*A working (CAS 5.2) example is outlined below:*
Here is a snippet of an HJSON entry for a SAML service:
attributeReleasePolicy : {
  @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
  allowedAttributes : {
    @class : java.util.TreeMap
    sn : "urn:oid:2.5.4.4"
    givenName : "urn:oid:2.5.4.42"
    displayName : "urn:oid:2.16.840.1.113730.3.1.241"
    eduPersonPrincipalName : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    sAMAccountName : "urn:oid:1.2.840.113556.1.4.221"
  }
}
Here is a snippet of a single attribute from a working response (CAS 5.2):
<saml2:Attribute FriendlyName="urn:oid:0.9.2342.19200300.100.1.3"
                 Name="urn:oid:0.9.2342.19200300.100.1.3"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>EMAIL_ADDRESS_HERE</saml2:AttributeValue>
</saml2:Attribute>
*The FriendlyName / Name values are mapped to the same value in CAS 5.2 and
below, but this was a limitation of CAS at the time which appears to be
addressed in CAS 6.0.*
*The above functionality is not working as expected, nor do any of my
workarounds seem to work either.*
If the exact attributeReleasePolicy is run in CAS 6.0, it appears to mangle
the Principal ID of the response; CAS returns the following:
Error: No principal was found in the response from the CAS server.
The dump provided on the CAS login page is available here:
https://pastebin.com/raw/Ur3Ce5UN
However, if we look through the server logs a bit more the following error
message appears:
2019-07-25 17:34:19,491 ERROR [org.jasig.cas.client.util.XmlUtils] - <Element or attribute do not match QName production: QName::=(NCName':')?NCName.>
org.xml.sax.SAXParseException: Element or attribute do not match QName production: QName::=(NCName':')?NCName.
It appears that CAS is attempting to validate the attribute mappings in the
attributeReleasePolicy and is failing on the colon (:).
If I remove the colon and periods from the above attributeReleasePolicy (for
testing purposes only), the login goes through as expected and the SAML
response looks as expected (sans the missing colons and periods):
<saml2:Attribute FriendlyName="urnoid25442"
                 Name="urnoid25442"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>FIRST_NAME_HERE</saml2:AttributeValue>
</saml2:Attribute>
I've tried a variety of workarounds for this, but none has been successful
(same error messages, same behaviors).
The latest attempt involves feeding the released attributes to their respective
urn:oid values, explicitly stating the urn:oid values are uri formatted
attributes, and mapping the urn:oid values to their friendly name counterparts.
This results in the same error above:
attributeReleasePolicy : {
  @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
  allowedAttributes : {
    @class : java.util.TreeMap
    "urn:oid:2.5.4.4" : "groovy { return attributes['sn'].get(0) }"
    "urn:oid:2.5.4.42" : "groovy { return attributes['givenName'].get(0) }"
    "urn:oid:2.16.840.1.113730.3.1.241" : "groovy { return attributes['displayName'].get(0) }"
  }
}
attributeNameFormats : {
  @class : java.util.HashMap
  "urn:oid:2.5.4.4" : uri
  "urn:oid:2.5.4.42" : uri
  "urn:oid:2.16.840.1.113730.3.1.241" : uri
}
attributeFriendlyNames : {
  @class : java.util.HashMap
  "urn:oid:2.5.4.4" : sn
  "urn:oid:2.5.4.42" : givenName
  "urn:oid:2.16.840.1.113730.3.1.241" : displayName
}
This seems to be a pretty significant bug, unless I am (hopefully!) missing
something obvious.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/66165142-21d3-4cfa-9bfb-97d876e7c68d%40apereo.org.