Has anyone else experienced this issue? This is holding up our CAS 6.0
deployment.
Additional context: we're running our environment in Docker with the
following dependencies:
compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-saml-idp:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-saml-googleapps:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
compile group: 'net.unicon.iam', name: 'duo-client', version: '0.2.2'
compile "org.apereo.cas:cas-server-support-duo:${casServerVersion}"
CAS Splash
CAS Version: 6.0.4
CAS Commit Id: 0f37f54d06b9a43523fdecd5bc3a8a0f31c407eb
CAS Build Date/Time: 2019-07-25T19:42:36Z
Spring Boot Version: 2.1.2.RELEASE
Spring Version: 5.1.3.RELEASE
Java Home: /opt/java/openjdk
Java Vendor: AdoptOpenJDK
Java Version: 11.0.3
JVM Free Memory: 148 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 261 MB
JCE Installed: Yes
Node Version: N/A
NPM Version: N/A
OS Architecture: amd64
OS Name: Linux
OS Version: 3.10.0-957.el7.x86_64
OS Date/Time: 2019-07-25T19:43:19.511687
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.20
------------------------------------------------------------
On Friday, July 26, 2019 at 2:25:33 PM UTC, Josh G wrote:
>
> Attribute Mappings to SAML Identifiers (e.g. urn:oid:2.5.4.42) is broken
> in CAS 6.0.
>
> In CAS 5.2 (and earlier releases of CAS 5.x) it was possible to map an
> attribute to a SAML compatible URI by leveraging the attributeReleasePolicy
> within a service definition.
>
> *A working (CAS 5.2) example is outlined below:*
>
> Here is a snippet of an HJSON entry for a SAML service:
>
> attributeReleasePolicy : {
>   @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>   allowedAttributes : {
>     @class : java.util.TreeMap
>     sn : "urn:oid:2.5.4.4"
>     givenName : "urn:oid:2.5.4.42"
>     displayName : "urn:oid:2.16.840.1.113730.3.1.241"
>     eduPersonPrincipalName : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>     sAMAccountName : "urn:oid:1.2.840.113556.1.4.221"
>   }
> }
>
> Here is a snippet of a single attribute from a working response (CAS 5.2):
>
> <saml2:Attribute FriendlyName="urn:oid:0.9.2342.19200300.100.1.3"
>                  Name="urn:oid:0.9.2342.19200300.100.1.3"
>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml2:AttributeValue>EMAIL_ADDRESS_HERE</saml2:AttributeValue>
> </saml2:Attribute>
>
> *The FriendlyName / Name values are mapped to the same value in CAS 5.2
> and below, but this was a limitation of CAS at the time which appears to be
> addressed in CAS 6.0.*
>
>
> *The above functionality is not working as expected, nor do any of my
> workarounds seem to work either.*
>
> If the exact attributeReleasePolicy is run in CAS 6.0, it appears to
> mangle the Principal ID of the response; CAS returns the following:
>
> Error: No principal was found in the response from the CAS server.
>
> The dump provided on the CAS login page is available here:
> https://pastebin.com/raw/Ur3Ce5UN
>
> However, if we look through the server logs a bit more the following error
> message appears:
>
> 2019-07-25 17:34:19,491 ERROR [org.jasig.cas.client.util.XmlUtils] - <Element or attribute do not match QName production: QName::=(NCName':')?NCName.>
> org.xml.sax.SAXParseException: Element or attribute do not match QName production: QName::=(NCName':')?NCName.
>
> It appears that CAS is attempting to validate the attribute mappings in the
> attributeReleasePolicy and is failing on the colon (:).
>
> If I remove the colon and periods from the above attributeReleasePolicy (for
> testing purposes only), the login goes through as expected and the SAML
> response looks as expected (sans the missing colons and periods):
>
> <saml2:Attribute FriendlyName="urnoid25442"
>                  Name="urnoid25442"
>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml2:AttributeValue>FIRST_NAME_HERE</saml2:AttributeValue>
> </saml2:Attribute>
>
>
> I've tried a variety of workarounds for this, but none has been successful
> (same error messages, same behaviors).
>
> The latest attempt involves feeding the released attributes to their
> respective urn:oid values, explicitly stating the urn:oid values are uri
> formatted attributes, and mapping the urn:oid values to their friendly name
> counterparts.
>
> This results in the same error above:
>
> attributeReleasePolicy : {
>   @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>   allowedAttributes : {
>     @class : java.util.TreeMap
>     "urn:oid:2.5.4.4" : "groovy { return attributes['sn'].get(0) }"
>     "urn:oid:2.5.4.42" : "groovy { return attributes['givenName'].get(0) }"
>     "urn:oid:2.16.840.1.113730.3.1.241" : "groovy { return attributes['displayName'].get(0) }"
>   }
> }
>
> attributeNameFormats : {
>   @class : java.util.HashMap
>   "urn:oid:2.5.4.4" : uri
>   "urn:oid:2.5.4.42" : uri
>   "urn:oid:2.16.840.1.113730.3.1.241" : uri
> }
>
> attributeFriendlyNames : {
>   @class : java.util.HashMap
>   "urn:oid:2.5.4.4" : sn
>   "urn:oid:2.5.4.42" : givenName
>   "urn:oid:2.16.840.1.113730.3.1.241" : displayName
> }
>
>
> This seems to be a pretty significant bug, unless I am (hopefully!) missing
> something obvious.
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
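As an added example (not code from the thread or from the CAS project), a pre-deployment lint for the release policy discussed above: the log line quoted in the thread shows the CAS client's XML parser rejecting the mapped name on the QName production, so this script applies the NCName rule from XML Namespaces 1.0 (letters, digits, '.', '-', '_'; no ':') to every released attribute name in a ReturnMappedAttributeReleasePolicy before the service JSON is deployed. The service definition is constructed for the example, the NCName check is simplified to ASCII, and the assumption that an inline groovy value releases the attribute under its key name follows the second policy quoted in the thread.

```python
import json
import re

# Simplified ASCII form of the NCName production (XML Namespaces 1.0):
# NCName ::= Name - (Char* ':' Char*), so a colon is never permitted.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

# Constructed service definition modelled on the policy quoted in the thread.
SERVICE_JSON = """
{
  "@class": "org.apereo.cas.services.SamlRegisteredService",
  "serviceId": "https://sp.example.edu/shibboleth",
  "name": "example-sp",
  "id": 1001,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "sn": "urn:oid:2.5.4.4",
      "givenName": "urn:oid:2.5.4.42",
      "mail": "email"
    }
  }
}
"""


def is_ncname(name: str) -> bool:
    """True if name is usable as an unprefixed XML element name."""
    return bool(NCNAME_RE.match(name))


def find_bad_mapped_names(service: dict) -> list:
    """Return (source, released_name) pairs whose released name is not an NCName.

    The CAS 3.0 validation response carries each released attribute as an
    element named after it, which is where a name such as urn:oid:2.5.4.42
    trips the QName check in the client's XML parser.
    """
    allowed = service.get("attributeReleasePolicy", {}).get("allowedAttributes", {})
    bad = []
    for source, mapped in allowed.items():
        if source == "@class":
            continue
        # Assumption: an inline groovy value is released under the key name.
        released = source if str(mapped).lstrip().startswith("groovy") else str(mapped)
        if not is_ncname(released):
            bad.append((source, released))
    return bad


def lint(service_json: str) -> list:
    """Parse a service JSON document and report offending released names."""
    return find_bad_mapped_names(json.loads(service_json))


if __name__ == "__main__":
    for source, released in lint(SERVICE_JSON):
        print(f"{source} -> {released!r}: not a valid XML element name (NCName)")
```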