Yep, I just hit it on 6.0.4
D.
On Friday, 26 July 2019 10:25:33 UTC-4, Josh G wrote:
>
> Attribute Mappings to SAML Identifiers (e.g. urn:oid:2.5.4.42) is broken
> in CAS 6.0.
>
> In CAS 5.2 (and earlier releases of CAS 5.x) it was possible to map an
> attribute to a SAML compatible URI by leveraging the attributeReleasePolicy
> within a service definition.
>
> *A working (CAS 5.2) example is outlined below:*
>
> Here is a snippet of an HJSON entry for a SAML service:
>
> attributeReleasePolicy : {
>   @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>   allowedAttributes : {
>     @class : java.util.TreeMap
>     sn : "urn:oid:2.5.4.4"
>     givenName : "urn:oid:2.5.4.42"
>     displayName : "urn:oid:2.16.840.1.113730.3.1.241"
>     eduPersonPrincipalName : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
>     sAMAccountName : "urn:oid:1.2.840.113556.1.4.221"
>   }
> }
>
> Here is a snippet of a single attribute from a working response (CAS 5.2):
>
> <saml2:Attribute FriendlyName="urn:oid:0.9.2342.19200300.100.1.3"
>                  Name="urn:oid:0.9.2342.19200300.100.1.3"
>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml2:AttributeValue>EMAIL_ADDRESS_HERE</saml2:AttributeValue>
> </saml2:Attribute>
>
> *The FriendlyName / Name values are mapped to the same value in CAS 5.2
> and below, but this was a limitation of CAS at the time which appears to be
> addressed in CAS 6.0.*
>
>
> *The above functionality is not working as expected, nor do any of my
> workarounds seem to work either.*
>
> If the exact attributeReleasePolicy is run in CAS 6.0, it appears to
> mangle the Principal ID of the response; CAS returns the following:
>
> Error: No principal was found in the response from the CAS server.
>
> The dump provided on the CAS login page is available here:
> https://pastebin.com/raw/Ur3Ce5UN
>
> However, if we look through the server logs a bit more the following error
> message appears:
>
> 2019-07-25 17:34:19,491 ERROR [org.jasig.cas.client.util.XmlUtils] - <Element
> or attribute do not match QName production: QName::=(NCName':')?NCName.>
> org.xml.sax.SAXParseException: Element or attribute do not match QName
> production: QName::=(NCName':')?NCName.
>
> It appears that CAS is attempting to validate the attribute mappings in the
> attributeReleasePolicy and is failing on the colon (:).
>
> If I remove the colon and periods from the above attributeReleasePolicy (for
> testing purposes only), the login goes through as expected and the SAML
> response looks as expected (sans the missing colons and periods):
>
> <saml2:Attribute FriendlyName="urnoid25442"
>                  Name="urnoid25442"
>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>   <saml2:AttributeValue>FIRST_NAME_HERE</saml2:AttributeValue>
> </saml2:Attribute>
>
>
> I've tried a variety of workarounds for this, but none has been successful
> (same error messages, same behaviors).
>
> The latest attempt involves feeding the released attributes to their
> respective urn:oid values, explicitly stating the urn:oid values are uri
> formatted attributes, and mapping the urn:oid values to their friendly name
> counterparts.
>
> This results in the same error above:
>
> attributeReleasePolicy : {
>   @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
>   allowedAttributes : {
>     @class : java.util.TreeMap
>     "urn:oid:2.5.4.4" : "groovy { return attributes['sn'].get(0) }"
>     "urn:oid:2.5.4.42" : "groovy { return attributes['givenName'].get(0) }"
>     "urn:oid:2.16.840.1.113730.3.1.241" : "groovy { return attributes['displayName'].get(0) }"
>   }
> }
>
> attributeNameFormats : {
>   @class : java.util.HashMap
>   "urn:oid:2.5.4.4" : uri
>   "urn:oid:2.5.4.42" : uri
>   "urn:oid:2.16.840.1.113730.3.1.241" : uri
> }
>
> attributeFriendlyNames : {
>   @class : java.util.HashMap
>   "urn:oid:2.5.4.4" : sn
>   "urn:oid:2.5.4.42" : givenName
>   "urn:oid:2.16.840.1.113730.3.1.241" : displayName
> }
>
>
> This seems to be a pretty significant bug, unless I am (hopefully!) missing
> something obvious.
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/47cbe440-8fae-4574-ad50-8dd4fe21cbb1%40apereo.org.
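The QName production quoted in the log above (`QName ::= (NCName ':')? NCName`) allows at most one colon, so a name such as `urn:oid:2.5.4.4` can never satisfy it, even though the same string is a perfectly legal XML attribute *value* (as the CAS 5.2 response shows). The following added example, not code from the thread or from CAS, checks a release mapping against that production and builds/parses the `saml2:Attribute` element in the shape shown in the post; the NCName regex is an ASCII-only approximation and the mapping is a constructed copy of the one quoted above.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# NCName = an XML Name without colons; ASCII approximation (assumption):
# must not start with a digit, '-' or '.', may contain letters, digits, '_', '-', '.'.
NCNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.\-]*")

# Constructed copy of the CAS 5.2 allowedAttributes mapping from the post.
ALLOWED_ATTRIBUTES = {
    "sn": "urn:oid:2.5.4.4",
    "givenName": "urn:oid:2.5.4.42",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
}

def is_qname(value: str) -> bool:
    """True if value matches QName ::= (NCName ':')? NCName, i.e. at most one colon."""
    parts = value.split(":")
    return len(parts) <= 2 and all(NCNAME_RE.fullmatch(p) for p in parts)

def qname_conflicts(mapping: dict) -> dict:
    """Released names that a QName-based check would reject (the post's SAXParseException)."""
    return {src: dst for src, dst in mapping.items() if not is_qname(dst)}

def build_attribute(name: str, friendly_name: str, values: list) -> str:
    """Serialise a saml2:Attribute with uri NameFormat, as in the CAS 5.2 response."""
    ET.register_namespace("saml2", SAML2_NS)
    attr = ET.Element(f"{{{SAML2_NS}}}Attribute",
                      {"FriendlyName": friendly_name, "Name": name, "NameFormat": URI_FORMAT})
    for v in values:
        ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = v
    return ET.tostring(attr, encoding="unicode")

def parse_attribute(xml_text: str) -> dict:
    """Read Name/FriendlyName/NameFormat and values back; urn:oid values parse fine here."""
    el = ET.fromstring(xml_text)
    return {
        "name": el.get("Name"),
        "friendly_name": el.get("FriendlyName"),
        "name_format": el.get("NameFormat"),
        "values": [v.text for v in el.findall(f"{{{SAML2_NS}}}AttributeValue")],
    }

if __name__ == "__main__":
    for src, dst in qname_conflicts(ALLOWED_ATTRIBUTES).items():
        print(f"{src} -> {dst}: not a QName (colons={dst.count(':')})")
    xml = build_attribute("urn:oid:2.5.4.42", "givenName", ["FIRST_NAME_HERE"])
    print(xml, parse_attribute(xml), sep="\n")
```

Running it shows every `urn:oid:*` target rejected by the QName check while the same values round-trip through the attribute element without complaint, which matches the post's observation that stripping colons and periods makes the login succeed.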