If I'm understanding you correctly, I've never done it that way. You are saying that you have an attribute already setup called sAMAccountName right? And you want to release it to this system as domain\sAMAcountName as userID?
I've always done such a thing via Groovy attribute return with simple concatenation. https://apereo.github.io/cas/6.3.x/integration/Attribute-Release-Policies.html#inline-groovy-attributes On Mon, 2021-03-22 at 09:04 -0700, Bartosz Nitkiewicz wrote: This is of course not "patternFormat": "domail\\{0}", but "patternFormat": "domain\\{0}", poniedziałek, 22 marca 2021 o 17:03:03 UTC+1 Bartosz Nitkiewicz napisał(a): I'm still trying to use CAS as SAML authenticator for my service desk plus app. Username has to be in format: domain\user I want use my LDAP sAMAccountName as user but I don't know how to prepare regexp to domain\sAMAccountName. I have read https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html and prepare attribute-defns.json { "@class" : "java.util.TreeMap", "userID" : { "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition", "key" : "userID", "friendlyName" : "userID", "patternFormat": "domail\\{0}", "attribute" : "sAMAccountName" } } I load it in my cas.properties ... cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attribute-defns.json ... Here is my SAML app JSON file. { @class: org.apereo.cas.support.saml.services.SamlRegisteredService serviceId: fashdfk3289_duhfdsf name: serwis id: 1616411747419 proxyTicketExpirationPolicy: { @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy } serviceTicketExpirationPolicy: { @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy } evaluationOrder: 2 attributeReleasePolicy: { @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy principalIdAttribute: userID allowedAttributes: [ java.util.ArrayList [ userID ] ] } metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml requiredNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified signAssertions: true signingCredentialType: X509 } Can anyone tell me if I'm right. piątek, 19 marca 2021 o 18:45:20 UTC+1 Bartosz Nitkiewicz napisał(a): Ok, so https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html#pattern-formats would be ok. How to setup CAS to pass desire attribute? I have this in my app.json. Is it ok? { @class: org.apereo.cas.support.saml.services.SamlRegisteredService serviceId: MExxx_05efd170-38cd-4893-9631-6891575asa197 name: serwis id: 1616175519923 proxyTicketExpirationPolicy: { @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy } serviceTicketExpirationPolicy: { @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy } evaluationOrder: 2 usernameAttributeProvider: { @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider usernameAttribute: sAMAccountName } attributeReleasePolicy: { @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy excludeDefaultAttributes: true authorizedToReleaseAuthenticationAttributes: false } metadataLocation: file://etc/cas-mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml requiredNameIdFormat: org.opensaml.saml.saml2.metadata.impl.NameIDFormatImpl@2afbaa5 signAssertions: true signingCredentialType: X509 } piątek, 19 marca 2021 o 16:30:44 UTC+1 Ray Bon napisał(a): Bartosz, See, https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html, for modifying attributes. Ray On Fri, 2021-03-19 at 01:47 -0700, Bartosz Nitkiewicz wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. One more thing. How to change LDAP user name form sAMAccountName to univ\sAMAccountName. Is it possible? czwartek, 18 marca 2021 o 14:05:48 UTC+1 Bartosz Nitkiewicz napisał(a): Thank You once again. As you said, SAML profiles did the trick.It seems to work fine. Now I have to pass user name from my LDAP to SAML SP. First I need to figure out proper value for authorization. Regards BN środa, 17 marca 2021 o 19:07:26 UTC+1 richard.frovarp napisał(a): The IdP automatically generates metadata. And the correct endpoints are listed on this page, including the metadata endpoint: https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html Usually with SAML you provide the SP with a copy of your metadata, ideally loaded from the URL automatically. If you need to provide separate URLs to the SP, you'll find the correct ones in the metadata and/or using the paths from documentation. On Wed, 2021-03-17 at 10:26 -0700, Bartosz Nitkiewicz wrote: > Hi, > Thanks for reply. > What do you mean your IdP generated metadata? > > I did something like this as they recommended: > https://help.servicedeskplus.com/saml-authentication$configuration > > As loginURL I've provided my https://myserver.org/cas/idp, I don't > know if it is correct url? > I'm wondering what is Assertion Consumer URL and where should I place > it? > > Also I've uploaded my certificate. > > my cas.properties for SAML looks like this: > > ## SAML2 ## > > cas.authn.saml-idp.entity-id: ${cas.server.prefix}/idp > cas.authn.saml-idp.metadata.location=file:/etc/cas/saml > > and service registry for app: > > { > @class: org.apereo.cas.support.saml.services.SamlRegisteredService > serviceId: MExx_6d2ea86d-b4e1-4473-8d4b-7a1378964e8b > name: serwisapp > id: 1615981648113 > proxyTicketExpirationPolicy: > { > @class: > org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpiration > Policy > } > serviceTicketExpirationPolicy: > { > @class: > org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirati > onPolicy > } > evaluationOrder: 2 > attributeReleasePolicy: > { > @class: > org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy > excludeDefaultAttributes: true > authorizedToReleaseAuthenticationAttributes: false > } > metadataLocation: file://etc/cas- > mgmt/metadata/174faaa56d5138f63770fb792b1a35e26d5486e0.xml <- (this > is correct as cas-managment app create this directory) > requiredAuthenticationContextClass: > urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST > requiredNameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid- > format:transient > nameIdQualifier: "" > signAssertions: true > signingCredentialType: X509 > assertionAudiences: https://servicedeskplus.com/SamlResponseServlet > } > > Regards, > BN > > środa, 17 marca 2021 o 16:49:11 UTC+1 richard.frovarp napisał(a): > > Did you provide the app your IdP generated metadata or provide the > > SP with the information in a different method? As that's the wrong > > end point for the SP to be sending you to: > > > > https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html > > > > On Wed, 2021-03-17 at 06:21 -0700, Bartosz Nitkiewicz wrote: > > > Hi, > > > Another day another CAS problem :) > > > I'm trying to authenticate > > > servicedeskplus.com<http://servicedeskplus.com> application > > > through SAML protocol. > > > I've compiled in cas-server-support-saml-idp in my CAS app. > > > Added service registry in CAS-Management app. I used xml file > > > form servicedesk. > > > > > > Everything seems to work but if I want to authenticate > > > serivcedesk it redirects me to this: > > > > > > https://myserver.org/cas/idp?SAMLRequest=fZJfb5swFMWf10%2BBeDdgCCFYSaS02bRI7YaSbA97qRz70loCm%2FmadNunn01XtdWkvB6f3%2F1zrpfI%2B25gm9E96j38HAFddBX96juNbHpaxaPVzHBUyDTvAZkT7LC5u2V5krHBGmeE6eJ30GWGI4J1yugA7bar%2BO7j%2FYwLSSWn5NSWOZnRuiQLkUsyP0EhOM9o3s6D%2FTtY9OQq9oUmHHGEnUbHtfNillOSFYRWR1owmrGy%2BhFcjTVnJcF%2B8bOEds9k4wdRZy%2B0vEMIWrT16yvN3dTi0bkBWZo6LwqOySj%2BQKcVT8anPgE5JkOXej1VcvjXZIriWmmp9MPlDE7PJmSfj8eGNF8Px1Bi85LMjdE49mAPYM9KwLf97es43vKk8O0QBx%2F5HnDwEASiAxevr6IPy3ALNkVk1z7krIRW0iojxUJIMlvUBannBSXzRU3LquSc1tUyfQu9FBlYiG63bUynxO%2Fok7E9d5c3DIqSpJ2sbAh3QwfaxVE6lU3%2F%2F3jrvw%3D%3D > > > > > > service.xlm as attachement (without real cert) > > > > > > Please help me. > > > > > > > > > -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831<tel:(250)%20721-8831> | CLE 019 | [email protected] I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7917de20e202244c6d04291074f856b0e2c983b7.camel%40ndsu.edu.
