Thanks for your help, but it does not suffice to return the persistentId only 
in the Subject (username) section of the SAML response.
I also need to return eduPersonTargetedID as a separate attribute in the 
AttributeStatement section, like this:

      <saml2:Subject>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                        NameQualifier="https://orcid.org/saml2/sp/1"
                        SPNameQualifier="https://orcid.org/saml2/sp/1"
                        >bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
          ...
      </saml2:Subject>
      ...
      <saml2:AttributeStatement>
          <saml2:Attribute FriendlyName="eduPersonTargetedID"
                           Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue>
                  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                NameQualifier="https://sso.umk.pl/idp/shibboleth"
                                SPNameQualifier="https://orcid.org/saml2/sp/1"
                                >bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
              </saml2:AttributeValue>
          </saml2:Attribute>
      </saml2:AttributeStatement>

The above is required by some services like orcid.org.
I use the following service config:

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "^https://.+$",
  "name": "federation",
  "id": 1999,
  "evaluationOrder": 1999,
  "metadataLocation": "https://aai.pionier.net.pl/pionierid-edugain-sp-feed.xml",
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider",
    "persistentIdGenerator": {
      "@class": "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
      "salt": "abc",
      "attribute": "uidNumber"
    }
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "policies": [ "java.util.ArrayList",
      [
        {
          "@class": "org.apereo.cas.support.saml.services.EduPersonTargetedIdAttributeReleasePolicy",
          "salt": "abc",
          "attribute": "uidNumber"
        }
      ]
    ]
  }
}
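
An added illustration, not code from any post in this thread or from CAS itself, of the attribute shape the two messages above argue about: a Shibboleth-style computed targeted ID (base64 of SHA-1 over SP entityId, source attribute and salt) wrapped in the NameID-valued eduPersonTargetedID attribute the SWITCH document shows, plus a check that tells that form apart from the bare-string value CAS was emitting. The "!"-separated input order is Shibboleth's ComputedID layout and is assumed, not confirmed, to match CAS's ShibbolethCompatiblePersistentIdGenerator; the salt and uidNumber values are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("saml2", SAML2)


def computed_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Shibboleth ComputedID layout: base64(SHA-1("entityID!source!salt")).
    The ID is pairwise (it changes with the SP entityId) so SPs cannot
    correlate users. Assumption: CAS concatenates in this same order."""
    data = "!".join((sp_entity_id, source_value, salt)).encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def eptid_attribute(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """Emit the NameID-valued eduPersonTargetedID the SWITCH document shows:
    the IdP goes in NameQualifier, the SP in SPNameQualifier."""
    attr = ET.Element(f"{{{SAML2}}}Attribute", {
        "FriendlyName": "eduPersonTargetedID",
        "Name": EPTID_OID,
        "NameFormat": URI_FMT,
    })
    av = ET.SubElement(attr, f"{{{SAML2}}}AttributeValue")
    nameid = ET.SubElement(av, f"{{{SAML2}}}NameID", {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id,
    })
    nameid.text = value
    return ET.tostring(attr, encoding="unicode")


def parse_eptid(xml_text: str):
    """Return {idp, sp, value} for a well-formed attribute, or None when the
    value is a bare string (the shape CAS emitted in the thread) or is not a
    persistent NameID; services such as orcid.org reject that form."""
    root = ET.fromstring(xml_text)
    nameid = root.find(f"{{{SAML2}}}AttributeValue/{{{SAML2}}}NameID")
    if nameid is None or nameid.get("Format") != PERSISTENT:
        return None
    return {"idp": nameid.get("NameQualifier"),
            "sp": nameid.get("SPNameQualifier"), "value": nameid.text}


if __name__ == "__main__":
    # Constructed sample values; a production salt must be secret and stable.
    sp, idp = "https://orcid.org/saml2/sp/1", "https://sso.umk.pl/idp/shibboleth"
    print(eptid_attribute(idp, sp, computed_id(sp, "1001", "example-salt")))
```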

On Friday, May 7, 2021 at 7:31:56 PM UTC+2 Mike Osterman wrote:

> Hi there,
>
> I had this issue early on, and it turned out that my service registry was 
> not specifying the nameid format as persistent, but rather unspecified, 
> which was making it transient. 
>
> Here's a snippet from our service config for the requiredNameIdFormat 
> and usernameAttributeProvider properties:
>
> "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
> "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>     "usernameAttribute" : "eduPersonTargetedID",
>     "canonicalizationMode" : "NONE"
>   }
>
> -Mike
>
> On Fri, May 7, 2021 at 9:37 AM Marcin Roman <[email protected]> wrote:
>
>> Hi, I could not manage to configure CAS to release eduPersonTargetedID in 
>> the correct format.
>> According to the specs (
>> https://www.switch.ch/aai/support/documents/attributes/edupersontargetedid/) 
>> eduPersonTargetedID should look like this:
>>
>> <saml2:Attribute FriendlyName="eduPersonTargetedID"
>>                  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>     <saml2:AttributeValue>
>>         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>>                       NameQualifier="https://sso.umk.pl/idp/shibboleth"
>>                       SPNameQualifier="https://orcid.org/saml2/sp/1"
>>                       >S1yftf/VIwgXi4bclR5tdXB/VRE=</saml2:NameID>
>>     </saml2:AttributeValue>
>> </saml2:Attribute>
>>
>> This is the way Shibboleth releases it. 
>> However, CAS releases eduPersonTargetedID in the following way:
>>
>> <saml2:Attribute FriendlyName="eduPersonTargetedID"
>>                  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>     <saml2:AttributeValue>aALV+7l7KzaznzhyDsaBNgAdzSI=</saml2:AttributeValue>
>> </saml2:Attribute>
>>
>> Perhaps I misconfigured something?
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/337e9277-89c4-4fec-bf43-44e11d35e78dn%40apereo.org
>>  
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/337e9277-89c4-4fec-bf43-44e11d35e78dn%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>
