Hi there.

Simply put, the CAS server currently does not support encoding attribute values
as nested SAML2 XMLObjects, such as the nested NameID value required
by the eduPersonTargetedID spec.

Best,
D.

On May 10, 2021 at 11:01:30, Marcin Roman <[email protected]> wrote:

> Thanks for your help, but it does not suffice to return the persistentId only
> in the subject (username) section of the SAML response.
> I also need to return eduPersonTargetedID as a separate attribute in the
> AttributeStatement section, like this:
>
>       <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>                           NameQualifier="https://orcid.org/saml2/sp/1"
>                           SPNameQualifier="https://orcid.org/saml2/sp/1">bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
>             ...
>         </saml2:Subject>
>        ...
>         <saml2:AttributeStatement>
>             <saml2:Attribute FriendlyName="eduPersonTargetedID"
>                              Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                   <saml2:AttributeValue>
>                       <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>                                     NameQualifier="https://sso.umk.pl/idp/shibboleth"
>                                     SPNameQualifier="https://orcid.org/saml2/sp/1">bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
>                    </saml2:AttributeValue>
>             </saml2:Attribute>
>
> The above is required by some services like orcid.org.
> I use the following service config:
>
> {
>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId": "^https://.+$",
>   "name": "federation",
>   "id": 1999,
>   "evaluationOrder": 1999,
>   "metadataLocation": "https://aai.pionier.net.pl/pionierid-edugain-sp-feed.xml",
>   "usernameAttributeProvider" : {
>     "@class" : "org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider",
>     "persistentIdGenerator" : {
>       "@class" : "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
>       "salt" : "abc",
>       "attribute": "uidNumber"
>     }
>   },
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
>     "policies": [ "java.util.ArrayList",
>       [
>         {
>           "@class": "org.apereo.cas.support.saml.services.EduPersonTargetedIdAttributeReleasePolicy",
>           "salt" : "abc",
>           "attribute": "uidNumber"
>         }
>       ]
>     ]
>   }
> }
>
> On Friday, May 7, 2021 at 7:31:56 PM UTC+2 Mike Osterman wrote:
>
>> Hi there,
>>
>> I had this issue early on, and it turned out that my service registry was
>> not specifying the nameid format as persistent, but rather unspecified,
>> which was making it transient.
>>
>> Here's a snippet from our service config for the requiredNameIdFormat
>> and usernameAttributeProvider properties:
>>
>> "requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
>> "usernameAttributeProvider" : {
>>     "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>     "usernameAttribute" : "eduPersonTargetedID",
>>     "canonicalizationMode" : "NONE"
>>   }
>>
>> -Mike
>>
>> On Fri, May 7, 2021 at 9:37 AM Marcin Roman <[email protected]> wrote:
>>
>>> Hi, I could not manage to configure CAS to release eduPersonTargetedID
>>> in the correct format.
>>> According to the spec (
>>> https://www.switch.ch/aai/support/documents/attributes/edupersontargetedid/),
>>> eduPersonTargetedID should look like this:
>>>
>>> <saml2:Attribute FriendlyName="eduPersonTargetedID"
>>>                  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>>>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>>   <saml2:AttributeValue>
>>>     <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>>>                   NameQualifier="https://sso.umk.pl/idp/shibboleth"
>>>                   SPNameQualifier="https://orcid.org/saml2/sp/1">S1yftf/VIwgXi4bclR5tdXB/VRE=</saml2:NameID>
>>>   </saml2:AttributeValue>
>>> </saml2:Attribute>
>>>
>>> This is the way Shibboleth releases it.
>>> However, CAS releases eduPersonTargetedID in the following way:
>>>
>>> <saml2:Attribute FriendlyName="eduPersonTargetedID"
>>>                  Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
>>>                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>>   <saml2:AttributeValue>aALV+7l7KzaznzhyDsaBNgAdzSI=</saml2:AttributeValue>
>>> </saml2:Attribute>
>>>
>>> Perhaps I misconfigured something?
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/337e9277-89c4-4fec-bf43-44e11d35e78dn%40apereo.org
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/337e9277-89c4-4fec-bf43-44e11d35e78dn%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>

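As an added check, not code from this thread or from the CAS project, the following Python script (standard library only) parses a SAML 2.0 assertion and reports whether eduPersonTargetedID is carried as the nested persistent NameID the SWITCH spec shows, or as the bare string value the thread reports CAS emitting. It also checks that the attribute value agrees with the Subject NameID, since the desired output in the thread carries the same persistent identifier in both places. The two sample assertions are constructed for this example; the entity IDs in them are placeholders.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
EPTID_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample (shape taken from the thread, entity IDs are placeholders):
# the nested form Shibboleth releases, where AttributeValue wraps a saml2:NameID.
NESTED_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Subject>
    <saml2:NameID Format="{PERSISTENT}"
        NameQualifier="https://idp.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/saml2/sp/1">bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="{EPTID_NAME}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>
        <saml2:NameID Format="{PERSISTENT}"
            NameQualifier="https://idp.example.org/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/saml2/sp/1">bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample of the flat form the thread reports CAS emitting:
# the identifier is the text of AttributeValue, with no nested NameID.
FLAT_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Subject>
    <saml2:NameID Format="{PERSISTENT}">aALV+7l7KzaznzhyDsaBNgAdzSI=</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="{EPTID_NAME}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>aALV+7l7KzaznzhyDsaBNgAdzSI=</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_eptid(assertion_xml: str) -> dict:
    """Classify how eduPersonTargetedID is encoded in a SAML 2.0 assertion.

    status           'nested' (spec-conformant), 'flat' (bare string),
                     'malformed' (nested but missing format or qualifiers),
                     or 'missing'
    value            the opaque identifier string, if one was found
    problems         list of deviations from the nested persistent form
    matches_subject  True if the value equals the Subject NameID text
    """
    root = ET.fromstring(assertion_xml)
    result = {"status": "missing", "value": None, "problems": [], "matches_subject": False}

    subject_nameid = root.find("saml2:Subject/saml2:NameID", NS)
    subject_value = (subject_nameid.text or "").strip() if subject_nameid is not None else None

    # Match on the OID Name, not FriendlyName: only Name is normative.
    attrs = [a for a in root.iter(f"{{{SAML2}}}Attribute") if a.get("Name") == EPTID_NAME]
    if not attrs:
        result["problems"].append("no Attribute with Name " + EPTID_NAME)
        return result
    value_el = attrs[0].find("saml2:AttributeValue", NS)
    if value_el is None:
        result["problems"].append("Attribute has no AttributeValue")
        return result

    nameid = value_el.find("saml2:NameID", NS)
    if nameid is None:
        # Flat encoding: the hash sits directly as AttributeValue text.
        result["status"] = "flat"
        result["value"] = (value_el.text or "").strip()
        result["problems"].append("AttributeValue is a plain string, not a nested saml2:NameID")
    else:
        result["value"] = (nameid.text or "").strip()
        if nameid.get("Format") != PERSISTENT:
            result["problems"].append(f"NameID Format is {nameid.get('Format')!r}, expected persistent")
        for qualifier in ("NameQualifier", "SPNameQualifier"):
            if not nameid.get(qualifier):
                result["problems"].append(f"nested NameID lacks {qualifier}")
        result["status"] = "nested" if not result["problems"] else "malformed"

    result["matches_subject"] = subject_value is not None and subject_value == result["value"]
    return result


if __name__ == "__main__":
    for label, doc in (("nested", NESTED_ASSERTION), ("flat", FLAT_ASSERTION)):
        print(label, check_eptid(doc))
```

Run it against a decrypted assertion captured from your own IdP (for example via a SAML tracer extension on the SP side) to confirm which of the two forms the IdP is actually emitting before changing the service definition; a "flat" result with the CAS configuration shown in the thread is the behaviour the reply above describes, not a misconfiguration.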