Thank you very much Ray
On first Login, CAS obtains the attributes from the third party SAML IdP,
not from our IdP. As you say, after that, it does’nt try to add new
attributes.
I’ve tried to use the following in SamlRegisteredService’s, but doesn’t
resolve the problem
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
"principalIdAttribute": "id",
"authorizedToReleaseAuthenticationAttributes": true,
"excludeDefaultAttributes": false,
"principalAttributesRepository" : {
"@class" :
"org.apereo.cas.authentication.principal.cache.CachingPrincipalAttributesRepository",
"duration" : {
"@class" : "javax.cache.expiry.Duration",
"timeUnit" : [ "java.util.concurrent.TimeUnit", "MILLISECONDS" ],
"expiration" : 100
},
"mergingStrategy" : "ADD"
}
}
The SSO is maintained in our IdP. CAS help us to Trust/Federate/Integrate
with third party Identity & Service Providers by means of standards like
SAML. Remove our IdP is not an option.
May be what I need is exactly the opposite, forgetting the result of the
first SAML SSO Delegation, it would act as if the Trusted Integration is
the first Integration act.
But don’t know how to do it.
Thanks
Jon
El jueves, 8 de julio de 2021 a las 18:49:41 UTC+2, Ray Bon escribió:
> Jon,
>
> You could get all attributes from your IdP and third party IdP on first
> login.
>
> Once cas has established a session (TGC) it no longer attempts to create
> new user attributes.
>
> Two cas servers would mean no sso.
>
> Can you remove your IdP and let cas to its work?
>
> Ray
>
> On Thu, 2021-07-08 at 00:43 -0700, JON wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
>
> Hi there, here is my challenge
>
> We can work in two SAML integration ways, by means of CAS.5.2 in the same
> instance of CAS over Tomcat.
>
>
>
> - In one way (A), our Identity Provider launches a SSO SAML Request,
> delegating Authentication in CAS. CAS, in turn, delegates Authentication
> to
> a third party SAML Identity Provider. At the end, in the return way, a
> User
> Session in created in our Identity Provider, with diverse Identity
> Attributes.
>
> Our IdP => [in SAML SP role] SSO SAML Request => CAS SAML IdP => [in SAML
> SP role] SSO SAML Request => Third Party SAML IdP
>
>
>
> - In another way (B), CAS receives SSO SAML Requests made by third
> party SAML Service Providers, where CAS delegates authentication in our
> proprietary Trusted Identity Provider (with which, CAS has a Trusted
> Authentication
> defined). In that way, our Identity Provider creates a User Session,
> with diverse Identity Attributes, which returns to CAS, and this
> propagates
> to the third party SAML Service Provider.
>
> Third Party SAML SP => SSO SAML Request => CAS IdP => Trusted Authentication
> => Our Proprietary IdP
>
>
>
> Putting it all together, we have a mixed stage in which:
>
> 1.- User is authenticated by a third party SAML Identity Provider, by
> means of the (A) way
>
> After that, in the next instant
>
> 2.- User accesses a third party SAML Service Provider, trying to obtain
> our Identity Provider’s User Session Identity Attributes in (B) way
>
> Instead, CAS returns, to the third party SAML Service Provider, the User
> Attributes obtained in (A) from the third party SAML Identity Provider.
>
> What we need is to propagate, in (B) way, our Identity Provider’s User
> Session Identity Attributes, obtained at the end of the (A) way flow.
>
>
> I think that separating the two flows in two separate CAS instances, all
> would start to work, but that’s not the challenge.
>
>
> Thanks for your time and interest
>
> Jon
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6761226b-31a8-4235-8928-74ac0467c00bn%40apereo.org.
