To anyone who is familiar with the username (user) value being set by the
claims of OIDC in Azure AD delegation: CAS is setting the username to the
subject (sub) claim. This totally trashes the ability to use JDBC attribute
resolution like:

2021-07-29 13:47:18,371 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - <Executing prepared SQL query>
2021-07-29 13:47:18,372 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - <Executing prepared SQL statement [SELECT username BANNER_LDAP, udc_id BANNER_UDC_ID, s_id BANNER_SID, banner_id BANNER_OID, dob BANNER_DOB, last4 BANNER_LAST4  FROM idmap WHERE *username = ?*]>
2021-07-29 13:47:18,377 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - <Fetching JDBC Connection from DataSource>
2021-07-29 13:47:18,727 TRACE [org.springframework.jdbc.core.StatementCreatorUtils] - <Setting SQL statement parameter value: column index 1, parameter value [*oASsZI-izB_hpkO3eXXXXXXXXXRqxY6uh6BkvzYNkY*], value class [java.lang.String], SQL type unknown>

This is not the username. The UPN and other values look perfect - except
this. I cannot find anything in the CAS docs or with Azure AD that allows
me to compensate for this. Since the JDBC argument injection is so
primitive, there is no way for me to adjust and substitute another value at
the time this gets invoked for additional attributes.

Can anyone shed light on this?

Thank you!

Bill
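Added example, not CAS or pac4j code and not part of Bill's message: a small Python model of the failure mode described above, assuming a constructed set of Azure AD claims and a one-row idmap table held in SQLite. It resolves the principal id the way principal-attribute-id is meant to (configured claim, with sub only as a fallback), runs the thread's query with a given id, and flags the symptom to check for: the id that reached the query is the opaque sub value, so no attributes come back.

```python
import sqlite3

# Constructed Azure AD ID-token claims (made-up values); "sub" is the
# opaque pairwise identifier that the thread sees being used as username.
CLAIMS = {
    "sub": "oASsZI-constructed-opaque-subject",
    "email": "bill.example@example.edu",
    "upn": "bill.example@example.edu",
}

# The attribute query from the thread's DEBUG log, unchanged.
IDMAP_QUERY = (
    "SELECT username BANNER_LDAP, udc_id BANNER_UDC_ID, s_id BANNER_SID, "
    "banner_id BANNER_OID, dob BANNER_DOB, last4 BANNER_LAST4 "
    "FROM idmap WHERE username = ?"
)

def make_idmap():
    """In-memory stand-in for the idmap table, one constructed row keyed by e-mail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE idmap (username TEXT PRIMARY KEY, udc_id TEXT, "
                 "s_id TEXT, banner_id TEXT, dob TEXT, last4 TEXT)")
    conn.execute("INSERT INTO idmap VALUES (?, ?, ?, ?, ?, ?)",
                 ("bill.example@example.edu", "UDC-0001", "S-0001", "B-0001", "1990-01-01", "1234"))
    return conn

def resolve_principal_id(claims, principal_attribute_id):
    """Intended effect of principal-attribute-id: use the configured claim and
    fall back to 'sub' only when that claim is absent or empty."""
    return claims.get(principal_attribute_id) or claims["sub"]

def lookup_attributes(conn, principal_id):
    """Run the idmap query with the given id; None when no row matches."""
    cur = conn.execute(IDMAP_QUERY, (principal_id,))
    row = cur.fetchone()
    if row is None:
        return None
    # cursor.description carries the aliased column names (BANNER_LDAP, ...).
    return {col[0]: val for col, val in zip(cur.description, row)}

def diagnose(conn, claims, principal_id):
    """Report what the attribute repository sees for a principal id and flag
    the thread's symptom: the id is the opaque sub claim, so nothing matches."""
    attrs = lookup_attributes(conn, principal_id)
    return {
        "principal_id": principal_id,
        "principal_is_sub": principal_id == claims["sub"],
        "attributes_found": attrs is not None,
        "attributes": attrs or {},
    }
```

Calling `diagnose(make_idmap(), CLAIMS, CLAIMS["sub"])` reproduces the observed behaviour (no attributes, principal_is_sub true), while passing `resolve_principal_id(CLAIMS, "email")` returns the mapped Banner attributes.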



On Wed, Jul 28, 2021 at 6:52 PM William Jojo <[email protected]> wrote:

> Hello,
>
> I will try to keep this to the point.
>
> CAS is using the subject claim from AzureAD Delegation upon return from
> auth and setting it as the username regardless of the setting of:
>
> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=email
>
> I can use email or upn; it does not matter, it is always the subject (sub)
> claim from AzureAD. Even when I tried generic:
>
> cas.authn.pac4j.oidc[0].generic.principal-attribute-id=email
>
> I am getting all the way through the delegation, completing the
> authentication, completing the MFA on the account and returning to the app
> only to have the username be the subject (sub) claim.
>
> Even if I set the usernameAttributeProvider, it does not change anything.
>
> Anyone have an idea of what is going on?
>
> Bill
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/41fec87d-5c75-40e1-8df6-6154201c5112n%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/41fec87d-5c75-40e1-8df6-6154201c5112n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
