Follow-up, for anyone running into this situation. One of the problems was a
lack of understanding, and the other was a "maybe" configuration error.
Turns out the attribute definitions were working, but they do not show up in
availableAttributes as output by the cas/actuator/discoveryProfile endpoint.
Therefore, they were "invisible" to the cas-management app. Might be an idea
for a PR/feature request.
To get the attribute definitions working under 6.3.X, I ended up using the
following method. Use a mapped attribute release policy and reference the
friendlyName defined in the attribute definition.
"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "eduPersonPrincipalName" : [ "java.util.ArrayList", [ "eduPersonPrincipalName" ] ]
  }
}
It would also probably work in ReturnAllowedAttributeReleasePolicy and
ReturnAllAttributeReleasePolicy; I just have not tested that.
I should mention, in case it is specific to SAML registered services, that I
switched the attribute definition to the SamlIdpAttributeDefinition class.
This extends DefaultAttributeDefinition to add two optional attributes, urn and
friendlyName. Originally, I was using friendlyName under
DefaultAttributeDefinition, which may have been the configuration error.
New /cas/etc/config/attribute.json:
{
  "@class" : "java.util.TreeMap",
  "eduPersonPrincipalName" : {
    "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
    "key" : "eduPersonPrincipalName",
    "name" : "eduPersonPrincipalName",
    "urn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "friendlyName" : "eduPersonPrincipalName",
    "scoped" : true,
    "attribute" : "uid"
  }
}
From: [email protected] <[email protected]> On Behalf Of King, Robert
Sent: Wednesday, February 2, 2022 4:51 PM
To: Pablo Vidaurri <[email protected]>; CAS Community <[email protected]>
Subject: [cas-user] RE: [EXTERNAL SENDER] Re: Attribute Definitions in 6.3.x?
Already able to release attributes from authentication source (LDAP). These
attribute definitions are an attempt to add scope to attributes from that
authentication source.
For example, using uid from LDAP to define an eduPersonPrincipalName:
{
  "@class" : "java.util.TreeMap",
  "eduPersonPrincipalName" : {
    "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
    "key" : "eduPersonPrincipalName",
    "name" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "friendlyName" : "eduPersonPrincipalName",
    "scoped" : true,
    "attribute" : "uid"
  }
}
My understanding is that this should take the attribute “uid”, from the person
directory, and append the value of cas.server.scope as a domain scope.
uid = user1
cas.server.scope= example.org
Which results in:
[email protected]
My experience is that defining
“cas.person-directory.attribute-definition-store.json.location” in the
cas.properties file has no effect and that enabling debugging in CAS does not
identify any errors, or any indicators at all, that this feature is working.
I’m assuming that I’m lacking some configuration or that my understanding of
how this should work is incorrect.
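As an added example (not part of this thread and not CAS's own code), the following Python script models the two pieces the thread is debating: the attribute-definition resolution described just above (take the source attribute named in "attribute", and when "scoped" is true append "@" plus cas.server.scope), and the ReturnMappedAttributeReleasePolicy from the follow-up at the top, which only releases a definition once it has resolved into the principal's attributes. The JSON embedded below is a constructed copy of the thread's definition store with the quoting restored, plus a second, assumed definition (displayName from cn) to show the unscoped path; the scoping rule it implements is the understanding stated in the post above, not a reading of CAS source, and the missing_sources() check is the kind of sanity check the thread says CAS's debug logging does not provide.

```python
"""Model of CAS attribute-definition resolution and mapped attribute release.

This is illustrative code, not CAS. It assumes the scoping behaviour described
in the thread: value of the source attribute, then "@" + cas.server.scope.
"""
import json

# Constructed sample store (mirrors the thread; displayName entry is assumed).
ATTRIBUTE_DEFINITIONS_JSON = r'''
{
  "@class" : "java.util.TreeMap",
  "eduPersonPrincipalName" : {
    "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
    "key" : "eduPersonPrincipalName",
    "name" : "eduPersonPrincipalName",
    "urn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "friendlyName" : "eduPersonPrincipalName",
    "scoped" : true,
    "attribute" : "uid"
  },
  "displayName" : {
    "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
    "key" : "displayName",
    "attribute" : "cn"
  }
}
'''

# Constructed: the mapped release policy from the follow-up, as a Python dict.
# The ["java.util.ArrayList", [...]] form is how Jackson types the list.
RELEASE_POLICY = {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
        "@class": "java.util.TreeMap",
        "eduPersonPrincipalName": ["java.util.ArrayList", ["eduPersonPrincipalName"]],
        "displayName": "name",
    },
}


def unwrap_typed(value):
    """Strip Jackson's ["java.util.X", payload] wrapper when present."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")):
        return value[1]
    return value


def load_definitions(text):
    """Parse the store and return {key: definition}, rejecting malformed entries."""
    data = json.loads(text)
    definitions = {}
    for name, entry in data.items():
        if name == "@class":
            continue
        if not isinstance(entry, dict) or "@class" not in entry:
            raise ValueError(f"definition {name!r} is missing its @class")
        key = entry.get("key", name)
        if key != name:
            raise ValueError(f"map entry {name!r} disagrees with key {key!r}")
        definitions[key] = entry
    return definitions


def resolve(definitions, principal_attrs, scope):
    """Add each definition's resolved values to a copy of the principal attributes."""
    resolved = {k: list(v) for k, v in principal_attrs.items()}
    for key, definition in definitions.items():
        source = definition.get("attribute") or key   # default: same-named attribute
        values = list(principal_attrs.get(source, []))
        if definition.get("scoped") and scope:        # assumed rule: value@scope
            values = [f"{v}@{scope}" for v in values]
        if values:
            resolved[key] = values
    return resolved


def missing_sources(definitions, principal_attrs):
    """Definitions whose source attribute the repository never returned."""
    return sorted(k for k, d in definitions.items()
                  if (d.get("attribute") or k) not in principal_attrs)


def release_mapped(policy, attrs):
    """Model ReturnMappedAttributeReleasePolicy: source attribute -> released name(s)."""
    released = {}
    for source, target in policy["allowedAttributes"].items():
        if source == "@class" or source not in attrs:
            continue
        targets = unwrap_typed(target)
        for name in [targets] if isinstance(targets, str) else targets:
            released[name] = list(attrs[source])
    return released


if __name__ == "__main__":
    defs = load_definitions(ATTRIBUTE_DEFINITIONS_JSON)
    ldap_attrs = {"uid": ["user1"], "cn": ["Test User"]}   # constructed LDAP result
    attrs = resolve(defs, ldap_attrs, "example.org")        # cas.server.scope
    print("unresolvable definitions:", missing_sources(defs, ldap_attrs))
    print("released:", release_mapped(RELEASE_POLICY, attrs))
```

The second assertion in the test below is the thread's own expectation (uid=user1 plus scope example.org), and the last shows why a release policy that maps a definition key releases nothing when the definition never resolved: the mapped name simply is not in the principal's attributes.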
From: Pablo Vidaurri <[email protected]>
Sent: Wednesday, February 2, 2022 4:30 PM
To: CAS Community <[email protected]>
Cc: King, Robert <[email protected]>
Subject: [EXTERNAL SENDER] Re: Attribute Definitions in 6.3.x?
Have you tried this in your cas.properties:
cas.authn.attributeRepository.core.defaultAttributesToRelease=foo,bar,mail,name
The values you provide are comma-delimited attributes from your sources such as
LDAP, Active Directory, DB, static.
On Wednesday, February 2, 2022 at 9:08:21 AM UTC-6
[email protected] wrote:
I am attempting to utilize the attribute definitions feature, and I have hit a
wall.
Reference used:
https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html
Implemented in my cas.properties:
cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json
With the contents of /etc/cas/config/attributes.json:
{
  "@class" : "java.util.TreeMap",
  "testName" : {
    "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
    "key" : "testName",
    "name" : "testName",
    "scoped" : true,
    "attribute" : "uid"
  }
}
I have turned on the following debug in log4j2.xml:
<AsyncLogger name="org.apereo" level="debug" includeLocation="true"/>
When I start up the CAS server there does not seem to be anything related to
the attribute definitions present. Hitting up the discovery profile actuator
does not list the defined attributes in the “availableAttributes”. There is no
logging in relation to the attribute definitions configuration.
I am aware that we could do custom attributes via return mapped and groovy
inline scripting, but we want something more broadly available to all services
instead of per service entry custom attributes.
Does anyone have any guidance/ideas on how to get attribute definition feature
up and running?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c134b38126724e42b83c155f7e2236d0%40mun.ca.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5b54463f4de4420d8f6c1d7a1927eb53%40mun.ca.