Screwing up...but where (CAS 6.1.5)


Sven Specker

Apr 8, 2020, 11:49:29 AM
to CAS Community
Hi!

After stumbling a few more times, I finally got a working setup apart
from a little fly in the ointment. Well, it is more a whale.

I have configured basic LDAP authentication and given the following
directives in cas.properties after carefully consulting the docs.

cas.personDirectory.principalAttribute=uid
cas.personDirectory.returnNull=false
cas.personDirectory.principalResolutionFailureFatal=false
cas.personDirectory.useExistingPrincipalId=false
cas.personDirectory.attributeResolutionEnabled=true

as well as

cas.authn.ldap[0].principalAttributeList=givenName,mail,sn,eduPersonPrimaryAffiliation,eduPersonEntitlement,eduPersonScopedAffiliation,employeeType,displayName,memberOf,mailPrimaryAddress,mail,eduPersonPrincipalName,uid


And it works like a breeze until I add an AccessStrategy:


this works:

{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "https://samltest.id/saml/sp",
"name" : "SAMLtest.id",
"id" : 10000003,
"usernameAttributeProvider" : {
"@class" :
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "uid",
"canonicalizationMode" : "LOWER"
},
"attributeReleasePolicy" : {
"@class" :
"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList",
["uid","mailPrimaryAddress", "sn" , "givenName",
"edupersonScopedAffiliation" ] ]
},
"evaluationOrder" : 10,
"metadataLocation" : "file:///etc/cas/saml/sp-metadata/samltest.xml"
}

This throws an exception telling me :

org.jasig.cas.client.validation.TicketValidationException: No principal
was found in the response from the CAS server.

{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "https://samltest.id/saml/sp",
"name" : "SAMLtest.id",
"id" : 10000003,
"accessStrategy" : {
"@class" :
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true,
"requireAllAttributes": false,
"requiredAttributes" : {
"@class" : "java.util.HashMap",
"eduPersonEntitlement" : [ "java.util.HashSet", [
"urn:mace:uni-frankfurt.de:hrz:zoom:access" ] ],
"memberOf" : [ "java.util.HashSet", [
"mywonderfulmemberof"] ]
}
},
"usernameAttributeProvider" : {
"@class" :
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "uid",
"canonicalizationMode" : "LOWER"
},
"attributeReleasePolicy" : {
"@class" :
"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList",
["uid","mailPrimaryAddress", "sn" , "givenName",
"edupersonScopedAffiliation" ] ]
},
"evaluationOrder" : 10,
"metadataLocation" : "file:///etc/cas/saml/sp-metadata/samltest.xml"
}

Since I have not found much online when it comes to this, I am sure I
have misconfigured something. And not necessarily in those configs.


Any ideas?

Best regards,

Sven Specker
--
__________________________________________________________________
*** Sven Specker -- University of Frankfurt Computing Center ***
*********** UNIX System Administration (Auth/IDM) ****************
***** spe...@rz.uni-frankfurt.de [Phone (+49)-69-798-15188] *****
******************************************************************
__________________________________________________________________
Johann Wolfgang Goethe Universitaet
- Hochschulrechenzentrum -
Theodor W. Adorno-Platz 1 (PA-1P16)

D-60323 Frankfurt/Main
__________________________________________________________________
______________ TeX-users do it in {groups}________________________

Michael J Barsic

Apr 8, 2020, 3:21:21 PM
to cas-user
Sven,

This is a complete guess as I used a Groovy script for my access strategy. 

Try adding eduPersonEntitlement and memberOf to the allowedAttributes in the attributeReleasePolicy.

Good luck,
Mike


From: "Sven Specker" <spe...@rz.uni-frankfurt.de>
To: "cas-user" <cas-...@apereo.org>
Sent: Wednesday, April 8, 2020 11:49:09 AM
Subject: [cas-user] Screwing up...but where (CAS 6.1.5)


Sven Specker

Apr 9, 2020, 4:33:02 AM
to cas-...@apereo.org
On 2020-04-08 21:19, Michael J Barsic wrote:
> Sven,
>
Hi!

> This is a complete guess as I used a Groovy script for my access strategy.


> Try adding eduPersonEntitlement and memberOf to the allowedAttributes in the attributeReleasePolicy.

I tried it but it did not work.

Interestingly enough, I found the problem and it was not so easy to tackle.

Since the files looked fine (and should work), but apparently did not
work, I concluded there must be something wrong with the files. So I
binary diffed them and it turned out that by some voodoo

"canonicalizationMode" : "LOWER"

was

"canonicalizationMode" : "LOWER<someunprintablecrap>"

The editor did not show it. And since I had copied the files from a
template I made, of course, all files had that problem.

That screwed up the entire process (there is no and after really digging
through the stack trace, I found the whining of the username provider.
Should have screened the trace earlier.

Now it runs like a breeze.

Thanks for your help anyway!
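The check Sven ended up doing by hand (binary-diffing the service files), as an added example that is not part of this thread: a small Python scanner that parses a CAS JSON service definition and reports every string value carrying a non-printable character, together with its JSON path, so an invisible character trailing a value like "LOWER" is caught before CAS chokes on it. The sample service JSON is constructed, and the helper names find_hidden_chars and find_raw_control_chars are my own, not CAS APIs.

```python
import json
# Constructed sample (not from the thread): the canonicalizationMode value ends
# in a zero-width space (U+200B), which a normal editor view renders as nothing.
SAMPLE_SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://samltest.id/saml/sp",
  "name" : "SAMLtest.id",
  "id" : 10000003,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "uid",
    "canonicalizationMode" : "LOWER\u200b"
  }
}"""

def _walk(node, path="$"):
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")

def find_hidden_chars(service_json):
    """Report each string value that carries a non-printable character (C0/C1
    controls, zero-width and other format characters, BOM): its JSON path,
    the text as an editor shows it, and the hidden code points."""
    findings = []
    for path, value in _walk(json.loads(service_json)):
        hidden = [f"U+{ord(ch):04X}" for ch in value if not ch.isprintable()]
        if hidden:
            visible = "".join(ch for ch in value if ch.isprintable())
            findings.append({"path": path, "visible": visible, "hidden": hidden})
    return findings

def find_raw_control_chars(text):
    """Fallback for files json.loads rejects outright (e.g. a raw NUL inside a
    string): offsets of control characters other than tab, newline and CR."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if ord(ch) < 0x20 and ch not in "\t\n\r"]

if __name__ == "__main__":  # usage: python check_services.py /etc/cas/services/*.json
    import sys
    for name in sys.argv[1:]:
        print(name, find_hidden_chars(open(name, encoding="utf-8").read()))
```

Run it over every file in the service registry directory rather than just the one that fails, since a template copied around spreads the same hidden character to all of them.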