Delegated authentication attribute resolution


Aaron Chantrill

Aug 31, 2023, 1:05:51 AM
to CAS Community
I'm trying to use a specific attribute repository after authenticating with Azure AD as a delegate identity provider.

Authenticating with Azure AD works fine and I can see the attributes, but really I just want to use the samaccountname attribute to retrieve attributes from a database.

Previously I had both LDAP and JDBC identity providers (for different types of users) and both of them used the only attribute repository I had defined, but it seems like delegate identity providers like to use their own attributes.

Is there some way to force CAS to append attributes from a different attribute provider after authenticating with a delegate identity provider?

Thank you!

Ray Bon

Aug 31, 2023, 11:54:26 AM
to cas-...@apereo.org
Aaron,

Do you have the attribute repository defined with:
cas.authn.attribute-repository. ... properties?

Ray


Aaron Chantrill

Aug 31, 2023, 3:53:54 PM
to CAS Community, Ray Bon
Yes, the attribute repository is cas.authn.attribute-repository.jdbc[0]

It works fine with my cas.authn.ldap[0] and cas.authn.jdbc.search[0] authentication services, but seems to get skipped when I use the cas.authn.pac4j.oidc[0].azure authentication service. The attributes I get back are the ones defined in my Azure AD application.

Thank you! (I hope I'm not spamming you, I just replied a few minutes ago but now I can't find it...)

Aaron Chantrill

Aug 31, 2023, 3:53:55 PM
to CAS Community, Ray Bon
Thank you for looking. Yes, the attributes are defined under cas.authn.attribute-repository.jdbc[0]... and as long as I use one of the two non-delegated authentication methods (jdbc or ldap) the properties come through fine. If I use the Azure AD authentication method, though, the only attributes I see are the ones defined for my Azure AD application id.

It looks like when I used the cas.authn.pac4j.oidc[0].azure authentication service, CAS just automatically grabs the attributes from that service, then skips any other attributes repositories I have defined. This surprises me since the LDAP and JDBC authentication service both used my one defined attribute repository fine.

Thank you!

Ray Bon

Aug 31, 2023, 9:06:51 PM
to ach...@wgu.edu, cas-...@apereo.org
Aaron,

Do you also have an attribute list for the authn definition? like:
cas.authn.ldap[0].principalAttributeList=cn,sn,...

If so, your attributes may be coming from the attribute list instead of the attribute-repository. Check your repository settings (and maybe comment out the attribute list).

CAS can get attributes at time of authentication (at least for LDAP; we do not use another source). attribute-repository is searched after authentication (requires another call to the remote service).

Ray
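The two paths Ray describes (attributes captured by the authentication handler itself, and a separate repository queried afterwards with the principal id) can be modelled in a few lines. The following is an added example written for this page, not CAS code: an in-memory SQLite table stands in for the JDBC attribute repository, the `users` table, column names, sample rows and the opaque subject value `8d1c0f6e` are all constructed, and the merge modes are this example's own names for the general strategies (union, keep first, overwrite) rather than CAS's enum values. What it shows is a property of any keyed lookup rather than a diagnosis of the setup above: if the id handed to the repository is not a value the `username` column holds (for example an IdP's opaque subject instead of the account name), the repository silently contributes nothing and only the authentication-time attributes survive.

```python
"""Model of post-authentication attribute resolution: attributes obtained at
authentication time are merged with attributes fetched afterwards from a
repository keyed on the principal id.  Added illustration, not CAS code."""
import sqlite3
from typing import Dict, List, Optional

Attributes = Dict[str, List[str]]

# Constructed sample data standing in for the JDBC attribute repository table.
_SCHEMA = """
CREATE TABLE users (
    samaccountname TEXT PRIMARY KEY,
    mail           TEXT,
    department     TEXT
);
INSERT INTO users VALUES ('jdoe', 'jdoe@example.org', 'Registrar');
"""

# Columns a caller may use as the lookup key.  Identifiers cannot be bound as
# SQL parameters, so they are allow-listed instead of interpolated blindly.
_KEY_COLUMNS = {"samaccountname", "mail"}


def open_repository() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(_SCHEMA)
    return conn


def repository_lookup(conn: sqlite3.Connection, key_column: str, key: str) -> Attributes:
    """Fetch one row keyed on key_column; an unknown key yields no attributes."""
    if key_column not in _KEY_COLUMNS:
        raise ValueError(f"unsupported key column: {key_column}")
    row = conn.execute(
        f"SELECT * FROM users WHERE {key_column} = ?", (key,)  # value is bound
    ).fetchone()
    if row is None:
        return {}
    return {name: [row[name]] for name in row.keys() if row[name] is not None}


def merge(first: Attributes, second: Attributes, mode: str = "multivalued") -> Attributes:
    """Combine two attribute maps.  'multivalued' unions the values of each
    attribute, 'keep-first' leaves attributes already present untouched and
    'overwrite' lets the second map win on conflicts."""
    result = {name: list(values) for name, values in first.items()}
    for name, values in second.items():
        if name not in result:
            result[name] = list(values)
        elif mode == "multivalued":
            result[name] += [v for v in values if v not in result[name]]
        elif mode == "overwrite":
            result[name] = list(values)
        elif mode != "keep-first":
            raise ValueError(f"unknown merge mode: {mode}")
    return result


def resolve_principal(conn: sqlite3.Connection, principal_id: str, authn_attrs: Attributes,
                      key_attribute: Optional[str] = None,
                      key_column: str = "samaccountname",
                      mode: str = "multivalued") -> Dict:
    """Query the repository with the principal id, or, when key_attribute names
    an attribute obtained at authentication time, with that attribute's first
    value, then merge what comes back with the authentication-time attributes."""
    key = principal_id
    if key_attribute and authn_attrs.get(key_attribute):
        key = authn_attrs[key_attribute][0]
    repo_attrs = repository_lookup(conn, key_column, key)
    return {
        "id": principal_id,
        "lookup_key": key,
        "repository_hit": bool(repo_attrs),
        "attributes": merge(authn_attrs, repo_attrs, mode),
    }


if __name__ == "__main__":
    conn = open_repository()
    # Form login: the handler's principal id is the account name, so the key matches.
    print(resolve_principal(conn, "jdoe", {"mail": ["jdoe@example.org"]}))
    # Delegated login: the principal id is the IdP's opaque subject (constructed
    # value); no row matches, so only the IdP's attributes survive.
    azure = {"sub": ["8d1c0f6e"], "samaccountname": ["jdoe"], "mail": ["jdoe@corp.example"]}
    print(resolve_principal(conn, "8d1c0f6e", azure))
    # Keying the lookup on the samaccountname claim instead restores the row.
    print(resolve_principal(conn, "8d1c0f6e", azure, key_attribute="samaccountname"))
```

The `repository_hit` flag is the check worth having in a real deployment too: when a repository is configured but contributes nothing, the first question is which value was used as the lookup key, not whether the repository is enabled.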

Aaron Chantrill

Sep 1, 2023, 10:10:16 AM
to cas-...@apereo.org
Thank you again for looking. No, I don't have a principalAttributeList defined for any of my three identity providers.

I also tried setting:

cas.personDirectory.attributeResolutionEnabled: true
cas.personDirectory.activeAttributeRepositoryIds: JDBCAttributeRepository

where JDBCAttributeRepository matches the value given to

cas.authn.attribute-repository.jdbc[0].id

to try and force the attribute resolution regardless of which source I used for authentication, but it didn't seem to have any effect, and I really can't tell from the descriptions what these settings are intended to be used for.

One difference is that I am using cas.authn.pac4j.core.discovery-selection.selection-type: MENU so I am choosing AzureAD by pressing a button from a list on the side of the CAS login form rather than simply typing my username and password into the form directly, but since it still seems to use the same mechanism for resolving the attributes I'm not sure why that would make a difference.



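For reference, here is the shape of the configuration the thread is talking about, written out as a `cas.properties` fragment. This is an added example, not configuration from the original posts or from the CAS project. The `cas.authn.attribute-repository.jdbc[0].*`, `cas.person-directory.*` and `cas.authn.pac4j.core.discovery-selection.*` names are the ones used in the thread (in kebab-case, which CAS's relaxed property binding accepts alongside the camelCase spelling used above); the two settings under `cas.authn.pac4j.core.principal-resolution.*` and the client-level `principal-id-attribute` key are assumptions about the delegated-authentication resolver that should be checked against the property reference for the CAS version in use. Every value (JDBC URL, table and column names, tenant, client id, `${DB_PASSWORD}` placeholder) is constructed.

```properties
# JDBC attribute repository, looked up after authentication.
cas.authn.attribute-repository.jdbc[0].id=JDBCAttributeRepository
cas.authn.attribute-repository.jdbc[0].url=jdbc:postgresql://db.example.org/idm
cas.authn.attribute-repository.jdbc[0].user=cas_ro
cas.authn.attribute-repository.jdbc[0].password=${DB_PASSWORD}
cas.authn.attribute-repository.jdbc[0].driver-class=org.postgresql.Driver
# {0} is expanded from the column(s) named in "username", compared against
# the principal id that the authentication handler produced.  If that id is
# not a samaccountname value (an IdP subject, for instance), no row matches.
cas.authn.attribute-repository.jdbc[0].sql=SELECT * FROM cas_attributes WHERE {0}
cas.authn.attribute-repository.jdbc[0].username=samaccountname
cas.authn.attribute-repository.jdbc[0].single-row=true
# column -> released attribute name
cas.authn.attribute-repository.jdbc[0].attributes.mail=mail
cas.authn.attribute-repository.jdbc[0].attributes.department=department

# Global principal resolution (the two settings tried in the thread).
cas.person-directory.attribute-resolution-enabled=true
cas.person-directory.active-attribute-repository-ids=JDBCAttributeRepository

# Delegated authentication through Azure AD, chosen from the login-page menu.
cas.authn.pac4j.core.discovery-selection.selection-type=MENU
cas.authn.pac4j.oidc[0].azure.client-name=AzureAD
cas.authn.pac4j.oidc[0].azure.tenant=00000000-0000-0000-0000-000000000000
cas.authn.pac4j.oidc[0].azure.id=11111111-1111-1111-1111-111111111111
cas.authn.pac4j.oidc[0].azure.secret=${AZURE_CLIENT_SECRET}
# Assumed keys: use the IdP's samaccountname claim as the principal id so the
# repository lookup above is keyed on the same value as the form logins, and
# point the delegated-authentication resolver at the same repository.
cas.authn.pac4j.oidc[0].azure.principal-id-attribute=samaccountname
cas.authn.pac4j.core.principal-resolution.attribute-resolution-enabled=true
cas.authn.pac4j.core.principal-resolution.active-attribute-repository-ids=JDBCAttributeRepository
```

Two checks before changing anything else: confirm in the CAS log (debug logging for `org.apereo.services.persondir` shows the repositories consulted and the id they are queried with) whether the JDBC repository is queried at all after a delegated login and, if it is, what key it receives; and keep the database account read-only, since the repository only ever needs `SELECT` on that one table.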
