CAS attribute release consent will be reset if the server restarted


Dewi Suci Rafianti

Mar 8, 2021, 9:43:09 PM3/8/21
to CAS Community

I have configured CAS server v6.3.2 to ask the user for attribute release consent. The consent is successfully saved in LDAP using the description attribute. When a user accesses the same application a second time, the user won't be asked for the same consent again. But when the CAS server is restarted, the user is asked for the consent again. It's as if the consent is reset when the server is restarted. Is this the right flow? Why does the CAS server not use the consent that is already saved in the LDAP server?

Here is my cas.properties

cas.consent.ldap.ldap-url=ldap://localhost:389
cas.consent.ldap.ldapUrl=ldap://localhost:389
cas.consent.ldap.baseDn=dc=example,dc=org
cas.consent.ldap.searchFilter=cn={user}
cas.consent.ldap.bindDn=cn=admin,dc=example,dc=org
cas.consent.ldap.bindCredential=admin
cas.consent.ldap.consentAttributeName=description

JSON service registry

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|http)://.*",
  "name": "ApplicationName",
  "id": 1001,
  "evaluationOrder": 10,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [ "java.util.ArrayList", [ "cn", "mail", "sn", "description", "telephoneNumber", "postalCode" ] ],
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "includeOnlyAttributes": [ "java.util.LinkedHashSet", [ "description", "telephoneNumber" ] ],
      "enabled": true
    }
  }
}

And I have already added the dependencies in build.gradle

implementation "org.apereo.cas:cas-server-support-consent-webflow:${casServerVersion}" 
implementation "org.apereo.cas:cas-server-support-consent-ldap:${casServerVersion}"

Ray Bon

Mar 9, 2021, 12:16:05 PM3/9/21
to cas-...@apereo.org
Dewi,

Have you verified that the record was added to LDAP, is in the correct path and identified by the {user}?

If you change the attributes stored for a service (with and without restarting server), does the record update?

Check your ldap and cas (ldaptive) logs.


Ray


On Mon, 2021-03-08 at 18:43 -0800, Dewi Suci Rafianti wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Dewi Suci Rafianti

Mar 9, 2021, 11:17:57 PM3/9/21
to CAS Community, Ray Bon
Thank you for your answer.

I've found the reason. It's because of encryption. If I don't define private and public key, CAS will generate it automatically. And when the CAS server is restarted, the key will be generated again. So the consent that is saved in LDAP can't be decrypted by CAS.
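The failure Dewi describes, modelled as an added example (this is not code from CAS or from anyone in this thread): a consent store whose records are protected with a key that is either regenerated at every start or pinned across restarts. The user and service names, the in-memory stand-in for the LDAP directory and the HMAC-only protection are assumptions made for illustration; CAS itself both signs and encrypts its stored decisions, but a changed key breaks both in the same way.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the directory: user -> values of the consent attribute
# (the thread stores decisions in the LDAP "description" attribute).
Directory = Dict[str, List[str]]


def new_random_key() -> bytes:
    """What a server does when no key is configured: make a fresh one at startup."""
    return secrets.token_bytes(32)


# A key that survives restarts, as it would when pinned in configuration.
# Constructed value for the example; a real deployment generates it once and keeps it.
PINNED_KEY = hashlib.sha256(b"example-pinned-key-material").digest()


class ConsentStore:
    """Minimal model of a consent repository whose stored decisions are protected
    with a key. CAS signs and encrypts its decisions; an HMAC tag is enough here
    to show what happens when the key changes between runs."""

    def __init__(self, key: bytes, directory: Directory) -> None:
        self.key = key
        self.directory = directory

    def _tag(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def store(self, user: str, service: str, attributes: List[str]) -> None:
        decision = json.dumps(
            {"service": service, "attributes": sorted(attributes)}, sort_keys=True
        ).encode()
        record = base64.b64encode(decision).decode() + "." + self._tag(decision)
        self.directory.setdefault(user, []).append(record)

    def _open(self, record: str) -> Optional[dict]:
        """Decode one stored record; None if its tag was not made with the current key."""
        encoded, tag = record.rsplit(".", 1)
        decision = base64.b64decode(encoded)
        if not hmac.compare_digest(tag, self._tag(decision)):
            return None
        return json.loads(decision)

    def find(self, user: str, service: str) -> Optional[dict]:
        """Stored decision for (user, service), or None when absent or unreadable.
        Unreadable is treated as absent, which is why the user is prompted again."""
        for record in self.directory.get(user, []):
            parsed = self._open(record)
            if parsed is not None and parsed["service"] == service:
                return parsed
        return None


def unreadable_records(store: ConsentStore) -> int:
    """Count records that cannot be opened with the store's current key.
    A non-zero count right after startup means the running key differs from the
    one that wrote the records, i.e. keys were regenerated or rotated."""
    return sum(
        1 for records in store.directory.values() for r in records if store._open(r) is None
    )


def simulate(key_provider: Callable[[], bytes]) -> Tuple[bool, bool]:
    """Write a decision, 'restart' the server against the same directory, read it back.
    Returns (found before restart, found after restart)."""
    directory: Directory = {}
    server = ConsentStore(key_provider(), directory)
    server.store("dewi", "https://app.example.org", ["description", "telephoneNumber"])
    before = server.find("dewi", "https://app.example.org") is not None
    # Restart: a new process asks the key provider again; directory contents persist.
    server = ConsentStore(key_provider(), directory)
    after = server.find("dewi", "https://app.example.org") is not None
    return before, after


if __name__ == "__main__":
    print("ephemeral key:", simulate(new_random_key))      # (True, False)
    print("pinned key:   ", simulate(lambda: PINNED_KEY))  # (True, True)
```

The second return value is what the thread observed: with an ephemeral key the record written before the restart is unreadable afterwards and is treated as no decision, so the prompt reappears; with a pinned key it survives. unreadable_records is the check worth running after any restart or key change: a count above zero means the running key is not the one that wrote the stored decisions, and every affected user will be re-prompted. For CAS the fix is to set the consent signing and encryption keys explicitly in cas.properties so they are not regenerated at startup (the CAS 6.3 configuration reference lists these under cas.consent.core.crypto.signing.key and cas.consent.core.crypto.encryption.key; that naming is an assumption to confirm against the documentation for the deployed version).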
