making an extra LDAP attribute visible via CAS


charlie derr

Sep 26, 2017, 8:46:08 AM
to CAS Community
Greetings,
   We are new to CAS, but have managed to successfully get 5.1 working
with our LDAP directory on the back end. Apologies if this is a FAQ, but
I've looked around the web for the answer and only found instructions on
how to do this with 4.x (and earlier) CAS installs.
   We have a need to expose the LDAP attribute employeeNumber (it's
present directly on each user's entry) as UDC_IDENTIFIER to the
application using CAS (Self-Service Banner). Any pointers or links to
documentation on how to correctly and securely accomplish this will very
much be appreciated.

       thanks ever so much,
           ~c

--
Charlie Derr
Director of Instructional Technology
Bard College at Simon's Rock
413-528-7344


David Curry

Sep 26, 2017, 9:13:07 AM
to cas-...@apereo.org
Short answer:

cas.authn.attributeRepository.ldap[0].attributes.employeeNumber: UDC_IDENTIFIER

The last element of the property name is the name of the attribute in the directory, the value of the property is the name you want to give it when it's released to applications. The above assumes you've set up attribute resolution properties already. If you haven't, see the CAS documentation: https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#authentication-attributes

Note that the above method does the renaming at attribute resolution time, not attribute release time -- in other words, every application that you release this attribute to will get an attribute called "UDC_IDENTIFIER", because that's what it's called by the time you get to the attribute release rules. If you would rather have only certain applications see it as UDC_IDENTIFIER (say, the Ellucian apps) and have the others continue to see it as "employeeNumber", then you should do the renaming at attribute release time in the service definition, like this: https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#return-mapped

Personally, although I had been going down the road of doing the renaming at attribute resolution time, I have recently been rethinking this and am now leaning towards doing it at attribute release time. When we first installed CAS 3.5, one of the first applications that we CAS-ified forced us into some really stupid attribute names (including one that breaks the rules by including a space in the name) that nothing from any other vendor expects. With CAS 5's more flexible attribute release capabilities, I'm thinking it's time to clean this up and use standard (or more standard, anyway) names for everything that supports them, and limit the weird names to the one or two applications that want them.

--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/73f5132e-8feb-31d6-b376-29d57c23635f%40simons-rock.edu.

Brian Gibson

Sep 26, 2017, 9:15:39 AM
to cas-...@apereo.org, charlie derr
We are working towards this as well but do not have it in place yet. I think it will be a two-step process. Inside the C:\etc\cas\config\cas.properties file, in the LDAP section, you need to tell it what attributes from LDAP you want to pull....

cas.authn.ldap[0].principalAttributeList=sn,cn,mail,displayname,givenName,sAMAccountName,employeeType,employeeNumber

Then, inside the .json file that denotes the service entry for Self Service Banner, you would map the employeeNumber LDAP attribute to UDC_IDENTIFIER for when you send the info out.... Here is (what I believe to be) a valid .json file, in our case located in C:\etc\cas\services\service_entry_4_475674893038.json, with the UDC_IDENTIFIER line bolded:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://bss.wheatonma.edu/.*",
  "name" : "BannerSelfService",
  "id" : 475674893038,
  "description" : "Service entry to Banner SSO",

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "employeeNumber" : "UDC_IDENTIFIER",
      "employeeType" : "affiliation"
    }
  },

  "evaluationOrder" : 6
}
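Added example, not from any poster's deployment and not CAS's own code: a small Python model of the two stages David Curry describes above (rename at attribute resolution vs. rename at attribute release) and of the two-step setup in the previous post. It uses constructed cas.properties lines, a constructed service entry and a constructed LDAP entry, parses the resolution-time renames, then applies a ReturnMapped or ReturnAllowed release policy and reports which policy keys no longer match any resolved attribute, which is exactly what happens when the same attribute is renamed at both stages. It ignores the authentication handler's principalAttributeList and every other policy type.

```python
import json
import re

# Constructed sample inputs; not any poster's real configuration.
CAS_PROPERTIES = """
cas.authn.attributeRepository.ldap[0].attributes.employeeNumber=UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.displayname=displayname
"""
SERVICE_JSON = json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "https://banner.example.edu/.*", "name": "BannerSelfService", "id": 1000,
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
        "allowedAttributes": {"@class": "java.util.TreeMap",
                              "mail": "EmailAddress", "employeeNumber": "UDC_IDENTIFIER"}}})
LDAP_ENTRY = {"employeeNumber": "123456", "mail": "cd@example.edu",
              "displayname": "C. Derr", "sn": "Derr"}

# ldap-attribute -> CAS-name renames, accepting either '=' or ': ' property syntax
MAP_RE = re.compile(
    r"^cas\.authn\.attributeRepository\.ldap\[\d+\]\.attributes\.([^=:\s]+)\s*[=:]\s*(\S+)$")


def resolution_mapping(props_text):
    """Parse the resolution-time renames out of cas.properties text."""
    mapping = {}
    for line in props_text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def resolve(ldap_entry, mapping):
    """Stage 1: only mapped attributes reach the principal, under their CAS names."""
    return {cas: ldap_entry[ldap] for ldap, cas in mapping.items() if ldap in ldap_entry}


def release(principal_attrs, service_json):
    """Stage 2: apply the service's release policy. Returns (released, unresolved);
    unresolved lists policy keys that no longer exist on the resolved principal."""
    policy = json.loads(service_json)["attributeReleasePolicy"]
    kind = policy["@class"].rsplit(".", 1)[-1]
    allowed = policy["allowedAttributes"]
    if kind == "ReturnMappedAttributeReleasePolicy":      # TreeMap: source -> released name
        pairs = [(k, v) for k, v in allowed.items() if k != "@class"]
    elif kind == "ReturnAllowedAttributeReleasePolicy":   # ["java.util.ArrayList", [names]]
        pairs = [(k, k) for k in allowed[1]]
    else:
        raise ValueError("unsupported policy " + kind)
    released = {out: principal_attrs[src] for src, out in pairs if src in principal_attrs}
    unresolved = [src for src, _ in pairs if src not in principal_attrs]
    return released, unresolved
```

With the sample above, the service's "employeeNumber" key is reported as unresolved and no UDC_IDENTIFIER is released, because the properties line already renamed it before the release policy ran.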

Pablo Vidaurri

Sep 29, 2017, 12:33:51 AM
to CAS Community, cd...@simons-rock.edu
Should you be able to verify the released attributes in cas/status/attrresolution ... I assume if a user logs in via cas, you can go to attrresolution page, enter their id and view released attributes. I don't see anything though

Misagh Moayyed

Oct 2, 2017, 8:22:36 AM
to cas-...@apereo.org
No. You should see resolved attributes; that's why the endpoint says /attrresolution. If it was /attrrelease, then you'd be right. 

And you'd only see attributes if you have attribute repositories set up. 



--
--Misagh

Zach Tackett

Nov 13, 2018, 9:41:06 AM
to CAS Community
I also need to figure out how to do this, Any help would be much appreciated.

Mac Reid

Nov 13, 2018, 9:54:57 AM
to cas-...@apereo.org
Assuming a working ldap attribute repository, we added the following line to our cas.properties:

cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER

In the above line, the udcid is the ldap attribute and the UDC_IDENTIFIER is the CAS name for the attribute.
In our Banner service file, we have the following:

  attributeReleasePolicy: {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    allowedAttributes: ["java.util.ArrayList", ["UDC_IDENTIFIER"]]
  }


- Mac

Zach Tackett

Nov 13, 2018, 10:08:08 AM
to CAS Community
I tried what you mentioned, and every time I rebuild the CAS server it breaks because it doesn't like the .attributeRepository part of the attribute.

Daniel Widrick

Nov 13, 2018, 10:21:21 AM
to cas-...@apereo.org
Note that the attributeRepository is part of a services JSON file, not the cas.properties file. Ours looks as follows because of some weirdness with attribute names previously.

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://.*",
  "name" : "HTTPS",
  "id" : 1,
  "description" : "HTTPS protocol wildcard service.",
  "evaluationOrder" : 10000,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
        "@class" : "java.util.TreeMap",
        "UDC_IDENTIFIER" : "UDC_IDENTIFIER"
    }
  }
}

Daniel Widrick

Lead Programmer Analyst/Systems Administrator

SUNY Polytechnic Institute


100 Seymour Road

Utica, NY 13502

Help Desk: 315.792.7440




Matthew Uribe

Nov 13, 2018, 10:28:31 AM
to CAS Community
Hi Zach,

I think you're leaving everyone here in the position of having to assume which version of CAS you're using, as well as what you currently have in place. Do you have a working CAS server now? What version are you working on?

Thanks,
Matt

Zach Tackett

Nov 13, 2018, 10:41:30 AM
to CAS Community
The CAS server is working, we are using 5.0. Currently getting CAS to map the employeeID to the UDC_IDENTIFIER internally, but it is not mapping it externally in our test data being dumped after logging in.

Zach Tackett

Nov 13, 2018, 10:46:47 AM
to CAS Community
This is the data we are getting back externally:

array(7) {
  ["samlAuthenticationStatementAuthMethod"]=>
  string(39) "urn:oasis:names:tc:SAML:1.0:am:password"
  ["isFromNewLogin"]=>
  string(4) "true"
  ["authenticationDate"]=>
  string(47) "2018-11-13T09:47:56.786-05:00[America/New_York]"
  ["authenticationMethod"]=>
  string(25) "LdapAuthenticationHandler"
  ["successfulAuthenticationHandlers"]=>
  string(25) "LdapAuthenticationHandler"
  ["longTermAuthenticationRequestTokenUsed"]=>
  string(5) "false"
  ["employeeNumber"]=>
  string(32) "1D89EC8ECD92959EE050650AEC077B26"
}


Internally, when the server is running, it is showing:

2018-11-13 10:37:55,475 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [tackettz] and attributes {cn=tackettz, displayname=Tackett, Zachary, givenName=Zachary, LdapAuthenticationHandler.dn=cn=tackettz,ou=Office365,dc=marshall,dc=edu, sAMAccountName=tackettz, sn=Tackett, UDC_IDENTIFIER=1D89EC8ECD92959EE050650AEC077B26} with credentials [tackettz].>



Matthew Uribe

Nov 13, 2018, 10:58:14 AM
to CAS Community
Zach,

Looking at the docs for 5.0, I see that it doesn't seem to support multiple LDAP servers, so the cas.authn.attributeRepository.ldap[0].attributes.udcid=UDC_IDENTIFIER that you see in other posts here would actually be more like this: cas.authn.attributeRepository.attributes.udcid=UDC_IDENTIFIER (but obviously setting "employeeNumber" rather than "udcid" to the UDC_IDENTIFIER attribute).

I'm not sure if that's where your problem is, since you are getting the UDC_IDENTIFIER name for it in the cas.log file, but I point it out because it does differ from what those with later versions of CAS will be using.

What do you have in the service registry? Are you releasing all attributes, or just specific named attributes?

Matt

Baron Fujimoto

Nov 14, 2018, 7:35:40 PM
to cas-...@apereo.org
We achieve this with 5.0.x with the equivalent of the following in our service registry entry:

"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"udcid" : "UDC_IDENTIFIER",
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum