SAML2 attributes modified based on some events


Michele Zanarotti

Oct 28, 2020, 7:48:38 AM
to CAS Community
Hello.

I'm using CAS 5.3, successfully configured it with SAML2 support.

For every service I have a specialized Groovy script that rewires the attributes for the specific endpoint.

Until now the authentication query gave me all I needed to build SAML2. The authentication query is done via Sql (postgres).
The RelayState was sufficient for extra attributes depending on other's apps sessions.

But now I need to modify SAML2 attributes in real time, based on some events (read from a database or some other dynamic source.)

For example I want to let a service know if a user changed something in his settings, without making him re-authenticate (something that changes very often).

I thought I could use a database query directly from the script.

Is it possible? I can't find anything about doing that in a script or a java class. I would like to re-use existing jdbc datasource.

snippet of serviceX.yml:
attributeReleasePolicy: !<org.apereo.cas.support.saml.services.GroovySamlRegisteredServiceAttributeReleasePolicy>
  groovyScript: file:./config/scripts/serviceXAttributeReleasePolicy.groovy

snippet of groovy script:
import java.util.*
import org.apereo.cas.support.saml.services.*
import org.apereo.cas.support.saml.*
import groovy.json.JsonSlurper

def Map<String, Object> run(final Object... args) {
    def attributes = args[0]          // attributes CAS resolved for the principal
    def service = args[1]             // the SAML registered service
    def resolver = args[2]            // SAML metadata resolver
    def facade = args[3]              // SAML metadata facade
    def entityDescriptor = args[4]    // SP entity descriptor
    def applicationContext = args[5]  // Spring ApplicationContext
    def logger = args[6]

    // Something like that
    def ds = getDataSource(applicationContext)
    // ... do the query for the current user in attributes

    // return the (possibly modified) attribute map to CAS
    return attributes
}

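One way to do what the question describes, reusing a JDBC DataSource from the Spring application context inside the Groovy release policy. This is an added example, not code from the original post or from CAS itself. It assumes that a `javax.sql.DataSource` bean is registered in the CAS application context (CAS 5.3's JDBC authentication handler may build its own pool internally without registering a bean; if the lookup finds nothing, a DataSource bean has to be defined in a custom configuration class). The table `user_settings`, its columns, the attribute name `uid` and the released attribute names are hypothetical.

```groovy
import javax.sql.DataSource
import groovy.sql.Sql
import org.springframework.context.ApplicationContext

def Map<String, Object> run(final Object... args) {
    def attributes = args[0] as Map<String, Object>
    def service = args[1]
    def resolver = args[2]
    def facade = args[3]
    def entityDescriptor = args[4]
    def applicationContext = args[5] as ApplicationContext
    def logger = args[6]

    // Work on a copy so the principal's resolved attributes are not mutated in place.
    def released = new LinkedHashMap<String, Object>(attributes)

    // Assumption: a DataSource bean exists in the context. Look it up by type rather
    // than by a bean name we cannot be sure of.
    def dataSources = applicationContext.getBeansOfType(DataSource)
    if (dataSources.isEmpty()) {
        logger.warn("No DataSource bean available; releasing attributes unchanged for {}", service.serviceId)
        return released
    }
    DataSource ds = dataSources.values().first()

    // CAS may store an attribute as a single value or as a collection of values.
    def rawUid = attributes['uid']
    def uid = rawUid instanceof Collection ? rawUid.first() : rawUid
    if (uid == null) {
        logger.warn("Principal has no 'uid' attribute; skipping settings lookup")
        return released
    }

    def sql = new Sql(ds)
    try {
        // Parameterised query: the principal id is bound as a parameter, never
        // concatenated into the SQL string.
        def row = sql.firstRow(
            'SELECT settings_version, settings_changed_at FROM user_settings WHERE username = ?',
            [uid])
        if (row != null) {
            // Values are released as strings so the SAML attribute encoder handles them uniformly.
            released['settingsVersion'] = row.settings_version?.toString()
            released['settingsChangedAt'] = row.settings_changed_at?.toString()
        } else {
            logger.debug("No settings row for {}", uid)
        }
    } catch (Exception e) {
        // Fail open on the extra attributes only; the core attribute set is still released.
        logger.error("Settings lookup failed for {}: {}", uid, e.message)
    } finally {
        sql.close()
    }
    return released
}
```

The query runs on every SAML response built for this service, so it adds one database round trip per SSO; the `username` column should be indexed, and the script deliberately catches lookup failures so a database outage degrades to "attributes unchanged" rather than breaking sign-on.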
Ray Bon

Oct 28, 2020, 12:18:38 PM
to cas-...@apereo.org
Michele,

Are you saying that this service will periodically send the user back to CAS to get updated attributes/re-authenticate (that is, the service has a very short session, say 20m)?

It may make more sense for the service to query the data source directly for the change.

Ray

On Wed, 2020-10-28 at 04:48 -0700, Michele Zanarotti wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.