SAMLResponse Add new Attributes


Andrey Seledkov

Jun 3, 2019, 7:53:36 AM
to CAS Community
Hi team.

When I worked with SAML between CAS as IdP and Keycloak as SP, I cannot add additional attributes like firstName, lastName.

my CAS settings

cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true

cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
cas.authn.attributeRepository.jdbc[0].username=USERNAME
cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
cas.authn.attributeRepository.jdbc[0].user=${DB_USERNAME}
cas.authn.attributeRepository.jdbc[0].password=${DB_PASSWORD}
cas.authn.attributeRepository.jdbc[0].url=${DB_URL}

cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName

my JSON file

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "service-id-here",
  "name": "name-here",
  "id": 10000010,
  "evaluationOrder": 1,
  "metadataLocation": "file:/etc/cas/saml/saml.xml",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "firstName",
      "lastName"
    ]
  }
}


But when I redirect to Keycloak I don't see any additional attributes in SAMLResponse. Could you please assist?


Matthew Uribe

Jun 3, 2019, 10:00:20 AM
to CAS Community
Andrey,

I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I have the following json for one of our SPs:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "service-id-here",
  "name" : "name-here",
  "id" : 1001,
  "metadataLocation" : "https://service.address/SAML/Metadata",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "cn" : "urn:oid:2.5.4.3",
      "mail" : "urn:oid:0.9.2342.19200300.100.1.3"
    }
  },
  "evaluationOrder" : 25
}

Have you tried using the Attribute Resolution & Release feature in the CAS Dashboard to see what is being released by CAS?

Matt

Andrey Seledkov

Jun 3, 2019, 10:37:39 AM
to CAS Community
I will try, but what are 'cn' and 'mail' here?

For my task I need to put in SamlResponse firstName and lastName, which I retrieved from the database.

On Monday, June 3, 2019, at 17:00:20 UTC+3, user Matthew Uribe wrote:

Matthew Uribe

Jun 3, 2019, 11:39:20 AM
to CAS Community
Andrey,

cn and mail are attributes from my LDAP that are being released to the SP. Based on the Internet2 attribute release policy, firstName (givenName) is urn:oid:2.5.4.42, while lastName (sn) is urn:oid:2.5.4.4.

If your SP is looking for specific attributes, they may need to be mapped according to this Internet2 standard.

Hopefully that helps.

Andrey Seledkov

Jun 3, 2019, 2:03:27 PM
to CAS Community
CAS version is 6.


Nothing changed, I got SamlResponse without new attributes.

Maybe I'm missing something.


On Monday, June 3, 2019, at 18:39:20 UTC+3, user Matthew Uribe wrote:

Matthew Uribe

Jun 3, 2019, 2:57:29 PM
to CAS Community
I haven't tried CAS 6 yet, but according to the documentation, at least for the attribute release, it's pretty much the same as the version I'm using. Since you are using the "Return Allowed" policy, your json (attribute portion) might need to look more like this:
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName", "lastName" ] ]
  }

Otherwise try the Mapped Attribute release policy, so that you may send the attributes to the SP using the naming in the OASIS Standard, which would look like this:
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "firstName" : "urn:oid:2.5.4.42",
      "lastName" : "urn:oid:2.5.4.4"
    }
  }
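A quick way to settle the question running through this thread (is the policy wrong, or is the attribute simply not on the wire?) is to compare what the service definition says should be released with what the SAMLResponse actually carries. The script below is an added example written for this thread, not code from CAS or from anyone in the discussion. It reads a CAS SamlRegisteredService JSON in either of the two policy shapes shown above, derives the attribute names the SP should see (the local names for the "allowed" policy, the mapped urn:oid values for the "mapped" policy), decodes a base64 SAMLResponse as it arrives in the POST binding, and lists the attributes that are missing. The service definitions and the unsigned response are constructed sample data; `https://cas.example.test/cas/idp` and `user-here` are placeholders. It checks content only: signature verification of the response is a separate step that this example does not perform.

```python
import base64
import json
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed service definition in the "mapped" policy shape from the thread.
MAPPED_SERVICE = json.loads("""
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "id" : 1001,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "firstName" : "urn:oid:2.5.4.42",
      "lastName" : "urn:oid:2.5.4.4"
    }
  }
}
""")

# Constructed service definition in the "allowed" policy shape (ArrayList wrapper).
ALLOWED_SERVICE = json.loads("""
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "id" : 1002,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "firstName", "lastName" ] ]
  }
}
""")

# Constructed, unsigned SAML Response carrying only the mapped firstName attribute,
# base64-encoded as it would appear in the SAMLResponse form field (POST binding).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2019-06-05T10:06:03Z">
  <saml:Issuer>https://cas.example.test/cas/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2019-06-05T10:06:03Z">
    <saml:Issuer>https://cas.example.test/cas/idp</saml:Issuer>
    <saml:Subject><saml:NameID>user-here</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>Andrey</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def expected_attribute_names(service_def):
    """Return the attribute names the service's release policy should put on the wire.

    For ReturnMappedAttributeReleasePolicy the released name is the mapped value
    (e.g. urn:oid:2.5.4.42); for ReturnAllowedAttributeReleasePolicy it is the local
    name itself. "java.util.ArrayList" / "java.util.TreeMap" are Jackson type hints
    in the CAS JSON and are skipped.
    """
    policy = service_def["attributeReleasePolicy"]
    allowed = policy["allowedAttributes"]
    if policy["@class"].endswith("ReturnMappedAttributeReleasePolicy"):
        return {released for local, released in allowed.items() if local != "@class"}
    if isinstance(allowed, list) and len(allowed) == 2 and allowed[0] == "java.util.ArrayList":
        allowed = allowed[1]
    return set(allowed)


def released_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse and return {Name: [values]} from its AttributeStatements."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def missing_attributes(service_def, saml_response_b64):
    """Names the policy says should be released but that are absent from the response."""
    return expected_attribute_names(service_def) - set(released_attributes(saml_response_b64))


if __name__ == "__main__":
    print("released:", released_attributes(SAMPLE_RESPONSE_B64))
    print("missing :", sorted(missing_attributes(MAPPED_SERVICE, SAMPLE_RESPONSE_B64)))
```

Run against a real capture, paste the SAMLResponse form value in place of `SAMPLE_RESPONSE_B64` and load the service JSON from the registry directory. An empty AttributeStatement with a non-empty expected set points at attribute resolution (the JDBC repository or the principal's attributes), while a statement that carries the local names where the SP expects urn:oid values points at the policy mapping.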

Andy Ng

Jun 3, 2019, 9:20:53 PM
to CAS Community
Hi Andrey,

Can you try ReturnAllAttributeReleasePolicy, to see if it is the policy that has the problem, or if the release of attributes is not correct.



Cheers!
- Andy

Andrey Seledkov

Jun 4, 2019, 5:33:55 AM
to CAS Community
Nothing helps.

my property file has the following properties

cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
cas.authn.samlIdp.scope=${SERVER_NAME}
cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
cas.authn.samlIdp.attributeQueryProfileEnabled=true



On Tuesday, June 4, 2019, at 4:20:53 UTC+3, user Andy Ng wrote:

Matthew Uribe

Jun 4, 2019, 1:12:16 PM
to CAS Community
Do you have any other SPs working with this CAS instance, or is this your first?

Andrey Seledkov

Jun 5, 2019, 6:25:25 AM
to CAS Community
It is my first.
Keycloak provides me:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID=" entity id here">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://bla-bla/broker/saml/endpoint"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        </NameIDFormat>
        <AssertionConsumerService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://bla-bla/broker/saml/endpoint"
                index="1" isDefault="true" />
    </SPSSODescriptor>
</EntityDescriptor>


What I noticed: I caught an exception


WHO: fberdugo
ACTION: SAML2_RESPONSE_CREATED
APPLICATION: CAS
WHEN: Wed Jun 05 10:06:03 UTC 2019
CLIENT IP ADDRESS: 192.168.1.3
SERVER IP ADDRESS: 172.21.82.63
=============================================================

>
2019-06-05 10:06:03,986 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController] - <Built the SAML response for ['bla bla here']>
2019-06-05 10:06:04,417 INFO [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController] - <Received SAML callback profile request [/cas/idp/profile/SAML2/Callback]>
2019-06-05 10:06:04,472 WARN [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [ST-1-93FkJllO7deg1GefbwSXjeNeQ7w6e26c3311c11] does not exist.>
2019-06-05 10:06:04,475 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-93FkJllO7deg1GefbwSXjeNeQ7w6e26c3311c11
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Wed Jun 05 10:06:04 UTC 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2019-06-05 10:06:04,504 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-1-93FkJllO7deg1GefbwSXjeNeQ7w6e26c3311c11' not recognized] with root cause>
org.jasig.cas.client.validation.TicketValidationException: Ticket 'ST-1-93FkJllO7deg1GefbwSXjeNeQ7w6e26c3311c11' not recognized
at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84) ~[cas-client-core-3.5.1.jar!/:3.5.1]
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:198) ~[cas-client-core-3.5.1.jar!/:3.5.1]
at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.validateRequestAndBuildCasAssertion(SSOSamlProfileCallbackHandlerController.java:132) ~[cas-server-support-saml-idp-web-6.0.3-SNAPSHOT.jar!/:6.0.3-SNAPSHOT]
at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.handleCallbackProfileRequest(SSOSamlProfileCallbackHandlerController.java:119) ~[cas-server-support-saml-idp-web-6.0.3-SNAPSHOT.jar!/:6.0.3-SNAPSHOT]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]

And do I need to do something with idp-metadata.xml, which was generated automatically by CAS?


On Tuesday, June 4, 2019, at 20:12:16 UTC+3, user Matthew Uribe wrote:

Andy Ng

Jun 5, 2019, 7:53:40 AM
to CAS Community
From your log, seems like you are using http, is that true? If yes, try changing to https, CAS doesn't work well with http. -Andy

Andrey Seledkov

Jun 5, 2019, 6:22:43 PM
to CAS Community
The same with https.

On Wednesday, June 5, 2019, at 14:53:40 UTC+3, user Andy Ng wrote:

Andy Ng

Jun 5, 2019, 9:19:39 PM
to CAS Community
Hi Andrey,

I do know for a fact that my CAS 5.3.x is running with SAML as IdP and connecting to other SAML SPs just fine (multiple SAML clients, including SimpleSAMLPHP), no need to modify the generated idp-metadata.xml for me.

So... Maybe if you still can't successfully connect to SAML, it could be the following:
- Maybe CAS 6 has a bug
- Maybe Keycloak doesn't actually return the attribute to you (highly doubt it)
- Maybe your config is wrong (which is unlikely; from what you provide it seems the config is ok)

So, maybe try using CAS 5.3.x and see if that works? CAS 5 to 6 is a big jump, so it is possible that there is some obscure bug that was discovered first by you.

- Andy

Andrey Seledkov

Jun 6, 2019, 7:37:17 AM
to CAS Community
In the docs:

In order to allow CAS to support and respond to attribute queries, you need to make sure the generated metadata has the
AttributeAuthorityDescriptor element enabled

I noticed that when I put

cas.authn.samlIdp.attributeQueryProfileEnabled=true

in idp-metadata.xml the AttributeAuthorityDescriptor tag is commented out and it is ignoring my flag.

On Thursday, June 6, 2019, at 4:19:39 UTC+3, user Andy Ng wrote:

Matthew Uribe

Jun 6, 2019, 9:48:36 AM
to CAS Community
Same as Andy, I have CAS 5 working as SAML IdP. But I assume there are others here doing so with CAS 6. In any case, I noticed in your log that your issuer is "localhost:8443/cas/idp". Do you have your cas.server.name and related properties set? It looks like it's creating the SAML response, but then it can't find the service ticket, which could explain why your SP is not getting anywhere.


Andrey Seledkov

Jun 7, 2019, 7:41:59 AM
to CAS Community
It started to work when I ran it without Docker, locally.

These attributes are enough to retrieve data in SAMLResponse

#cas.authn.attributeRepository.jdbc[0].singleRow=true
#cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
#
#cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
#cas.authn.attributeRepository.jdbc[0].username=USERNAME
#cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
#cas.authn.attributeRepository.jdbc[0].user=
#cas.authn.attributeRepository.jdbc[0].password=
#cas.authn.attributeRepository.jdbc[0].url=
#cas.authn.attributeRepository.defaultAttributesToRelease=firstName,lastName
#
#cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
#cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName

But when I ran it over Docker, nothing.

On Thursday, June 6, 2019, at 16:48:36 UTC+3, user Matthew Uribe wrote:

Andrey Seledkov

Jun 11, 2019, 3:19:56 AM
to CAS Community
Issue was resolved, the mentioned settings are enough so that it will work.

On Friday, June 7, 2019, at 14:41:59 UTC+3, user Andrey Seledkov wrote: