Conditional attributes via LDAP group membership


Michael Wisenbaker

Aug 27, 2020, 11:47:23 AM
to CAS Community
Is it possible to have a flow within CAS that provides differing attributes to the SP based upon LDAP group membership? For example, for members of GROUP1 attribute x=value and for members of GROUP2 attribute x=someothervalue?

For a more concrete example: my org uses CAS for Zoom integration. One of the attributes passed through is an identifier drawn from an LDAP source, but in some cases it would be preferable if this attribute could be modified without changing the LDAP source.

Thanks.

Ray Bon

Aug 27, 2020, 12:56:38 PM
to cas-...@apereo.org
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Michael Wisenbaker

Aug 27, 2020, 2:33:48 PM
to CAS Community, Ray Bon
Ray,

Warning: I've never touched CAS, I'm trying to find ways to make our use case work to suggest them to the proper folks.

In pseudocode what I am looking for is:

if (memberOf.contains('Group1')) {
    attributeValue = 'x'
} else {
    attributeValue = 'y'
}

I'm not sure if any of the regex filters would apply, but this seems like something that could be accomplished via a Groovy script?

We currently pass an HR identifier to Zoom that determines which org/sub-org an account is in, but it would be beneficial to be able to override this value for certain individuals, e.g. students that have no HR identifier.

I appreciate that you took the time to respond to my OP!

Robert Bond

Aug 27, 2020, 3:01:03 PM
to cas-...@apereo.org, Ray Bon
I have done this with one of our services.
Here is the groovy code to handle something similar. Probably not the cleanest.
"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "mail" : "groovy { return attributes['emailAddress'] }",
    "userType" : "groovy { def r = []; def a = ['student', 'employee', 'faculty']; for (x in attributes['memberOf']) { for (y in a) { if (x.toLowerCase().contains(y)) { r += y } } }; return r.unique() }"
  }
}

You can build out the logic in an online groovy interpreter like https://groovy-playground.appspot.com/ then make it one line and throw it in a service registry entry. 

Hope this helps!



--
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University
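The following is an added example for this thread, not code from any of the posts above or from the CAS project. It is a standalone Groovy script that mirrors the contract of a CAS inline "groovy { ... }" mapping in ReturnMappedAttributeReleasePolicy (the script is handed a Map named `attributes` holding the resolved principal attributes and returns the value(s) to release) and implements the if/else from Michael's pseudocode: members of a student group get an override identifier, everyone else gets the LDAP-sourced HR identifier passed through. The group DN, the attribute names (`hrOrgId`, `mail`, `memberOf`) and the override value `ORG-STUDENTS` are assumed; the sample principals are constructed, not directory data. Two practitioner details it handles: `memberOf` can arrive as a single string rather than a list, and matching the whole group DN (rather than `contains('student')` as in the `userType` mapping above) keeps a group such as "cn=student-helpdesk-admins" from being treated as the student group.

```groovy
// Added example, not from the original thread or the CAS project.
// Mirrors the contract of a CAS inline groovy attribute mapping:
// `attributes` is a Map of principal attributes (values usually lists),
// and the mapping returns what to release under the mapped name.
// Group DNs, attribute names and the override id are assumed.

class OrgIdMapper {
    // Exact DN to key on (assumed). Comparing the whole DN, not a substring,
    // keeps "cn=student-helpdesk-admins" from matching as "students".
    static final String STUDENT_GROUP  = 'cn=students,ou=groups,dc=example,dc=edu'
    static final String STUDENT_ORG_ID = 'ORG-STUDENTS'   // assumed Zoom sub-org identifier

    // CAS attribute values may be null, a scalar, or a list; normalise to List<String>.
    static List<String> asList(Object v) {
        if (v == null) return []
        (v instanceof Collection ? v : [v]).collect { it.toString() }
    }

    // The pseudocode from the thread, made concrete:
    //   if memberOf STUDENT_GROUP -> release STUDENT_ORG_ID
    //   else                      -> pass the LDAP-sourced hrOrgId through
    static String resolveOrgId(Map attributes) {
        def groups = asList(attributes['memberOf']).collect { it.toLowerCase() }
        if (groups.contains(STUDENT_GROUP.toLowerCase())) {
            return STUDENT_ORG_ID
        }
        def hr = asList(attributes['hrOrgId'])
        return hr ? hr[0] : null   // release nothing, not "", when LDAP has no value
    }

    // What the policy would hand the SP for this principal: a single-valued
    // list, or no hrOrgId key at all when there is nothing to release.
    static Map<String, List<String>> release(Map attributes) {
        def out = [mail: asList(attributes['mail'])]
        def org = resolveOrgId(attributes)
        if (org != null) out['hrOrgId'] = [org]
        return out
    }
}

// Constructed sample principals (not real directory data).
def employee  = [uid: ['jdoe'], mail: ['jdoe@example.edu'], hrOrgId: ['HR-4410'],
                 memberOf: ['cn=employees,ou=groups,dc=example,dc=edu']]
def student   = [uid: ['asmith'], mail: ['asmith@example.edu'], hrOrgId: null,
                 memberOf: ['CN=Students,OU=Groups,DC=example,DC=edu']]            // no HR id, mixed-case DN
def lookalike = [uid: ['bhelp'], mail: 'bhelp@example.edu', hrOrgId: ['HR-0099'],
                 memberOf: 'cn=student-helpdesk-admins,ou=groups,dc=example,dc=edu'] // scalar values
def nobody    = [uid: ['ghost'], mail: ['ghost@example.edu']]                        // no groups, no HR id

assert OrgIdMapper.resolveOrgId(employee)  == 'HR-4410'
assert OrgIdMapper.resolveOrgId(student)   == 'ORG-STUDENTS'
assert OrgIdMapper.resolveOrgId(lookalike) == 'HR-0099'   // a substring match would wrongly give ORG-STUDENTS
assert OrgIdMapper.resolveOrgId(nobody)    == null
assert !OrgIdMapper.release(nobody).containsKey('hrOrgId')
assert OrgIdMapper.release(student) == [mail: ['asmith@example.edu'], hrOrgId: ['ORG-STUDENTS']]

[employee, student, lookalike, nobody].each { p ->
    println "${p.uid[0].padRight(8)} -> ${OrgIdMapper.release(p)}"
}

// The same decision collapsed to one line for the service registry entry
// (assumed attribute and group names; single quotes are safe inside the JSON string):
// "hrOrgId" : "groovy { def g = (attributes['memberOf'] ?: []).collect { it.toString().toLowerCase() }; return g.contains('cn=students,ou=groups,dc=example,dc=edu') ? ['ORG-STUDENTS'] : attributes['hrOrgId'] }"
```

Because the released value decides which Zoom org or sub-org the account lands in, the group that triggers the override should be one whose membership is controlled as carefully as the HR data it replaces; anyone who can add themselves to that group can move their Zoom account.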