Cannot retrieve user attributes from PHP application behind mod_auth_cas


Fabio Martelli

Jul 19, 2017, 11:27:21 AM
to CAS Community
Hi All, I would like to retrieve user principal attributes from a php
application.

I successfully configured mod_auth_cas, but at the moment I'm only able
to retrieve the principal name in an HTTP header.

Can you share a piece of code that can help me with my php application?

Thank you in advance.

BR,

F.

--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email&pk_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/

Kapetanakis Giannis

Jul 19, 2017, 1:19:19 PM
to cas-...@apereo.org
On 19/07/17 18:27, Fabio Martelli wrote:
> Hi All, I would like to retrieve user principal attributes from a php
> application.
>
> I successfully configured mod_auth_cas but at the moment I'm just able
> to retrieve the principal name in HTTP Header.
>
> Can you share a piece of code that can help me with my php application?
>
> Thank you in advance.
>
> BR,
>
> F.
>

Maybe you can get it from $_SERVER['REMOTE_USER']

alternative options:

a) do the authentication in PHP with phpCAS and not in Apache
b) check if the user is authenticated in PHP (again with phpCAS) and get
whatever attribute you need (including attributes returned by CAS)

G
ps.
https://github.com/apereo/phpCAS/blob/master/docs/examples/example_hardening.php
https://wiki.jasig.org/display/casc/phpcas+examples

David Curry

Jul 19, 2017, 3:11:32 PM
to cas-...@apereo.org
You need to have mod_auth_cas configured to use the "samlValidate" endpoint on the CAS server, and also have the "CASAuthNHeader" setting turned on in /etc/httpd/conf.d/cas.conf (or wherever your config file is). Like this:

<Directory "/var/www/html/secure">
    <IfModule mod_auth_cas.c>
        AuthType        CAS
        CASAuthNHeader  On
    </IfModule>

    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASLoginUrl         https://cas.example.com/cas/login
    CASValidateUrl      https://cas.example.com/cas/samlValidate
    CASCookiePath       /var/cache/httpd/mod_auth_cas/
    CASValidateSAML     On
    CASSSOEnabled       On
    CASDebug            Off
</IfModule>

This will give you a bunch of headers whose names begin with "CAS_". If you want a different prefix instead of "CAS_", you can set it with the "CASAttributePrefix" option.

Anyway, then in your PHP script, you can have something like this:

<?php
    echo "<pre>";

    if (array_key_exists('REMOTE_USER', $_SERVER)) {
        echo "REMOTE_USER = " . htmlspecialchars($_SERVER['REMOTE_USER']) . "<br>";
    }

    // mod_auth_cas prefixes every released attribute header with "CAS_"
    $headers = getallheaders();
    foreach ($headers as $key => $value) {
        if (strpos($key, 'CAS_') === 0) {
            echo htmlspecialchars(substr($key, 4) . " = " . $value) . "<br>";
        }
    }

    echo "</pre>";
?>

to print them all out. Note that you will get more than just the attributes you released; you'll also get some other information from the CAS server. For example, on my current devel setup, which authenticates against Active Directory first and LDAP second, and merges attributes from both, I get:

REMOTE_USER = curryd
AuthenticationMethod = Active Directory
displayName = David Curry
successfulAuthenticationHandlers = Active Directory
cn = xxxxxxxxx
EmailAddress = David...@newschool.edu
Role = staff
samlAuthenticationStatementAuthMethod = urn:oasis:names:tc:SAML:1.0:am:password
uid = curryd
UDC_IDENTIFIER = xxxxxxx
Active-Directory.curryd = cn=curryd,ou=TNSUsers,dc=tns,dc=newschool,dc=edu
sn = Curry
Formatted-Name = David

Hope this helps,
--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea919a47-a804-89e6-7a24-9563f2b2f4a6%40edu.physics.uoc.gr.
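Building on Dave's script, an added example that is not code from the thread or from mod_auth_cas itself: it collects the CAS_ headers into an array, splits multi-valued attributes, and uses one attribute for an authorization decision. It assumes the default CASAttributePrefix of "CAS_", mod_auth_cas's default CASAttributeDelimiter of ",", and that the script lives in a directory protected with AuthType CAS.

```php
<?php
// Added example, not from the thread. Reads the headers mod_auth_cas injects when
// CASAuthNHeader is On; assumes the default CASAttributePrefix "CAS_" and the
// default CASAttributeDelimiter "," used to join multi-valued attributes.

// Apache mod_php has getallheaders(); under php-fpm before 7.3 the same headers
// only exist in $_SERVER as HTTP_CAS_UID etc. (names upper-cased).
function request_headers(): array
{
    if (function_exists('getallheaders')) {
        return getallheaders();
    }
    $headers = [];
    foreach ($_SERVER as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $headers[substr($key, 5)] = $value;
        }
    }
    return $headers;
}

// "CAS_mail: a@x, b@x" becomes ['mail' => ['a@x', 'b@x']]; single values stay strings.
function cas_attributes(array $headers, string $prefix = 'CAS_', string $delim = ','): array
{
    $attrs = [];
    foreach ($headers as $name => $value) {
        if (strncasecmp($name, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        $values = array_map('trim', explode($delim, $value));
        $attrs[substr($name, strlen($prefix))] = count($values) === 1 ? $values[0] : $values;
    }
    return $attrs;
}

// Only trust these headers in a script served from a <Directory> with AuthType CAS;
// elsewhere mod_auth_cas never runs and the headers are whatever the client sent.
$user = $_SERVER['REMOTE_USER'] ?? '';
if ($user === '') { http_response_code(401); exit('not authenticated'); }
$attrs = cas_attributes(request_headers());
// Attribute-based authorization, using the "Role" attribute from the sample output above
if (!in_array('staff', (array) ($attrs['Role'] ?? []), true)) { http_response_code(403); exit('staff only'); }
echo '<pre>REMOTE_USER = ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
foreach ($attrs as $name => $value) {
    $shown = is_array($value) ? implode(' | ', $value) : $value;
    echo htmlspecialchars("$name = $shown", ENT_QUOTES, 'UTF-8') . "\n";
}
echo '</pre>';
```

If cas.conf overrides CASAttributePrefix or CASAttributeDelimiter, pass the same values to cas_attributes().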

David Hawes

Jul 19, 2017, 4:30:15 PM
to CAS Community
Just wanted to +1 Dave's reply. Good stuff.

I also wanted to note that CASv2 attributes from /serviceValidate are
now supported in git master, if you need to go that route.

https://github.com/apereo/mod_auth_cas/pull/110

Fabio Martelli

Jul 20, 2017, 4:37:59 AM
to cas-...@apereo.org, David Curry
Hi David, thank you for your reply.
I did as you suggested, successfully. Please note: to have the configuration working, mod_auth_cas master is required (as reported in [1]).


Thank you again and best regards,
F.

[1] https://www.mail-archive.com/cas-...@lists.jasig.org/msg17023.html

Mukunthini Jeyakumar

Feb 8, 2018, 1:13:19 PM
to CAS Community
Hi David,

I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When I turn on CASValidateSAML and configure saml endpoint I'm getting the following error

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


But I was able to get the principal user id without the SAML endpoint.

I'm using CAS 5.2.2


Thanks

Thini




David Hawes

Feb 9, 2018, 11:09:37 AM
to CAS Community
Set:

LogLevel debug
CASDebug On

and check your error logs. You should have information as to why you
get this error.

Mukunthini Jeyakumar

Feb 9, 2018, 2:09:55 PM
to CAS Community
Hi dhawes,

With the debug on,


[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(2076): [client 129.100.6.30] Entering cas_authenticate(), referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(654): [client 129.100.6.30] Modified r->args (now ''), referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1779): [client 129.100.6.30] entering getResponseFromServer(), referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(584): [client 129.100.6.30] CAS Service 'https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php', referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1856): [client 129.100.6.30] Validation response: <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/8.5.23</h3></body></html>, referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1440): [client 129.100.6.30] entering isValidCASTicket(), referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1446): [client 129.100.6.30] MOD_AUTH_CAS: response = <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/8.5.23</h3></body></html>, referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [error] [client 129.100.6.30] MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: syntax error (2), referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php


>>>> MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: syntax error (2), referer: https://<farm-name>:8443/cas/login?service=https%3a%2f%2f<hostname>%2freturn-mapped%2findex.php

Thanks
Thini

David Hawes

Feb 9, 2018, 3:34:20 PM
to CAS Community
Are you sure your server supports /samlValidate? Are you able to use
/serviceValidate?

Post your full mod_auth_cas config here.

The 406 you see is from the CAS server. Do you have any logs on the
CAS server that indicate why the request failed?

Mukunthini Jeyakumar

Feb 9, 2018, 4:00:50 PM
to CAS Community
Hi

I'm seeing the same error even if I use the /serviceValidate endpoint. As soon as I turn on CASValidateSAML, I get the error.

Here is my mod_auth_cas config (I've used David Curry's guide):

LoadModule auth_cas_module modules/mod_auth_cas.so

<Directory "/var/www/html/secured-by-cas">
    <IfModule mod_auth_cas.c>
        AuthType        CAS
        CASAuthNHeader  On
    </IfModule>
    Require valid-user
</Directory>

<Directory "/var/www/html/return-mapped">
    <IfModule mod_auth_cas.c>
        AuthType        CAS
        CASAuthNHeader  On
    </IfModule>
    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASCertificatePath  /etc/pki/tls/certs/
    CASCookiePath       /var/lib/cas/
    CASValidateURL      https://<farm-name>:8443/cas/serviceValidate
#   CASValidateURL      https://<farm-name>:8443/cas/samlValidate
    CASLoginURL         https://<farm-name>:8443/cas/login
    CASSSOEnabled       On
    CASDebug            On
    CASValidateSAML     On
    LogLevel            debug
</IfModule>

From the CAS Server, I do see the SERVICE_TICKET_CREATED but I don't see the Service Validation
But I'm seeing the following warning.

2018-02-09 15:55:50,016 WARN [org.springframework.web.servlet.PageNotFound] - <Request method 'POST' not supported>

I'm using CAS 5.2.2 and mod_auth_cas from GitHub (https://github.com/apereo/mod_auth_cas).

And I added support for SAML when I built CAS:
        <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-saml</artifactId>
                <version>${cas.version}</version>
        </dependency>

Thanks
Thini

David Hawes

Feb 9, 2018, 5:52:32 PM
to CAS Community
Use:

CASValidateURL https://<farm-name>:8443/cas/serviceValidate
CASValidateSAML Off

or:

CASValidateURL https://<farm-name>:8443/cas/samlValidate
CASValidateSAML On

What you have posted here will not work.

> 2018-02-09 15:55:50,016 WARN [org.springframework.web.servlet.PageNotFound]
> - <Request method 'POST' not supported>

SAML validation requires POST. Make sure you aren't mixing up your
directives (see above) and ensure that you can POST to
https://<farm-name>:8443/cas/samlValidate.

Mukunthini Jeyakumar

Feb 15, 2018, 2:51:08 PM
to CAS Community
Thanks dhawes.

I'm using this PHP code to print the values returned in the headers:

<?php
    foreach (getallheaders() as $name => $value) {
        echo "$name: $value\n";
    }
?>

I have no issues if I use serviceValidate, but I'm only getting the username; I do not see the rest of the released attributes.

CASValidateURL https://<farm-name>:8443/cas/serviceValidate
CASValidateSAML       Off


if I use SAML then I get error

CASValidateURL https://<farm-name>:8443/cas/samlValidate
CASValidateSAML       On


I already built CAS with SAML 1.1 by adding cas-server-support-saml.

Thanks
Thini

David Hawes

Feb 15, 2018, 7:13:37 PM
to CAS Community
On Thu, Feb 15, 2018 at 2:51 PM, Mukunthini Jeyakumar
<mukun...@gmail.com> wrote:
> Thanks dhawes.
>
> I'm using the php code to print the values retuned in the header
> <?php
> foreach (getallheaders() as $name => $value) {
> echo "$name: $value\n";
> }
> ?>
>
> I've no issues if I use serviceValidate, but I'm only getting the username,
> I do not see the rest of the attributes released
>
> CASValidateURL https://<farm-name>:8443/cas/serviceValidate
> CASValidateSAML Off

Do you see the attributes in the validation response? You can see this
in the debug logs.

Note that only the code in master supports CASv2 attributes. If you
see the attributes in the validation response, try mod_auth_cas
master.

> if I use SAML then I get error
>
> CASValidateURL https://<farm-name>:8443/cas/samlValidate
> CASValidateSAML On
>
>
> I already built CAS with SAML 1.1 by adding cas-server-support-saml,

This sounds like a CAS server issue. Have you verified /samlValidate
is working? What does the validation response look like?

Francois Campbell

Dec 13, 2018, 12:42:08 PM
to CAS Community
Posting to an old thread, but I too struggled to get attributes visible in PHP.

After making the following changes, mine came through.
If you have specified the CAS version in /etc/httpd/conf.d/cas.conf, comment it out:
#     CASVersion 2

CASValidateUrl        https://<farm-name>/cas/samlValidate
CASValidateSAML       On

In CAS itself, ensure that the following are also present for each LDAP config, in etc/cas/config/cas.properties:
cas.authn.attributeRepository.merger:   ADD
cas.authn.ldap[0].principalAttributeList=cn,sn,mail

For me the attributeRepository.ldap attributes did not display on the client side,
e.g. cas.authn.attributeRepository.ldap[0].attributes.

Mac Reid

Dec 13, 2018, 1:30:02 PM
to cas-...@apereo.org
Hi,

The option `CASAuthNHeader On` must be configured in an .htaccess or a directory/location directive. That will add headers that look like:

CAS_uid => mac
CAS_mail => mar...@mtu.edu

- Mac