CAS 6.1.3 SAML and JSON


stonej

Jan 23, 2020, 3:54:19 AM
to CAS Community
Hello All,

I am trying to move away from Shibboleth IdP to CAS IdP but am having a few issues. I have had a look at the documentation and this group and cannot seem to find the answer. I need to pass certain attributes, these ones:

urn:oid:0.9.2342.19200300.100.1.3 - mail value email address
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 - eduPersonAffiliation value member
urn:oid:1.3.6.1.4.1.5923.1.1.1.1 - eduPersonAffiliation value staff or student
urn:oid:1.3.6.1.4.1.5923.1.1.1.6 - eduPersonPrincipalName mail value email address
urn:oid:2.5.4.4 - sn value surname
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 - eduPersonScopedAffiliation value mem...@domain.com
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 - eduPersonScopedAffiliation value staff or stu...@domain.com
urn:oid:2.5.4.42 - givenName value First Name
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 - eduPersonTargetedID Value random id based on salt
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 - eduPersonEntitlement value urn:mace:dir:entitlement:common-lib-terms

but I am getting:

credentialType credentialType UsernamePasswordCredential
samlAuthenticationStatementAuthMethod samlAuthenticationStatementAuthMethod urn:oasis:names:tc:SAML:1.0:am:password
isFromNewLogin isFromNewLogin true
authenticationDate authenticationDate 2020-01-22T13:59:03.213799Z
urn:oid:0.9.2342.19200300.100.1.3 urn:oid:0.9.2342.19200300.100.1.3 em...@domain.com
authenticationMethod authenticationMethod LdapAuthenticationHandler
urn:oid:0.9.2342.19200300.100.1.1 urn:oid:0.9.2342.19200300.100.1.1 Username
successfulAuthenticationHandlers successfulAuthenticationHandlers LdapAuthenticationHandler
longTermAuthenticationRequestTokenUsed longTermAuthenticationRequestTokenUsed false
urn:oid:2.5.4.42 urn:oid:2.5.4.42 FirstName
urn:oid:2.5.4.4 urn:oid:2.5.4.4 Surname

Here is my JSON file:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "SERVICE",
  "name" : "Apache Secured By SAML",
  "id" : 100000011,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "metadataLocation" : "file:////etc/cas/saml/metadata/metadata.xml",
  "encryptAssertions": "true",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "eppn" : "urn:mace:dir:attribute-def:eduPersonPrincipalName",
      "cn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
      "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
      "givenName" : "urn:oid:2.5.4.42",
      "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
      "role" : "urn:DOMAIN:attribute-def:role",
      "sn" : "urn:oid:2.5.4.4",
      "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
      "UDC_IDENTIFIER": "urn:DOMAIN:attribute-def:UDC_IDENTIFIER",
      "eppn" : "urn:oid:0.9.2342.19200300.100.1.1",
      "affiliation" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
      "affiliation" : "staff"
    },
    "persistentIdGenerator" : {
      "@class" : "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
      "salt" : "aGVsbG93b3JsZA==",
      "attribute": "eduPersonEntitlement"
    }
  },
  "evaluationOrder" : 1125
}


What am I doing wrong? I do have other files to prepare, but I know that if I can get this one working I can get the other ones working.

Thanks for all your help

Jeff

Andy Ng

Jan 23, 2020, 4:51:14 AM
to CAS Community
Hi Jeff,

Have you tried allow-all to see if the issue is due to the allowedAttributes or some other matter?

Set up allow-all like so: https://apereo.github.io/cas/6.0.x/integration/Attribute-Release-Policies.html#return-all

Cheers!
- Andy

stonej

Jan 23, 2020, 5:18:48 AM
to CAS Community
Hi Andy,

I have tried that, so there is only this in the JSON:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "SERVICE",
  "name" : "Apache Secured By SAML",
  "id" : 100000011,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "metadataLocation" : "file:////etc/cas/saml/metadata/metadata.xml",
  "encryptAssertions": "true",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "evaluationOrder" : 1125
}

and still get:

credentialType credentialType UsernamePasswordCredential
samlAuthenticationStatementAuthMethod samlAuthenticationStatementAuthMethod urn:oasis:names:tc:SAML:1.0:am:password
isFromNewLogin isFromNewLogin true
authenticationDate authenticationDate 2020-01-22T13:59:03.213799Z
urn:oid:0.9.2342.19200300.100.1.3 urn:oid:0.9.2342.19200300.100.1.3 em...@domain.com
authenticationMethod authenticationMethod LdapAuthenticationHandler
urn:oid:0.9.2342.19200300.100.1.1 urn:oid:0.9.2342.19200300.100.1.1 Username
successfulAuthenticationHandlers successfulAuthenticationHandlers LdapAuthenticationHandler
longTermAuthenticationRequestTokenUsed longTermAuthenticationRequestTokenUsed false
urn:oid:2.5.4.42 urn:oid:2.5.4.42 FirstName
urn:oid:2.5.4.4 urn:oid:2.5.4.4 Surname

I cannot seem to turn off the unwanted attributes: credentialType, samlAuthenticationStatementAuthMethod, etc.

and I cannot seem to add attributes; eduPersonEntitlement needs to be urn:mace:dir:entitlement:common-lib-terms.

Would I need to write a Groovy script to do that?

Thanks

Jeff

Josh

Jan 23, 2020, 10:32:36 AM
to CAS Community
You don't need an allowedAttributes section for this, just an attributeReleasePolicy like so:

    attributeReleasePolicy : {
        @class : org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
        allowedAttributes : {
            @class : java.util.TreeMap
            mail : "urn:oid:0.9.2342.19200300.100.1.3"
            gecos : "urn:oid:2.16.840.1.113730.3.1.241"
            eduPersonPrincipalName : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        }
    }

Josh

Jan 23, 2020, 10:33:29 AM
to CAS Community
Apologies, I see you have that already, I mis-read the original post :)

Travis Schmidt

Jan 23, 2020, 11:24:53 AM
to CAS Community
To remove unwanted authentication attributes, add excludeDefaultAttributes: true.


Andy Ng

Jan 23, 2020, 8:30:26 PM
to CAS Community
Hi Travis,

> To remove unwanted authentication attributes add excludeDefaultAttributes: true.

Oh, we can do that?! Didn't know about that; good to learn about this! Thanks Travis :)

Cheers!
- Andy

stonej

Jan 29, 2020, 7:50:24 AM
to CAS Community
Hi All,

I am slowly getting there, although now I have hit another hurdle.

I need eduPersonTargetedID; I can get that by using

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://DOMAIN",
  "name" : "Apache Secured By SAML",
  "id" : 100000011,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "metadataLocation" : "file:////etc/cas/saml/metadata/metadata.xml",
  "encryptAssertions": "true",
  "excludeDefaultAttributes" : "true",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.support.saml.services.EduPersonTargetedIdAttributeReleasePolicy",
    "salt": "OqmG80fEKBQt",
    "attribute": ""
  }
}

But I cannot get any other attributes like FirstName, Surname etc.

And also the "excludeDefaultAttributes" : "true" doesn't seem to work; not sure if I have put it in the correct place.

I have tried:

"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "eppn" : "urn:mace:dir:attribute-def:eduPersonPrincipalName",
  "cn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
  "eduPersonPrincipalName" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
  "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
  "givenName" : "urn:oid:2.5.4.42",
  "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
  "role" : "urn:hope.ac.uk:attribute-def:role",
  "sn" : "urn:oid:2.5.4.4",
  "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
  "UDC_IDENTIFIER": "urn:hope.ac.uk:attribute-def:UDC_IDENTIFIER",
  "eppn" : "urn:oid:0.9.2342.19200300.100.1.1",
  "affiliation" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
  "affiliation" : "staff",
  "excludeDefaultAttributes" : "true"
},
"persistentIdGenerator" : {
  "@class" : "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
  "salt" : "OqmG80fEKBQt",
  "attribute": "eduPersonTargetedID"
}

And that shows me the attributes but NOT the eduPersonTargetedID. Do I have to use a Groovy script to pull all the attributes together?

Thanks

Jeff

Ray Bon

Jan 29, 2020, 12:47:41 PM
to cas-...@apereo.org
Jeff,

'excludeDefaultAttributes' should be inside 'attributeReleasePolicy'.

Where are you defining 'FirstName' and 'Surname'?
If it is in the list of default attributes, then you want 'excludeDefaultAttributes=false'.

Add this to log4j2.xml:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray

P.S. It would be easier to see what is going on if the service definition were complete (just in case something else was in the wrong place).
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
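An added check, not code from this thread or from CAS itself, that reads a service definition the way the replies above do: it flags excludeDefaultAttributes placed at the top level instead of inside attributeReleasePolicy (Ray's point), the same key dropped into allowedAttributes where it would be taken as just another attribute mapping, and keys mapped twice such as the two affiliation entries, of which only one value can survive in a map. Both service definitions in it are constructed samples, not the original poster's files.

```python
import json
# Constructed sample in strict JSON (the stdlib parser will not take HJSON's omitted
# commas), trimmed to the fields the check reads; it keeps the mistakes the replies
# point at: the setting at the top level and inside allowedAttributes, a key mapped twice.
MISPLACED = """{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "excludeDefaultAttributes": "true",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "mail": "urn:oid:0.9.2342.19200300.100.1.3",
      "affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
      "affiliation": "staff",
      "excludeDefaultAttributes": "true"
    }
  }
}"""

# Same service with the setting inside attributeReleasePolicy and one mapping per key.
CORRECTED = """{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "excludeDefaultAttributes": true,
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
    }
  }
}"""

def lint_service(text):
    """Return findings for one CAS JSON service definition (empty list = clean)."""
    duplicates = []
    def hook(pairs):  # json.loads would otherwise keep only the last duplicate silently
        keys = [k for k, _ in pairs]
        duplicates.extend(k for k in dict.fromkeys(keys) if keys.count(k) > 1)
        return dict(pairs)

    service = json.loads(text, object_pairs_hook=hook)
    allowed = service.get("attributeReleasePolicy", {}).get("allowedAttributes", {})
    findings = []
    if "excludeDefaultAttributes" in service:
        findings.append("excludeDefaultAttributes belongs inside attributeReleasePolicy, not at the top level")
    if "excludeDefaultAttributes" in allowed:
        findings.append("excludeDefaultAttributes inside allowedAttributes is read as a mapping, not a setting")
    findings += [f"duplicate key {k}: only the last value survives" for k in duplicates]
    return findings
```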