Can I make use of XML attributes in a serviceValidate response for authorization control?


Bryan K. Walton

Feb 22, 2018, 4:14:43 PM
to cas-...@apereo.org
We have a mod_auth_cas installation where the CAS server on the other
end is sending us XML attributes in their response. I don't have any
details on their CAS server version. What I do know is that we are
using the serviceValidate url for validation. The CAS server, in
question, does NOT have a samlValidate url option for us.

When a user authenticates to our application, we get a validation
response from their CAS server that looks like this:

[Thu Feb 22 14:41:23.833837 2018] [:debug] [pid 21153]
mod_auth_cas.c(1838): [client 10.1.88.60:39852] Validation response:
<cas:serviceResponse
xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess><cas:user>jdoe</cas:user><cn><![CDATA[---
- John Doe
]]></cn><campusstatus><![CDATA[---
- Staff
]]></campusstatus><sn><![CDATA[---
- Doe
]]></sn><departmentnumber><![CDATA[---
- Student Affairs
]]></departmentnumber><givenname><![CDATA[---
- John
]]></givenname></cas:authenticationSuccess></cas:serviceResponse>

As long as we use require valid-user, everything is fine, and users gain
access to the application.

My question: can mod_auth_cas work with these XML attributes
for authorization control, without having access to a samlValidate url
option? For example, we would like to instruct Apache to limit access
to those users who have "Staff" in the "<campusstatus>" element.

Thanks!
Bryan

David Hawes

Feb 22, 2018, 6:05:27 PM
to CAS Community
mod_auth_cas supports SAML attributes with /samlValidate and CASv2
attributes with /serviceValidate (note that you must use git master
for this support).

The payload above does not look like what I would expect, which is
outlined here:

https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html#255-attributes-cas-30

It will not be parsed correctly and you will not be able to use those
values for authorization without modifying mod_auth_cas.
/serviceValidate in mod_auth_cas expects <cas:attributes/>.
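
To make the difference concrete, here is an added example (not code from this thread, and not mod_auth_cas's own parser) that reads a /serviceValidate response the way the linked CAS 3.0 spec describes it: the user comes from <cas:user>, and attributes are collected only from the children of <cas:attributes>, with repeated elements treated as a multi-valued attribute. The standard-shaped response and the authentication failure below are constructed for the example; the non-standard response is the payload quoted in the first post. Function names and the relaxed acceptance of attribute elements with or without the cas: namespace prefix are assumptions of this example, not mod_auth_cas behaviour. Run against Bryan's payload, the parser returns the user but an empty attribute set, so an authorization rule on campusstatus would deny access; that is the "will not be parsed correctly" outcome stated above, shown on the wire format itself.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


def _local(tag):
    """Strip a Clark-notation namespace from an element tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def parse_service_validate(xml_text):
    """Parse a CAS /serviceValidate response body.

    Returns (user, attributes) for <cas:authenticationSuccess>, where
    attributes maps each attribute name to a list of values (CAS 3.0
    allows a repeated element for a multi-valued attribute).  Returns
    (None, {}) for <cas:authenticationFailure> or any other document.
    Only children of <cas:attributes> are collected; elements placed
    directly under <cas:authenticationSuccess> are ignored.
    """
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None, {}
    user_el = success.find(f"{{{CAS_NS}}}user")
    user = user_el.text.strip() if user_el is not None and user_el.text else None
    attrs = {}
    attr_block = success.find(f"{{{CAS_NS}}}attributes")
    if attr_block is not None:
        for child in attr_block:
            # Accept <cas:campusstatus> and <campusstatus> alike (assumption of this example).
            attrs.setdefault(_local(child.tag), []).append((child.text or "").strip())
    return user, attrs


def has_attribute_value(attrs, name, wanted):
    """Authorization predicate: does attribute `name` carry the value `wanted`?"""
    return wanted in attrs.get(name, [])


def authorize(xml_text, name, wanted):
    """Combine validation and the attribute check; returns (user, allowed)."""
    user, attrs = parse_service_validate(xml_text)
    if user is None:
        return None, False
    return user, has_attribute_value(attrs, name, wanted)


# Constructed sample in the shape the linked CAS 3.0 spec section describes.
STANDARD_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:cn>John Doe</cas:cn>
      <cas:campusstatus>Staff</cas:campusstatus>
      <cas:campusstatus>Alumni</cas:campusstatus>
      <cas:departmentnumber>Student Affairs</cas:departmentnumber>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# The payload from the first post: attribute elements sit directly under
# authenticationSuccess, carry no namespace, and wrap their values in CDATA.
NONSTANDARD_RESPONSE = """<cas:serviceResponse
xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess><cas:user>jdoe</cas:user><cn><![CDATA[---
- John Doe
]]></cn><campusstatus><![CDATA[---
- Staff
]]></campusstatus><sn><![CDATA[---
- Doe
]]></sn></cas:authenticationSuccess></cas:serviceResponse>"""

# Constructed failure response; the ticket id is a placeholder.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-PLACEHOLDER not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    for label, body in (("standard", STANDARD_RESPONSE),
                        ("non-standard", NONSTANDARD_RESPONSE),
                        ("failure", FAILURE_RESPONSE)):
        print(label, authorize(body, "campusstatus", "Staff"))
```

The predicate deliberately matches on the whole value rather than a substring, so a value such as "NonStaff" would not satisfy a rule for "Staff"; and a failure response never reaches the attribute check, so a missing or malformed attribute block can only deny, never grant.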

Bryan K. Walton

Feb 26, 2018, 9:28:03 AM
to cas-...@apereo.org
On Thu, Feb 22, 2018 at 06:04PM -0500, David Hawes wrote:

>> for authorization control, without having access to a samlValidate url
>> option? For example, we would like to instruct Apache to limit access
>> to those users who have "Staff" in the "<campusstatus>" element.
>
>mod_auth_cas supports SAML attributes with /samlValidate and CASv2
>attributes with /serviceValidate (note that you must use git master
>for this support).
>
>The payload above does not look like what I would expect, which is
>outlined here:
>
>https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html#255-attributes-cas-30
>
>It will not be parsed correctly and you will not be able to use
>those
>values for authorization without modifying mod_auth_cas.
>/serviceValidate in mod_auth_cas expects <cas:attributes/>.

Thanks for the reply, David. This makes perfect sense to me. If we
want to pursue this further, we will use git master and modify the code.

Thanks!
Bryan