Mike,
I can confirm this behaviour.
DefaultPrincipalElectionStrategy was changed between 6.5 and 7.0. The change was in 5bcef20 about 5 months ago.
The old behaviour was to select the first principal in a list; new behaviour defaults to last.
Even setting this property,
cas.person-directory.principal-resolution-conflict-strategy=first
does not work.
Printing the list of principals immediately before PrincipalElectionStrategyConflictResolver is invoked:
2024-04-11 23:40:23,144 ERROR [ org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - <principal: SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], description=[ROLE_ADMIN], domain=[uvic.ca], ...
2024-04-11 23:40:23,144 ERROR [ org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - <principal: SimplePrincipal(id=rbon, attributes={duoAud=[...], duoAuthCtxAccessDeviceIp=[...], ...
The principal ids are the same (so merging attributes should work).
Our setup fetches attributes after authentication (instead of at the time of authentication) but before the Duo flow.
I will investigate if there is an effect of when LDAP attributes are retrieved, as well as look into other possible config settings that might affect attribute merging.
Ray
On Wed, 2024-04-10 at 12:47 -0700, Mike S wrote: