SAML delegated authentication - Authentication attributes missing in the user profile


David Oteo

Nov 13, 2018, 9:48:15 AM
to CAS Community
Hi,

We configured CAS 5.2.2 to delegate authentication to an external IdP through SAML. In the SAML response there is an "AuthnContext" tag that does not appear in the user profile attributes. CAS 5.2.2 seems to use pac4j v2.2.x and here (https://github.com/pac4j/pac4j/pull/961) I can see that this functionality was added to pac4j v2.2.

I see this in the logs:

[13/11/18 15:13:42:484 CET] 00000147 SystemOut     O 2018-11-13 15:13:42,339 DEBUG [org.pac4j.saml.profile.SAML2Profile] - <adding => key: authnContext / value: [urn:safelayer:tws:policies:authentication:flow:cert] / class java.util.ArrayList>

but the attribute is not present in the user profile:

[13/11/18 15:13:42:547 CET] 00000147 SystemOut     O 2018-11-13 15:13:42,340 DEBUG [org.pac4j.saml.client.SAML2Client] - <profile: #SAML2Profile# | id: CN=CORPREC FICTICIO ACTIVO, O=EMPTY | attributes: {country=[ES], cif=[Q3890349H], birthdate=[EMPTY], key_usage=[EMPTY], not_before=[2017-03-16T12:15:29Z], subject=[SERIALNUMBER=99999988J, OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543, CN=CORPREC FICTICIO ACTIVO, OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948, OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE, C=ES], tsl=[S], issuer=[CN=CA personal de AAPP vascas (2) - DESARROLLO, OU=AZZ Ziurtagiri publikoa - Certificado publico SCA, O=IZENPE S.A., C=ES], notBefore=2018-11-13T14:13:41.480Z, surname1=[FICTICIO], surname2=[ACTIVO], dni=[99999988J], email=EMPTY, tipoAfirma=[0], firmaCualificada=[S], naturalPersonSemanticsIdentifier=[IDCES-99999988J], legalPersonSemanticsIdentifier=[VATES-Q3890349H], serial_number=[C6o=], preferencia_otp=[sms], given_name=[CORPREC], pais=[ES], not_after=[2021-03-16T12:15:29Z], register_type=[1], policy_identifier=[1.3.6.1.4.1.14777.104.2], person_status=[PF], organization=[EMPTY], domain=[izenpe], name=[CORPREC FICTICIO ACTIVO], notOnOrAfter=2018-11-13T14:18:41.480Z, family_name=FICTICIO ACTIVO} | roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |>

What am I missing here?

Thank you very much once again!!

Best regards,
David.

Jérôme LELEU

Nov 13, 2018, 10:45:50 AM
to cas-...@apereo.org
Hi,

You are missing nothing. pac4j authentication attributes are not used to build the CAS principal, only the user attributes.
Thanks.
Best regards,
Jérôme



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b40c3d58-1281-43e8-917b-8e76ca204241%40apereo.org.

David Oteo

Nov 14, 2018, 8:05:56 AM
to CAS Community
Hello,

Alright! Would it be possible to access authentication attributes in CAS during the authentication process?

We are using a groovy script to map the final user attributes released in the Principal and the authentication attributes are not present in the "currentAttributes" parameter passed to the script either (guess this is normal).

{
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https://.*",
    "name": "HTTPS",
    "id": 10000001,
    "evaluationOrder": 10000,
    "usernameAttributeProvider": {
        "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute": "principalId"
    },
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.GroovyScriptAttributeReleasePolicy",
        "groovyScript": "classpath:/cas/config/services/mapearAtributos.groovy"
    }
}

Besides, I observed that the script runs twice per user authenticated. This only happens when the username attribute provider is configured to return an attribute that is already resolved for the principal as seen above. Not a big deal but, is there a way to prevent the script running twice?

Thank you!!

Best regards,
David.
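As an added illustration (not code from this thread, nor from the CAS or pac4j projects), this is what a mapearAtributos.groovy of the kind referenced in the service definition above could look like for the CAS 5.2 GroovyScriptAttributeReleasePolicy. The argument order (args[0] = the principal's current attributes, args[1] = a logger) follows the CAS 5.2 documentation; the source attribute names (dni, given_name, family_name, surname1, email, cif, firmaCualificada) are taken from the SAML2Profile dump in the first message; the target names (uid, givenName, sn, mail, organizationVat, displayName, qualifiedSignature) and the handling of the IdP's "EMPTY" placeholder are assumptions made for the example.

```groovy
import java.util.*

// Illustrative CAS 5.2 attribute release script (added example, not the thread's own script).
// Assumed argument order per the CAS 5.2 docs: args[0] = current principal attributes
// (Map<String, Object>), args[1] = logger.
def Map<String, List<Object>> run(final Object... args) {
    def currentAttributes = args[0] as Map<String, Object>
    def logger = args[1]

    logger.debug("Attributes received by mapearAtributos.groovy: {}", currentAttributes)

    // Normalise every value to a List. The profile dump shows a mix of list values
    // (country=[ES]) and raw strings (family_name=FICTICIO ACTIVO), and an "EMPTY"
    // placeholder (email=EMPTY, organization=[EMPTY]) that is treated here as absent.
    def asValues = { Object v ->
        def list = (v instanceof Collection) ? v.toList() : (v == null ? [] : [v])
        list.findAll { it != null && it.toString() != "EMPTY" }
    }

    def released = [:]

    // Rename the IdP's attribute names to the names the application expects (assumed targets).
    def renames = [dni: "uid", given_name: "givenName", surname1: "sn",
                   email: "mail", cif: "organizationVat"]
    renames.each { from, to ->
        def values = asValues(currentAttributes[from])
        if (!values.isEmpty()) {
            released[to] = values
        }
    }

    // Derived attribute: a single display name built from the name parts.
    def given = asValues(currentAttributes["given_name"])
    def family = asValues(currentAttributes["family_name"])
    if (!given.isEmpty() || !family.isEmpty()) {
        released["displayName"] = [(given + family).join(" ")]
    }

    // Release a flag only when the IdP reports a qualified signature (firmaCualificada=[S]).
    if (asValues(currentAttributes["firmaCualificada"]).contains("S")) {
        released["qualifiedSignature"] = ["true"]
    }

    // Authentication attributes such as the SAML AuthnContext are not part of
    // currentAttributes (see the reply above), so they cannot be mapped here.
    logger.debug("Releasing attributes: {}", released)
    return released
}
```

Because the thread reports that the script can run twice per login, the mapping is deliberately deterministic and free of side effects: it only reads currentAttributes and returns a new map, so a second invocation produces the same released attributes and nothing else.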