CAS 5.2 Passing LDAP Attributes to Application
510 views
Skip to first unread message
Bill Scully
Aug 31, 2018, 3:00:09 PM8/31/18
to CAS Community
Hi,
I'm having a hard time getting my head around where to start configuring CAS to provide LDAP attributes to the "RegisteredService" / application after authentication. I'm assuming there are 2 areas that I need to configure, cas.properties and service JSON files, but navigating the documentation to find what I need has been beyond me up to this point.
Can someone kindly point me to the right areas of https://apereo.github.io/cas/5.2.x/ or give me some tips on where I can figure out how to retrieve certain attributes from LDAP and share those selected values with the application? I hope I'm using "application" properly.
Thanks,
Bill
Ray Bon
Aug 31, 2018, 3:09:51 PM8/31/18
to cas-...@apereo.org
Bill,
Service config:
CAS config:
in particular, cas.authn.ldap[0].principalAttributeList
Ray
-- Ray Bon Programmer analyst Development Services, University Systems 2507218831 | CLE 019 | rb...@uvic.ca
Carl Waldbieser
Aug 31, 2018, 3:17:12 PM8/31/18
to cas-user
Bill,
In `cas.properties`, in your LDAP section, you want a property like this:
cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
That says that the principal that is authenticated should get the above list of LDAP attributes. For the ones that have 2 items separated by a colon, that is just a rename from the LDAP attribute to the name that will be exposed via CAS.
In your service file for an individual service, you specify what attributes from the above list you want to release. The following sections from a service file are an example:
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"attributeFilter" : {
"@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
"patterns": {
"@class" : "java.util.HashMap",
"memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
},
"excludeUnmappedAttributes": false,
"completeMatch": false,
"order": 0
},
"allowedAttributes" : [ "java.util.ArrayList",
[
"uid",
"memberOf",
"email",
"givenName",
"surname"
]
]
},
The "attributeReleasePolicy" is used to filer the "memberOf" attribute down to a specific value (because he attribute is multi-valued, and you usually only want to release only one or a few of the values to a service). The "allowedAttributes" section specifies what attributes from the principal will be released at all.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ac28e9bc-9bdf-4d1d-9d59-d99ad23d2dc9%40apereo.org.
In `cas.properties`, in your LDAP section, you want a property like this:
cas.authn.ldap[0].principalAttributeList=uid,givenName,sn:surname,mail:email,memberOf
That says that the principal that is authenticated should get the above list of LDAP attributes. For the ones that have 2 items separated by a colon, that is just a rename from the LDAP attribute to the name that will be exposed via CAS.
In your service file for an individual service, you specify what attributes from the above list you want to release. The following sections from a service file are an example:
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"attributeFilter" : {
"@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
"patterns": {
"@class" : "java.util.HashMap",
"memberOf": "cn=administrators,ou=groups,dc=example,dc=org"
},
"excludeUnmappedAttributes": false,
"completeMatch": false,
"order": 0
},
"allowedAttributes" : [ "java.util.ArrayList",
[
"uid",
"memberOf",
"email",
"givenName",
"surname"
]
]
},
The "attributeReleasePolicy" is used to filer the "memberOf" attribute down to a specific value (because he attribute is multi-valued, and you usually only want to release only one or a few of the values to a service). The "allowedAttributes" section specifies what attributes from the principal will be released at all.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ac28e9bc-9bdf-4d1d-9d59-d99ad23d2dc9%40apereo.org.
Bill Scully
Aug 31, 2018, 5:02:05 PM8/31/18
to CAS Community
Thank you both for your helpful links and examples!
I haven't been able to successfully retrieve any specified attributes in our testing, but it may our client configuration.
On to troubleshooting!
Many, many thanks to both of you, again!
Bill Scully
Aug 31, 2018, 5:02:11 PM8/31/18
to CAS Community
Thank you both for your helpful links and examples!
I haven't been able to successfully retrieve any specified attributes in our testing, but it may our client configuration.
On to troubleshooting!
Many, many thanks to both of you, again!
On Friday, August 31, 2018 at 2:17:12 PM UTC-5, waldbiec wrote:
Bill Scully
Aug 31, 2018, 5:07:47 PM8/31/18
to CAS Community
Yup, it was just the CAS client configuration. All is well. Thanks!
Ivan Green
Aug 11, 2021, 7:08:36 AM8/11/21
to CAS Community, waldbiec
Hello!
And what to do if:
I have CAS 5.2.3 and an LDAP connection.
LDAP has 1 domain and 2 ou (ou = groups, ou = people). Each group has a cn with the group name. Each such group contains several members, where the username from ou = people is specified.
My task is to get the groups of the user when it is authenticated in order to update them.
I just can't figure out how I can use CAS to get the groups of each user out of LDAP.
пятница, 31 августа 2018 г. в 22:17:12 UTC+3, waldbiec:
Gowtham Krishna
Jan 18, 2022, 3:17:37 AM1/18/22
to CAS Community, fryc...@gmail.com, waldbiec
Did you get solution to this, even i am having the same scenario and looking for the solution to the same question?
Reply all
Reply to author
Forward
0 new messages