I am attempting to utilize the attribute definitions feature, and I have hit a wall.
Reference used:
https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html
Implemented in my cas.properties:
cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json
With the contents of /etc/cas/config/attributes.json:
{
"@class" : "java.util.TreeMap",
"testName" : {
"@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
"key" : "testName",
"name" : "testName",
"scoped" : true,
"attribute" : "uid"
}
}
I have turned on the following debug in log4j2.xml:
<AsyncLogger name="org.apereo" level="debug” includeLocation="true"/>
When I start up the CAS server there does not seem to be anything related to the attribute definitions present. Hitting up the discovery profile actuator does not list the defined attributes in the “availableAttributes”. There is no logging in relation to the attribute definitions configuration.
I am aware that we could do custom attributes via return mapped and groovy inline scripting, but we want something more broadly available to all services instead of per service entry custom attributes.
Does anyone have any guidance/ideas on how to get attribute definition feature up and running?
Already able to release attributes from authentication source (LDAP). These attribute definitions are an attempt to add scope to attributes from that authentication source.
For example using uid from LDAP to define an eduPersonPrincipalName:
{
@class: java.util.TreeMap
eduPersonPrincipalName: {
@class: org.apereo.cas.authentication.attribute.DefaultAttributeDefinition
key: eduPersonPrincipalName
name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
friendlyName: eduPersonPrincipalName
scoped: true
attribute: uid
}
My understanding is that this should take the attribute “uid”, from the person directory, and append the value of cas.server.scope as a domain scope.
uid = user1
cas.server.scope= example.org
Which results in:
eduPersonPrincipalName=us...@example.org
My experience is that defining “cas.person-directory.attribute-definition-store.json.location” in the cas.properties file has no effect and that enabling debugging in CAS does not identify any errors, or any indicators at all, that this feature is working.
I’m assuming that I’m lacking some configuration or that my understanding of how this should work is incorrect.
Follow up, for anyone running into this situation. One of the problems was a lack of understanding, and the other was a “maybe” configuration error.
Turns out the attribute definitions were working, but they do not show up in availableAttributes as output by the cas/actuator/discoveryProfile endpoint. Therefore, they were “invisible” to the cas-management app. Might be an idea for PR/feature request.
To get the attribute definitions working, under 6.3.X, I ended using the following method. Use a mapped attribute release policy and reference the friendlyName defined in the attribute definition.
attributeReleasePolicy:
{
@class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
allowedAttributes:
{
@class: java.util.TreeMap
eduPersonPrincipalName:
[
java.util.ArrayList
[
eduPersonPrincipalName
]
]
}
}
Would also probably work in ReturnAllowedAttributeReleasePolicy, ReturnAllAttributeReleasePolicy. Just have not tested.
I should mention, in case it is specific to SAML registered services, I switched the attribute definition to the SamlIdpAttributeDefinition class. This extends DefaultAttributeDefinition to add two optional attributes urn and friendlyName. Originally, I was using friendlyName under DeafultAttributeDefinition which may have been the configuration error.
New /cas/etc/config/attribute.json:
{
@class : java.util.TreeMap
eduPersonPrincipalName : {
@class : org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition
key : eduPersonPrincipalName
name : eduPersonPrincipalName
urn : urn:oid:1.3.6.1.4.1.5923.1.1.1.6
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
cas-user+u...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c134b38126724e42b83c155f7e2236d0%40mun.ca.