Attribute Definitions in 6.3.x?


King, Robert

Feb 2, 2022, 10:08:21 AM
to cas-...@apereo.org

I am attempting to utilize the attribute definitions feature, and I have hit a wall.

Reference used:

https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html

Implemented in my cas.properties:

cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

With the contents of /etc/cas/config/attributes.json:

{
    "@class" : "java.util.TreeMap",
    "testName" : {
      "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
      "key" : "testName",
      "name" : "testName",
      "scoped" : true,
      "attribute" : "uid"
    }
}

I have turned on the following debug in log4j2.xml:

<AsyncLogger name="org.apereo" level="debug" includeLocation="true"/>

When I start up the CAS server there does not seem to be anything related to the attribute definitions present. Hitting up the discovery profile actuator does not list the defined attributes in the “availableAttributes”. There is no logging in relation to the attribute definitions configuration.

I am aware that we could do custom attributes via return mapped and groovy inline scripting, but we want something more broadly available to all services instead of per service entry custom attributes.


Does anyone have any guidance/ideas on how to get the attribute definition feature up and running?

Pablo Vidaurri

Feb 2, 2022, 3:00:22 PM
to CAS Community, ro...@mun.ca
Have you tried this in your cas.properties:

cas.authn.attributeRepository.core.defaultAttributesToRelease=foo,bar,mail,name

The values you provide are comma-delimited attributes from your sources such as ldap, active directory, db, static.

King, Robert

Feb 2, 2022, 3:22:44 PM
to Pablo Vidaurri, CAS Community

Already able to release attributes from authentication source (LDAP). These attribute definitions are an attempt to add scope to attributes from that authentication source.

For example using uid from LDAP to define an eduPersonPrincipalName:

{
  @class: java.util.TreeMap
  eduPersonPrincipalName: {
    @class: org.apereo.cas.authentication.attribute.DefaultAttributeDefinition
    key: eduPersonPrincipalName
    name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    friendlyName: eduPersonPrincipalName
    scoped: true
    attribute: uid
  }
}

My understanding is that this should take the attribute “uid”, from the person directory, and append the value of cas.server.scope as a domain scope.

uid = user1
cas.server.scope = example.org

Which results in:

eduPersonPrincipalName=us...@example.org

My experience is that defining “cas.person-directory.attribute-definition-store.json.location” in the cas.properties file has no effect and that enabling debugging in CAS does not identify any errors, or any indicators at all, that this feature is working.

I’m assuming that I’m lacking some configuration or that my understanding of how this should work is incorrect.

King, Robert

Feb 7, 2022, 10:03:43 AM
to cas-...@apereo.org

Follow up, for anyone running into this situation. One of the problems was a lack of understanding, and the other was a “maybe” configuration error.

Turns out the attribute definitions were working, but they do not show up in availableAttributes as output by the cas/actuator/discoveryProfile endpoint. Therefore, they were “invisible” to the cas-management app. Might be an idea for PR/feature request.

To get the attribute definitions working, under 6.3.X, I ended up using the following method. Use a mapped attribute release policy and reference the friendlyName defined in the attribute definition.

  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
    allowedAttributes:
    {
      @class: java.util.TreeMap
      eduPersonPrincipalName:
      [
        java.util.ArrayList
        [
          eduPersonPrincipalName
        ]
      ]
    }
  }

Would also probably work in ReturnAllowedAttributeReleasePolicy, ReturnAllAttributeReleasePolicy. Just have not tested.

I should mention, in case it is specific to SAML registered services, I switched the attribute definition to the SamlIdpAttributeDefinition class. This extends DefaultAttributeDefinition to add two optional attributes urn and friendlyName. Originally, I was using friendlyName under DefaultAttributeDefinition which may have been the configuration error.

New /cas/etc/config/attribute.json:

{
    @class : java.util.TreeMap
    eduPersonPrincipalName : {
      @class : org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition
      key : eduPersonPrincipalName
      name : eduPersonPrincipalName
      urn : urn:oid:1.3.6.1.4.1.5923.1.1.1.6

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c134b38126724e42b83c155f7e2236d0%40mun.ca.
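As an added illustration (not CAS's own code and not posted by anyone in the thread), the following Python models the two mechanisms the posts combine: a scoped attribute definition that takes "uid" from the person directory and appends "@" plus cas.server.scope, and a ReturnMappedAttributeReleasePolicy that only releases a definition once a service names its key. The definitions file, the principal and the scope are constructed sample data shaped like the posts' examples; the function names are invented for this model, and the defaulting of "attribute" to "key" and the normalising of single values to lists are assumptions of the model, not documented CAS behaviour.

```python
import json

# Constructed sample definitions file, written as the proper JSON the
# first post uses (quoted keys), covering the eduPersonPrincipalName case
# from the second post plus an unscoped definition for contrast.
ATTRIBUTE_DEFINITIONS_JSON = """
{
  "@class": "java.util.TreeMap",
  "eduPersonPrincipalName": {
    "@class": "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
    "key": "eduPersonPrincipalName",
    "name": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "friendlyName": "eduPersonPrincipalName",
    "scoped": true,
    "attribute": "uid"
  },
  "mail": {
    "@class": "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
    "key": "mail",
    "scoped": false
  }
}
"""

# Constructed service excerpt mirroring the follow-up post's mapped policy:
# principal attribute name -> name(s) released to the service.
ALLOWED_ATTRIBUTES = {
    "eduPersonPrincipalName": ["eduPersonPrincipalName"],
    "mail": ["mail"],
}


def load_definitions(text):
    """Parse the store file; "@class" is type information, not a definition."""
    store = json.loads(text)
    return {key: defn for key, defn in store.items() if key != "@class"}


def resolve_definition(defn, principal_attributes, scope):
    """Values one definition yields for a principal.

    "attribute" names the source attribute (assumed here to default to "key");
    "scoped" appends "@" + scope, which is the behaviour the thread relies on.
    """
    source = defn.get("attribute") or defn["key"]
    values = principal_attributes.get(source, [])
    if not isinstance(values, list):
        values = [values]
    if defn.get("scoped"):
        if not scope:
            raise ValueError(f"definition {defn['key']!r} is scoped but cas.server.scope is unset")
        values = [f"{value}@{scope}" for value in values]
    return values


def resolve_attributes(definitions, principal_attributes, scope):
    """Principal attributes plus every definition that produced a value."""
    resolved = {k: (v if isinstance(v, list) else [v]) for k, v in principal_attributes.items()}
    for key, defn in definitions.items():
        values = resolve_definition(defn, principal_attributes, scope)
        if values:
            resolved[key] = values
    return resolved


def apply_mapped_release_policy(allowed_attributes, resolved):
    """Release only the mapped attributes, under their mapped name(s)."""
    released = {}
    for source, targets in allowed_attributes.items():
        if source not in resolved:
            continue  # definition produced nothing (e.g. uid missing): release nothing
        for target in ([targets] if isinstance(targets, str) else targets):
            released[target] = resolved[source]
    return released


def demo():
    # Constructed principal as an LDAP lookup might return it, and the scope from the post.
    principal = {"uid": "user1", "mail": "user1@example.org", "sn": "One"}
    scope = "example.org"
    definitions = load_definitions(ATTRIBUTE_DEFINITIONS_JSON)
    resolved = resolve_attributes(definitions, principal, scope)
    return apply_mapped_release_policy(ALLOWED_ATTRIBUTES, resolved)


if __name__ == "__main__":
    print(demo())
```

The model reproduces the point the follow-up post makes: the definition resolves silently in the background, and "sn", which no policy maps, never reaches the service; only a release policy that names the definition's key makes its value visible, which is why nothing appears in the discovery profile or the logs while the store is otherwise working. A scoped definition with no cas.server.scope set is treated as a configuration error rather than producing a bare value.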
