User Attributes for SAML 2.0

John D Giotta

May 15, 2018, 7:32:28 PM
to CAS Community
How do I set up user attributes for SAML 2.0?

David Curry

May 15, 2018, 9:08:21 PM
to cas-...@apereo.org
The same way you do for CAS services, pretty much. Just list what you want to return. If you need the uri naming, you can use the "return mapped attributes" feature; there's an example of that in my doc. Although that may or may not be necessary depending on the SP.

CAS 5.3 has some improved functionality in this area (uri names plus friendly names at the same time), but we haven't needed it in our environment (YMMV).

David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8a7ec4d7-6a6f-41cf-be7d-86cb08ea9e70%40apereo.org.

John D Giotta

May 16, 2018, 9:07:39 AM
to CAS Community
Do you have an example of this?

David Curry

May 16, 2018, 10:49:10 AM
to cas-...@apereo.org


Here's a JSON definition for an Apache HTTPD with the Shibboleth mod_shib/shibd plug-in:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "name" : "Apache Secured By SAML",
  "id" : 1509030300,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "cn" : "urn:oid:2.5.4.3",
      "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
      "givenName" : "urn:oid:2.5.4.42",
      "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
      "role" : "urn:newschool:attribute-def:role",
      "sn" : "urn:oid:2.5.4.4",
      "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
      "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER"
    }
  },
  "evaluationOrder" : 1125
}

But if your SP doesn't care about the funky notation, you can just do it the "regular" way... here's a definition for a test SP created via RSA's free IAMShowcase site (this is a cut-down copy of the entire registry entry to show the part you're interested in):

{
    "serviceId": "IAMShowcase",
    "name": "RSA SAML Test Service Provider",
    "theme": null,
    "informationUrl": null,
    "privacyUrl": null,
    "id": 1202469081,
    "description": "The URL for the SP that talks to this service is https://sptest.iamshowcase.com/ixs?idp=<snip>",
    "evaluationOrder": -1,
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes": [
            "displayName",
            "givenName",
            "sn",
            "uid"
        ]
    }
}


--Dave

John D Giotta

May 16, 2018, 11:56:45 AM
to CAS Community
Would this example you provided be applicable to a jdbc backend?

David Curry

May 16, 2018, 12:08:04 PM
to cas-...@apereo.org
I'm not sure I understand the question. If you mean could you copy the example I provided directly into a jdbc/jpa service registry, then I have to say I don't know, because I don't know how the information is stored in the database.

The first example I gave (the Apache one) is a json file from a json service registry, so if you know how to "import" from a json service registry to your database-backed one, then yeah, I guess you could do that.

The second example I gave is incomplete; I went to my CAS dashboard and clicked on the "Registered Services" button, which dumped the entire registry as JSON, and then I copied that particular entry into the email, and deleted lots of irrelevant bits. So I would not recommend directly using that for anything.

If you're to the point of adding "real" services instead of just a couple of test entities, I suggest you get the management webapp working, and then use that to manage your services. It's MUCH easier, as it takes care of all the complexities; you just point-n-click, for the most part.

That's probably a longer answer than you were looking for. :-)

--Dave

John D Giotta

May 16, 2018, 1:02:48 PM
to CAS Community
I've had very little success making the management service work (like other things).
I try to follow the documentation, but something is always amiss. 

My personal problem is that I'm very much a TDD developer. I have issues not being able to effectively test what I'm doing. 

John D Giotta

May 21, 2018, 10:46:12 AM
to CAS Community
David,

I'm still trying to understand how user attributes are supposed to work. Let's say I'm using JDBC as my source for user data and credentials. If I'm writing the JSON service to map datasource fields to SAML attributes, how is this done? Is it naming convention? Do I need to include a custom mapping Java class?

David Curry

May 21, 2018, 11:31:04 AM
to cas-...@apereo.org
Someone smarter than me may need to weigh in on this... but I'll try.

As I understand it, SAML SPs will accept two forms of attribute names. One form is that "urn" notation that Shibboleth seems to like:

<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>

The other form is the "friendly name," which is basically just a string, like "cn" or "uid" or "givenName" or whatever. If you're using LDAP (or AD) as your directory, then it's likely (although not required) that your friendly names will just be your LDAP attribute names. I haven't used a JDBC attribute repository with CAS 5, so I'm not sure what your attribute names are there, but I'm guessing they're similar.

Anyway, CAS 5 lets you define your attributes, and the names you'd like to return them under, in cas.properties. So, for LDAP, I have:

cas.authn.attributeRepository.ldap[0].attributes.cn:            uid
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName:     givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:          mail
cas.authn.attributeRepository.ldap[0].attributes.memberOf:      memberOf
cas.authn.attributeRepository.ldap[0].attributes.sn:            sn
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber:   cn

This says that, when I release these attributes to an application, it will see:
  1. Attributes called displayName, givenName, mail, memberOf, and sn with the values of the LDAP attributes of the same name
  2. An attribute called uid that contains the value of the LDAP cn attribute (i.e., I "rename" the attribute when I release it to the application)
  3. An attribute called cn that contains the value of the LDAP tnsIDNumber attribute
You can do the same thing with JDBC (according to the documentation anyway; I don't have a JDBC source to try it against):

cas.authn.attributeRepository.jdbc[0].attributes.uid:           uid
cas.authn.attributeRepository.jdbc[0].attributes.last_name:     sn
cas.authn.attributeRepository.jdbc[0].attributes.first_name:    givenName

and so on.

So... in the simple case, where your SAML SP (the client app) will accept "friendly" names, you can just return the attributes in exactly the same way as you do for a CAS service. But, in the other case, where your SAML SP wants the "urn" names, you'll need to convert whatever names you've configured in cas.properties to the other notation. You can do this by using a ReturnMappedAttributeReleasePolicy in the service definition:

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "cn" : "urn:oid:2.5.4.3",
    "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName" : "urn:oid:2.5.4.42",
    "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
    "role" : "urn:newschool:attribute-def:role",
    "sn" : "urn:oid:2.5.4.4",
    "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
    "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER"
  }
}

Determining WHAT the "urn" values should be is the hardest part. In the case of the Shibboleth SP (Apache mod_shib), they're defined in /etc/shibboleth/attribute-resolver.xml.

Note: CAS 5.3, I believe, has added support for returning both the "urn" and friendly names in the SAML response instead of either/or. I haven't tried this, but recall seeing it in one of the changelogs...

You might find it helpful to set up a test SAML SP on the RSA IAM Showcase (https://sptest.iamshowcase.com/). It's free, and dead simple to do (download their metadata, upload your metadata, create a service registry entry, done). When you log into their SP, it will display all the attributes and other SAML data that it got back.

Hope this helps,
--Dave

John D Giotta

May 21, 2018, 4:22:08 PM
to CAS Community
The error I see on the CAS server is the following:

2018-05-21 20:15:07,348 INFO [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController] - <Received SAML callback profile request [/cas/idp/profile/SAML2/Callback.+]>
2018-05-21 20:15:07,656 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress] that is based off of [email] in the allowed attributes list. Ensure the original attribute [email] is retrieved and contains at least a single value. Attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress] will and can not be released without the presence of a value.>
2018-05-21 20:15:07,664 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname] that is based off of [givenName] in the allowed attributes list. Ensure the original attribute [givenName] is retrieved and contains at least a single value. Attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname] will and can not be released without the presence of a value.>
2018-05-21 20:15:07,670 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname] that is based off of [surname] in the allowed attributes list. Ensure the original attribute [surname] is retrieved and contains at least a single value. Attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname] will and can not be released without the presence of a value.>

Any ideas?

David Curry

May 21, 2018, 4:26:25 PM
to cas-...@apereo.org
Can you attach the relevant section of cas.properties (the part where you define which attributes you're going to resolve) and the service definition for the SAML SP?


John D Giotta

May 21, 2018, 4:28:27 PM
to CAS Community
cas.authn.accept.users=

cas.authn.jdbc.query[0].ddlAuto=none
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].fieldPassword=password
cas.authn.jdbc.query[0].password=
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=
cas.authn.jdbc.query[0].passwordEncoder.secret=
cas.authn.jdbc.query[0].passwordEncoder.strength=10
cas.authn.jdbc.query[0].passwordEncoder.type=BCRYPT
cas.authn.jdbc.query[0].sql=SELECT * FROM app_user WHERE email=? AND enabled = 1
cas.authn.jdbc.query[0].user=u

# User Attribute Settings
cas.authn.attributeRepository.jdbc[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.attributeRepository.jdbc[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.attributeRepository.jdbc[0].user=u
cas.authn.attributeRepository.jdbc[0].password=
cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].sql=SELECT id, first_name, last_name, email FROM app_user WHERE {0}

cas.authn.attributeRepository.jdbc[0].attributes.uid=id
cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name
cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email
cas.authn.attributeRepository.jdbc[0].attributes.surname=last_name

David Curry

May 21, 2018, 4:34:17 PM
to cas-...@apereo.org
Based on the SELECT, I think these definitions are flipped:

cas.authn.attributeRepository.jdbc[0].attributes.uid=id
cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name
cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email
cas.authn.attributeRepository.jdbc[0].attributes.surname=last_name

The format is "attribute-name-in-my-repository = what-i-want-to-call-it-when-it's-released", so you want

cas.authn.attributeRepository.jdbc[0].attributes.id=uid
cas.authn.attributeRepository.jdbc[0].attributes.first_name=givenName
cas.authn.attributeRepository.jdbc[0].attributes.email=emailaddress
cas.authn.attributeRepository.jdbc[0].attributes.last_name=surname

--Dave
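
The mapping direction David describes (repository column on the left, released attribute name on the right) and the ReturnMappedAttributeReleasePolicy from his May 21 reply are easy to get backwards, and the WARN lines John quoted are exactly what the backwards form produces. The script below is an added example written for this page, not CAS code: it re-implements both steps (parsing the attributes.* properties, renaming the row's columns to CAS attribute names, then applying the release policy) on a constructed database row, the flipped and corrected property sets from the thread, and a constructed policy. The three claim URIs come from the warnings quoted above; the row values and the plain "uid" policy entry are assumptions.

```python
"""Simulate CAS attribute resolution followed by a ReturnMappedAttributeReleasePolicy.

Added example, not CAS code. Two steps from the thread are re-implemented:
  1. attribute repository mapping from cas.properties:
     cas.authn.attributeRepository.jdbc[0].attributes.<column>=<cas attribute>
  2. ReturnMappedAttributeReleasePolicy.allowedAttributes:
     <cas attribute>: <name the SP wants>
The row, both property sets and the policy are constructed for this demo.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed: one row as a singleRow=true JDBC lookup would return it
DB_ROW: Dict[str, Any] = {
    "id": 42, "first_name": "John", "last_name": "Giotta", "email": "jdg@example.com",
}

# As first posted in the thread: column names on the right, i.e. the wrong direction
FLIPPED_PROPERTIES = """\
cas.authn.attributeRepository.jdbc[0].attributes.uid=id
cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name
cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email
cas.authn.attributeRepository.jdbc[0].attributes.surname=last_name
"""

# Corrected: repository column on the left, released attribute name on the right
CORRECT_PROPERTIES = """\
cas.authn.attributeRepository.jdbc[0].attributes.id=uid
cas.authn.attributeRepository.jdbc[0].attributes.first_name=givenName
cas.authn.attributeRepository.jdbc[0].attributes.email=emailaddress
cas.authn.attributeRepository.jdbc[0].attributes.last_name=surname
"""

# Constructed allowedAttributes map: CAS attribute -> name the SP expects.
# The three claim URIs are the ones from the warnings quoted in the thread;
# the plain "uid" entry is an assumption.
RELEASE_POLICY: Dict[str, str] = {
    "emailaddress": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "givenName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "uid": "uid",
}

# Accepts both "key=value" and the "key: value" spelling used for the LDAP example
_ATTR_RE = re.compile(
    r"^cas\.authn\.attributeRepository\.(?:jdbc|ldap)\[\d+\]\.attributes\.([^=:\s]+)\s*[=:]\s*(\S+)$"
)


def parse_attribute_mapping(properties: str) -> Dict[str, str]:
    """Return {repository_name: cas_attribute_name} from the attributes.* lines."""
    mapping: Dict[str, str] = {}
    for line in properties.splitlines():
        match = _ATTR_RE.match(line.strip())
        if match:
            mapping[match.group(1)] = match.group(2)
    return mapping


def resolve_attributes(row: Dict[str, Any], mapping: Dict[str, str]) -> Dict[str, Any]:
    """Step 1: rename repository columns to CAS attribute names.

    A mapping key that is not a column of the row contributes nothing, which is
    why the flipped properties resolve to an empty set of attributes.
    """
    return {attr: row[column] for column, attr in mapping.items() if column in row}


def release_mapped(attributes: Dict[str, Any], policy: Dict[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Step 2: release each allowed attribute under the SP's name.

    Returns (released, warnings). A source attribute without a value is not
    released and is reported, mirroring the WARN lines quoted in the thread.
    """
    released: Dict[str, Any] = {}
    warnings: List[str] = []
    for source, target in policy.items():
        value = attributes.get(source)
        if value in (None, "", []):
            warnings.append(
                f"Could not find value for mapped attribute [{target}] that is based off of [{source}]"
            )
        else:
            released[target] = value
    return released, warnings


def run(properties: str, row: Dict[str, Any] = DB_ROW, policy: Dict[str, str] = RELEASE_POLICY):
    """Resolve the row with the given properties, then apply the release policy."""
    return release_mapped(resolve_attributes(row, parse_attribute_mapping(properties)), policy)


if __name__ == "__main__":
    for label, props in (("flipped", FLIPPED_PROPERTIES), ("correct", CORRECT_PROPERTIES)):
        released, warnings = run(props)
        print(f"{label}: released={released}")
        for warning in warnings:
            print(f"  WARN {warning}")
```

Running it prints four warnings and an empty release for the flipped properties and four released attributes with no warnings for the corrected ones. The same two-step view is a useful check on any CAS attribute problem: first confirm the repository step actually yields the CAS attribute name the policy keys on, then look at the policy.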

John D Giotta

May 21, 2018, 4:58:17 PM
to CAS Community
Same error. Do you think that maybe my select statement is wrong? Specifically the `WHERE {0}` That just seems wrong to me. What is {0}?

David Curry

May 21, 2018, 5:19:01 PM
to cas-...@apereo.org
Could be, but as I don't use the jdbc stuff, I can't help you with that. The {0} gets replaced with some dynamic value generated by the Java code. My guess would be it's some condition like column=value, but that's pretty much a guess.

I would suggest, if you haven't yet, setting the CAS log level to debug and the JDBC library log level to debug, and seeing if that helps you.

John D Giotta

May 21, 2018, 10:26:41 PM
to CAS Community
Is there any way to show the sql used to get user attributes?

David Curry

May 22, 2018, 10:04:28 AM
to cas-...@apereo.org
I'm pretty sure that if you enable debug-level logging on org.apereo.services.persondir in /etc/cas/config/log4j2.xml, you'll see the SQL query in cas.log. You can do that most easily by changing this line near the top of the file:

<Property name="cas.log.level" >warn</Property>

to:

<Property name="cas.log.level" >debug</Property>

You shouldn't even need to restart the server, just wait 5-10 seconds for it to re-check the logging config file.

But you sparked my curiosity (not the least because I actually did figure this out once a long time ago for CAS 3.5), so I dug around a bit. The documentation for the SingleRowJdbcPersonAttributeDao (which is what you're ultimately configuring) is here:  https://wiki.jasig.org/display/PDM15/JDBC+Attribute+Source.

According to that, the attributes are going to be fetched with a SQL query like SELECT * FROM USER_DATA WHERE {0} and, by default, the {0} is going to be replaced with username=value (where value is the name of the user you're looking for). If the column in your database that contains the username is called something other than username, you can change that with a queryAttributeMapping definition:

    <constructor-arg index="1" value="SELECT * FROM USER_DATA WHERE {0}" />
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="uid" />
        </map>
    </property>

(The above will change the {0} from username=value to uid=value.)

So, reading the CAS documentation here: https://apereo.github.io/cas/development/installation/Configuration-Properties.html#jdbc it looks to me like you need this setting:

cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM app_user WHERE {0}

(I know your current setting lists the columns you want, but I would suggest starting with this until it works, and then tweak it down if you really need to.) And, since your app_user table, as near as I can guess, doesn't have a column named username, you need to set the column you want to use (this is the equivalent of the queryAttributeMapping XML above):

cas.authn.attributeRepository.jdbc[0].username=id

I might be wrong about the setting above; you might want email in there instead of id, since that's what your authentication query is using (the value it's matching against is, I believe, whatever the user is typing in as his/her username). 

The other part of the SingleRowJdbcPersonAttributeDao discussed in the documentation is the part that maps database column names (the keys) to attribute names (the values):

    <property name="resultAttributeMapping">
        <map>
            <entry key="uid" value="username" />
            <entry key="first_name" value="first_name" />
            <entry key="last_name" value="last_name" />
            <entry key="email" value="email" />
        </map>
    </property>

That's covered by the other properties we talked about yesterday:

cas.authn.attributeRepository.jdbc[0].attributes.id=uid
cas.authn.attributeRepository.jdbc[0].attributes.first_name=givenName
cas.authn.attributeRepository.jdbc[0].attributes.email=emailaddress
cas.authn.attributeRepository.jdbc[0].attributes.last_name=surname

The database column names are on the left-hand side of the '=', and the attribute names (what the client application gets) are on the right-hand side.

Please note that the above is from my reading the documentation only (well, and getting it working once several years ago on CAS 3.5). I don't have a CAS-with-JDBC instance configured to try it out on. But hopefully it points you in the right direction, at least.

Good luck,
--Dave
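
To make the {0} substitution and the username setting concrete, here is an added Python example (not CAS or person-directory code) that runs the same style of single-row lookup against a constructed in-memory SQLite app_user table. The template is the SELECT * FROM app_user WHERE {0} from the thread and the column names follow John's table; the row contents and the identifier check are assumptions. It shows three things: {0} becomes "<username column> = <value>"; the lookup returns zero rows (the "Found [0] attributes" symptom) when the configured column does not hold the value the user logged in with, and raises an SQL error when the column does not exist; and the login value is passed as a bind parameter, never spliced into the statement, so a hostile username cannot change the query.

```python
"""Single-row JDBC attribute lookup with the {0} placeholder, done safely.

Added example, not CAS or person-directory code. It shows what the {0} in
cas.authn.attributeRepository.jdbc[0].sql stands in for, why
cas.authn.attributeRepository.jdbc[0].username must name the column that
actually holds the login identifier, and passes that identifier as a bind
parameter rather than splicing it into the statement.
The app_user table and its single row are constructed in memory.
"""
import re
import sqlite3
from typing import Any, Dict

# The template posted in the thread
SQL_TEMPLATE = "SELECT * FROM app_user WHERE {0}"

_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db() -> sqlite3.Connection:
    """Constructed app_user table with the columns named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user ("
        " id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT,"
        " email TEXT UNIQUE, password TEXT, enabled INTEGER)"
    )
    conn.execute(
        "INSERT INTO app_user VALUES (42, 'John', 'Giotta', 'jdg@example.com', 'bcrypt-hash-here', 1)"
    )
    conn.commit()
    return conn


def is_identifier(name: str) -> bool:
    """The username column comes from configuration, but it is still spliced into SQL: allow identifiers only."""
    return bool(_IDENT_RE.match(name))


def build_query(template: str, username_column: str) -> str:
    """Replace {0} with '<column> = ?', the bind-parameter form of username=value."""
    if not is_identifier(username_column):
        raise ValueError(f"refusing non-identifier username column {username_column!r}")
    return template.replace("{0}", f"{username_column} = ?")


def fetch_single_row(conn: sqlite3.Connection, template: str, username_column: str,
                     principal_id: str) -> Dict[str, Any]:
    """singleRow=true semantics: at most one row, returned as {column: value}.

    No match gives {} (CAS would then log 'Found [0] attributes for principal');
    more than one match is an error, because the lookup column is not unique.
    """
    cur = conn.execute(build_query(template, username_column), (principal_id,))
    rows = cur.fetchall()
    if not rows:
        return {}
    if len(rows) > 1:
        raise RuntimeError(f"{len(rows)} rows matched {principal_id!r}; use a unique column")
    columns = [d[0] for d in cur.description]
    return dict(zip(columns, rows[0]))


if __name__ == "__main__":
    conn = make_db()
    # "username" is not a column, "id" holds a number, "email" is what the user typed
    for column in ("username", "id", "email"):
        try:
            print(column, "->", fetch_single_row(conn, SQL_TEMPLATE, column, "jdg@example.com"))
        except sqlite3.OperationalError as exc:
            print(column, "-> SQL error:", exc)
```

With the username column set to "id" the query is syntactically fine and simply matches nothing, which is the quiet failure John hit; only "email" returns the row. The raw columns returned here are what the attributes.* mapping from the earlier messages then renames.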

John D Giotta

May 22, 2018, 1:18:24 PM
to CAS Community
My "username" column is called email, but even with your suggestions I still get the following DEBUG output in logs.

Found [0] attributes for principal [jdgiotta@gmail.com] from the attribute repository.

This is why I think there is something wrong with the query. Log level is set to debug, but I still don't see queries. I even set debug on org.springframework.orm.jpa for good measure.

Ray Bon

May 22, 2018, 1:33:03 PM
to cas-...@apereo.org
John,

You may be able to set 'show_sql' for hibernate. CAS properties has 'Hibernate-specific properties' but I have not used this.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

David Curry

May 22, 2018, 1:36:11 PM
to cas-...@apereo.org
So, you have

cas.authn.attributeRepository.jdbc[0].username=email

in cas.properties? I didn't see it in the ones you copied/pasted earlier.

Dumb question, but if you connect to the database using the same user and password that you have CAS configured to use, and you run

SELECT * FROM app_user WHERE email='jdgi...@gmail.com'

do you get your attributes?

And...assuming you own the database, can you enable query logging on that end? Or make the JDBC library log what it's doing?

John D Giotta

May 24, 2018, 2:18:16 PM
to CAS Community
That got it! Thank you so much, David!

sai ram

May 28, 2018, 7:44:28 AM
to cas-...@apereo.org, david...@newschool.edu
Presently, we are using CAS as an Identity Provider, but now we want to use SAML 2.0 as the Identity Provider instead of the CAS server. As I'm new to CAS, can anyone help me out with the steps that I need to follow? And I have some queries, like: do we need to configure the SAML Request & Response externally?
How can we register the Identity Provider with the Service Provider & vice versa?
For example, if I use LDAP as the user directory, how and with whom (IdP/SP) do I need to register LDAP?

Thanks & Regards,
A SAIRAM

David Curry

May 28, 2018, 1:45:23 PM
to aagirus...@gmail.com, cas-...@apereo.org
You should probably start by reading the CAS SAML documentation:


And then you can look at, for example, the instructions here:


for a step-by-step example of how to enable SAML IdP support on the CAS server, and build a simple test client (SP).

Note that both of the above assume that you already understand the basics of how SAML authentication works. Not the protocol details, but at least who talks to whom, and which provider performs which functions. 


Willian Gonzales

Nov 16, 2018, 10:08:12 AM
to CAS Community
Hi David!

I'm praying that you see my question now because I really need your help.
I want to thank you because you really helped me by showing the .json configuration.
But I need some help on this.

How do I manage to do a multi-value attribute in JSON?
I need the SAML response to be like this:

<Attribute Name="attribute">
  <AttributeValue>1</AttributeValue>
  <AttributeValue>2</AttributeValue>
  <AttributeValue>3</AttributeValue>
</Attribute>

Can you help me on this, man?

Regards

David Curry

Nov 16, 2018, 10:26:22 AM
to cas-...@apereo.org
Since I'm the only "David" I see in this thread I assume you're asking me... but I'm not sure I understand the question. Where are you putting the JSON that you're expecting CAS to consume it and then spit it out in a SAML response?

Normally, CAS will get the attributes from whatever repositories you configure it to use, and take care of putting them into the response itself; you don't have to specify any JSON. As far as I know, multi-valued attributes should work just fine with that.

The JSON I provided back earlier in this thread was in a service registry definition to show how to rename attributes, not provide their values.

--Dave

Willian Gonzales

Nov 16, 2018, 11:01:20 AM
to CAS Community
David,

I'm using the JSON Service Registry.
You're telling me that what's responsible for multi-value attributes is not the service registry but the repository I'm using (in my case, Active Directory)?

So, let me show you the example I'm using.

I need to map a multi-value attribute for the attribute "https://aws.amazon.com/SAML/Attributes/Role".

Here's an example of my JSON.

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 10000003,
  "description" : "CAS AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3" : "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}


What I need is to use the values of "description" and "extensionAttribute1" in the same attribute, in this case "https://aws.amazon.com/SAML/Attributes/Role".

I've tried to use the attribute repository, but it still returns only one value.

Here's my .prop file:

cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=wil...@shoracius.com.br
cas.authn.ldap[0].bindCredential=Teste@123
cas.authn.ldap[0].dnFormat=%s...@shoracius.com.br
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=unicodePwd
cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
cas.authn.ldap[0].failFast=false
cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
cas.authn.attributeRepository.ldap[0].bindDn=wil...@shoracius.com.br
cas.authn.attributeRepository.ldap[0].bindCredential=********
cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.attributeRepository.ldap[0].useSsl=false
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].name=AD
cas.authn.attributeRepository.expirationTime=30
cas.authn.attributeRepository.expirationTimeUnit=MINUTES
cas.authn.attributeRepository.maximumCacheSize=10000
cas.authn.attributeRepository.merger=MERGE
cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
# cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
# cas.authn.attributeRepository.ldap[0].attributes.cn=commonName 

Can you help me on this quest?

I'm from Brazil, so I'm sorry for my English or anything.

Thanks in advance, and I appreciate your help.

David Curry

unread,
Nov 16, 2018, 11:39:26 AM11/16/18
to cas-...@apereo.org
The "ReturnMappedAttributeReleasePolicy" is not a method for returning attribute values, it's a method for changing the name of an attribute when you release it.

For example, suppose you have an application that wants you to give it an attribute called "LastName". But your Active Directory, of course, keeps the last name in an attribute called "sn". So, in the service registry for that service, you would specify something like this:

...
 "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "LastName",
      "givenName" : "givenName",
      "cn" : "cn",
    }
  },
...  

This says you're going to get the values of the cn, givenName, and sn values from your attribute repository (Active Directory or whatever), and send them over to the client. BUT, when you do that, you're going to call them cn, givenName, and LastName instead. So for me, the client might get something like:

cn=curryd, givenName=David, LastName=Curry

(in whatever format the protocol it's speaking with the CAS server provides that information).

So what you're specifying there, is that you're going to send four attributes back to AWS: description, extensionAttribute1, extensionAttribute2, and extensionAttribute3. But when you send them back, you're going to call them by those 3 URLs and "SessionDuration". So AWS is going to get something like:


(again, in whatever format the protocol CAS is speaking with AWS specifies) which, I presume, is not what you want. :-)

I believe there is a way to release the same attribute value with more than one name, but I don't use it myself, so I don't know the details of what version that functionality was added in, or how it's actually configured.


--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728david...@newschool.edu


Willian Gonzales

unread,
Nov 16, 2018, 12:10:47 PM11/16/18
to CAS Community
David,

What I want is to log in to multiple AWS accounts using SAML2. I've managed to log into only one account. But to log in to multiple accounts you have to send the response like this:

<AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
<AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
<AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>

Right now I'm sending only one value in the AttributeValue, like this:

<AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
</Attribute>

I need to send multiple values so I can choose which account I want to log in to. You said that there's a way to return a multi-value attribute; can you show me how to return a multi-value attribute?

Thank You!




David Curry

unread,
Nov 16, 2018, 2:57:40 PM11/16/18
to cas-...@apereo.org
Well, I also said we don't do that here, so I don't actually know how to do it, just that I think you can. :-)

But seriously, I believe it depends on what you're using for an attribute repository. And I'm not sure whether it's going to give you what you want:

<AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
<AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
<AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>

or if it's going to give you something more like

<AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>

You might have to write a custom resolver or something (I'm not the one to help you with that).

Maybe someone else could weigh in here and give William some better information?

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728david...@newschool.edu



Willian Gonzales

unread,
Nov 17, 2018, 11:43:54 AM11/17/18
to CAS Community
David,

I really want to thank you for helping me on this.
I've finally managed to retrieve a multi-valued attribute. Just like you said, the component responsible for releasing attributes in CAS is the authentication handler, in my case Active Directory. So, what I did was create a custom attribute "awsRoles" in Active Directory that supports multiple values. Then I configured CAS to release the attribute and used my JSON like this:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 10000003,
  "description" : "SSO AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3": "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}

Here is my SAML Response after auth.

<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role" Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <saml2:AttributeValue>arn:aws:iam::account-id:role/role-name,arn:aws:iam::account-id:saml-provider/idp_name</saml2:AttributeValue>
    <saml2:AttributeValue>arn:aws:iam::account-id:role/role_name,arn:aws:iam::account-id:saml-provider/idp_name</saml2:AttributeValue>
</saml2:Attribute>

I'm sorry to bother you with this, but thank you for your help in showing me the way.

Have a nice weekend

Willian
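Added example (not code from this thread or from the CAS project) covering Dave's question above about whether the repository yields separate AttributeValue elements or one comma-joined value, and the multi-valued Role attribute in Willian's final response: it parses the AWS Role attribute out of a SAML assertion and checks that each role arrives as its own "role-arn,provider-arn" pair. The XML, account ids and provider name "cas" are constructed sample data.

```python
# Added example (not code from the thread or the CAS project): parse the AWS Role
# attribute out of a SAML assertion and check that each role is its own AttributeValue
# in the "role-arn,provider-arn" form, not one comma-joined value. XML is constructed.
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: two roles, one AttributeValue each (lets the user pick an account).
SAMPLE_GOOD = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="{AWS_ROLE}">
    <saml2:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/cas</saml2:AttributeValue>
    <saml2:AttributeValue>arn:aws:iam::222222222222:role/ReadOnly,arn:aws:iam::222222222222:saml-provider/cas</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed sample: the same roles flattened into a single value, which AWS cannot use.
SAMPLE_FLAT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="{AWS_ROLE}">
    <saml2:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/cas,arn:aws:iam::222222222222:role/ReadOnly,arn:aws:iam::222222222222:saml-provider/cas</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

def role_values(saml_xml):
    """Return the AttributeValue strings carried by the AWS Role attribute."""
    root = ET.fromstring(saml_xml)
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") == AWS_ROLE:
            return [(v.text or "").strip() for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
    return []

def check_role_attribute(values):
    """Return (ok, problems): every value must be exactly one role ARN plus one
    saml-provider ARN, so a comma-joined multi-role value is reported as a problem."""
    problems = []
    for v in values:
        parts = v.split(",")
        if len(parts) != 2:
            problems.append(f"expected 2 comma-separated ARNs, got {len(parts)}: {v}")
            continue
        role, provider = parts
        if not (role.startswith("arn:aws:iam::") and ":role/" in role):
            problems.append(f"not a role ARN: {role}")
        if not (provider.startswith("arn:aws:iam::") and ":saml-provider/" in provider):
            problems.append(f"not a saml-provider ARN: {provider}")
    return (bool(values) and not problems, problems)
```

Running check_role_attribute(role_values(...)) over a captured assertion tells you which of the two shapes Dave described the attribute repository actually produced.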