CAS 2.0 attribute return?

Richard Frovarp

Oct 12, 2016, 12:22:17 PM
to CAS Users
There was a sort of extension to the CAS 2.0 protocol that allowed for
attribute return. Is that even possible in the upcoming 5.x line? I
can't see anything in the docs for the 4.x line, so I'm guessing not. I
think we have some old services that were doing CAS 2.0 with attribute
return. They certainly were all external vendors.

Thanks,

Richard

Richard Frovarp

Oct 14, 2016, 2:16:05 PM
to CAS Users
On 10/14/2016 12:15 PM, Baron Fujimoto wrote:
> The /cas/samlValidate endpoint has returned attributes via SAML for a
> long time in CAS. It's still present in 5.x.
>
> <https://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html#samlvalidate-cas-30>
>
> I haven't tried it yet, but /p3/serviceValidate should also return
> attributes via XML or JSON.
>
> <https://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html#p3servicevalidate-cas-30>
>
> -baron

Yeah, most of our stuff does SAML 1.1. I know some vendors were
specifically doing CAS 2.0, and expecting attribute return. You used to
be able to hack something into the xslt to have it put the attributes
there in an extension that some of the CAS clients understood.

I did see that CAS 3.0 supports attributes. It might just come down to
pointing them at that validator. It also might come down to having them
upgrade. The unfortunate part is that the list of vendors needing this
has been lost to time. I should be able to look at the logs and see who
is hitting the CAS validation endpoint over the SAML one, and go from
there.

I'm guessing that since there is an officially supported version of the
protocol that does attribute return, the "easy" hack of adding it in is
no longer easy.

Misagh Moayyed

Oct 14, 2016, 2:45:27 PM
to CAS Users


> I'm guessing that since there is an officially supported version of the
> protocol that does attribute return, the "easy" hack of adding it in is
> no longer easy.

No. You just make this file [1] look like this file [2], and you’re done. (v4.2.x)

[1] https://github.com/apereo/cas/blob/4.2.x/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp

[2] https://github.com/apereo/cas/blob/4.2.x/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/3.0/casServiceValidationSuccess.jsp 

Or you force traffic to go to p3/ and you wouldn’t have to change anything. 


A rather herculean yet more “reasonable” thing to do is to get your vendors to upgrade. 
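
The log review mentioned earlier in the thread (finding which services still validate against the CAS 2.0 endpoint rather than SAML or p3/) can be scripted. This is an added example, not part of the original thread or of CAS itself; it assumes a common-format access log and a /cas context path, and the sample lines, hosts and addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in common access-log format (an assumption about how the
# container in front of CAS logs requests); hosts, IPs and tickets are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Oct/2016:12:01:02 -0500] "GET /cas/serviceValidate?service=https%3A%2F%2Fvendor-a.example%2Fapp&ticket=ST-1-abc HTTP/1.1" 200 412
192.0.2.10 - - [14/Oct/2016:12:03:40 -0500] "GET /cas/serviceValidate?service=https%3A%2F%2Fvendor-a.example%2Fapp&ticket=ST-2-def HTTP/1.1" 200 412
198.51.100.7 - - [14/Oct/2016:12:04:11 -0500] "POST /cas/samlValidate?TARGET=https%3A%2F%2Fportal.example%2F HTTP/1.1" 200 2310
203.0.113.5 - - [14/Oct/2016:12:05:59 -0500] "GET /cas/p3/serviceValidate?service=https%3A%2F%2Fvendor-b.example%2F&ticket=ST-3-ghi HTTP/1.1" 200 688
192.0.2.44 - - [14/Oct/2016:12:06:30 -0500] "GET /cas/login?service=https%3A%2F%2Fvendor-a.example%2Fapp HTTP/1.1" 302 0
"""

REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Validation endpoints from the thread, labelled by the protocol they speak.
ENDPOINTS = {
    "/serviceValidate": "CAS 2.0",
    "/p3/serviceValidate": "CAS 3.0",
    "/samlValidate": "SAML 1.1",
}

def classify(path):
    """Return the protocol label for a request path, or None if not a validator."""
    # Longest suffix first: /p3/serviceValidate also ends in /serviceValidate.
    for suffix in sorted(ENDPOINTS, key=len, reverse=True):
        if path.endswith(suffix):
            return ENDPOINTS[suffix]
    return None

def validators_by_service(log_text):
    """Map protocol -> Counter of (service host, client IP) validation hits."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        url = urlsplit(m.group("target")) if m else None
        protocol = classify(url.path) if url else None
        if protocol is None:
            continue  # unparseable line, or not a validation request
        query = parse_qs(url.query)
        # CAS validators carry the service URL in `service`, samlValidate in `TARGET`.
        service = (query.get("service") or query.get("TARGET") or ["?"])[0]
        host = urlsplit(service).hostname or "?"
        seen[protocol][(host, m.group("ip"))] += 1
    return seen

if __name__ == "__main__":
    for protocol, hits in sorted(validators_by_service(SAMPLE_LOG).items()):
        print(protocol, dict(hits))
```

Entries under "CAS 2.0" are the services that would need either the view change or a move to p3/ before they receive attributes.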
