Stumped on attribute release in CAS 5.1


Toby Archer

Feb 23, 2018, 3:36:32 PM2/23/18
to CAS Community
I'm trying to figure out how to do attribute release and haven't gotten anywhere. I've read all the pages like this one: https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html and tried searching this mailing list and followed instructions like in this one: https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/attribute/cas-user/VVaONIp1Ts0/Hedpv2uGAwAJ

Right now I'm using ldap for both authentication and attributes. The relevant part of my cas.properties file looks like this:

# LDAP Auth
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://usd-ldap.usd.edu
cas.authn.ldap[0].baseDn=o=usd.edu
cas.authn.ldap[0].userFilter=uid=%u
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=cn=Directory Manager
cas.authn.ldap[0].bindCredential=password
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].dnFormat=uid=%s,ou=people
cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keyStorePassword=password
cas.authn.ldap[0].name=dev-ldap7-1

cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
cas.authn.ldap[0].principalAttributeList=cn,sn,mail

cas.authn.attributeRepository.defaultAttributesToRelease=cn,sn,mail

cas.authn.attributeRepository.stub.attributes.uid=uid
cas.authn.attributeRepository.stub.attributes.displayName=displayName
cas.authn.attributeRepository.stub.attributes.cn=commonName

cas.authn.attributeRepository.ldap[0].type=AUTHENTICATED
cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://usd-ldap.usd.edu
cas.authn.attributeRepository.ldap[0].baseDn=o=usd.edu
cas.authn.attributeRepository.ldap[0].userFilter=uid=%u
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].bindDn=cn=Directory Manager
cas.authn.attributeRepository.ldap[0].bindCredential=password
cas.authn.attributeRepository.ldap[0].userFilter=uid={user}
cas.authn.attributeRepository.ldap[0].dnFormat=uid=%s,uo=people
cas.authn.attributeRepository.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.attributeRepository.ldap[0].keyStorePassword=password
cas.authn.attributeRepository.ldap[0].name=dev-ldap7-1

cas.authn.attributeRepository.ldap[0].uid=uid
cas.authn.attributeRepository.ldap[0].displayName=displayName
cas.authn.attributeRepository.ldap[0].cn=commonName
cas.authn.attributeRepository.ldap[0].mail=mail
cas.authn.attributeRepository.ldap[0].sn=sn

There are configurations for a couple of different attempts, but regardless of what I do I get back no attributes. The docs talk about the personDirectory but either don't give instructions on how to configure it or give instructions for cas 4. I'm at a bit of a loss on what to do. Any advice out there?

Misagh Moayyed

Feb 23, 2018, 4:37:33 PM2/23/18
to cas-...@apereo.org
What do you expect to happen, and what is actually happening that you consider erroneous? How are you testing the attribute release bit?

Not having verified every setting, your config below says: authenticate with ldap, fetch attributes from ldap and release 3 attributes to any and all applications. The first two steps can be combined unless you have good reason not to.

--Misagh


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c0327b4c-528a-476f-8e2e-e5ee82024744%40apereo.org.

Ray Bon

Feb 23, 2018, 4:39:31 PM2/23/18
to cas-...@apereo.org
Toby,

You may need to adjust your service (service registry) to allow the attributes to be released.
These log settings may be useful:
        <!-- WARN DN resolution failed    - TODO investigate this
                  Requested LDAP attribute [???] ... -->
        <AsyncLogger name="org.apereo.cas.authentication.LdapAuthenticationHandler" level="debug" />

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Toby Archer

Feb 23, 2018, 4:55:53 PM2/23/18
to CAS Community, mmoa...@unicon.net
I'm using CAS-Flask because it's quick and easy to test with. I have it printing out all attributes it receives from CAS, it is receiving none. So I expect to receive a list of my name, last name, and email, but get nothing. But perhaps I'm testing wrong? Do you have a suggestion on how to go about testing what I'm getting from CAS?

There is no reason to separate those first two steps. Originally I had them combined, but it wasn't working, so I separated them in an effort to try everything. No dice. The any and all applications is correct for now. I figured I could figure out how to restrict it once I established that I'm actually getting attributes to flow through. This is dev so it doesn't matter.

Toby Archer

Feb 23, 2018, 4:57:10 PM2/23/18
to CAS Community
That sounds like a good idea. Pardon my ignorance, but I'm not sure where to place those logger definitions. I'm using gradle to build CAS and I don't see any xml files in the build process or in the configuration files.

Ray Bon

Feb 23, 2018, 5:28:55 PM2/23/18
to cas-...@apereo.org
In the project in etc/cas/config there is a log4j.xml.

When you say 'gradle to build CAS' do you mean the cas-gradle-overlay-template or cas proper? Use an overlay unless you are planning on developing CAS. https://github.com/apereo/

Ray

Toby Archer

Feb 26, 2018, 10:41:42 AM2/26/18
to CAS Community
With the addition of those loggers and a little tweaking I got some info that should be useful. Firstly:

2018-02-26 15:36:46,731 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process attributes for [toben.archer]>
2018-02-26 15:36:46,731 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [toben.archer]>
2018-02-26 15:36:46,732 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-02-26 15:36:46,732 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-02-26 15:36:46,733 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-02-26 15:36:46,733 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[cn, givenName, uid, affiliation, mail]]>
2018-02-26 15:36:46,733 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [cn]>
2018-02-26 15:36:46,734 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [givenName]>
2018-02-26 15:36:46,744 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [uid]>
2018-02-26 15:36:46,744 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [mail]>
2018-02-26 15:36:46,745 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{cn=[Toben Archer, Toben D Archer], givenName=Toben, mail=Toben....@usd.edu, uid=uid}]>
2018-02-26 15:36:46,745 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-02-26 15:36:46,745 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-02-26 15:36:46,746 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{cn=[Toben Archer, Toben D Archer], givenName=Toben, mail=Toben....@usd.edu, uid=uid}]>
That looks good! That looks like everything I wanted it to say, except this part "Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [toben.archer]" seems to contradict this part "Final collection of attributes allowed are: [{cn=[Toben Archer, Toben D Archer], givenName=Toben, mail=Toben....@usd.edu, uid=uid}]". But anyway, it looks like the attributes that I should be seeing in my cas request are there: cn, givenName, and mail all look right (uid=uid is wrong, but it should at least be present).

I had some concern that maybe something was going wrong in my library, so I tweaked it to give me the raw XML output:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>toben.archer</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>

The attributes should be in this xml right?

Ray Bon

Feb 26, 2018, 12:30:31 PM2/26/18
to cas-...@apereo.org
Toby,

It looks like your client is using CAS 2.0 protocol.
Attribute release can be done with SAML 1.1 and CAS 3.0 protocol.

Ray
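To make the protocol difference concrete, here is an added Python example (not from this thread, and not CAS-Flask's code) that parses both response shapes and builds the validation URL for each protocol version. The XML samples are constructed with made-up attribute values, and the endpoint helper assumes the standard /serviceValidate (CAS 2.0) and /p3/serviceValidate (CAS 3.0) paths.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: the CAS 2.0 response shape the thread shows (no attributes).
CAS2_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>toben.archer</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a CAS 3.0 (/p3/serviceValidate) response once the
# release policy lets cn, givenName and mail through. Values are made up.
CAS3_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>toben.archer</cas:user>
        <cas:attributes>
            <cas:cn>Toben Archer</cas:cn>
            <cas:cn>Toben D Archer</cas:cn>
            <cas:givenName>Toben</cas:givenName>
            <cas:mail>placeholder@example.invalid</cas:mail>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""


def validate_endpoint(cas_base, protocol_version):
    """CAS 2.0 validates tickets at /serviceValidate, CAS 3.0 at /p3/serviceValidate."""
    path = "/p3/serviceValidate" if protocol_version == 3 else "/serviceValidate"
    return cas_base.rstrip("/") + path


def parse_service_response(xml_text):
    """Return (user, attributes); raise ValueError on a CAS failure response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS validation failed: {failure.get('code')}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: neither success nor failure")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attributes = {}
    attrs_el = success.find("cas:attributes", CAS_NS)
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.split("}", 1)[-1]  # drop the {namespace} prefix
            attributes.setdefault(name, []).append(child.text)
    # Multi-valued attributes (cn above) stay lists; single values become strings.
    return user, {k: v[0] if len(v) == 1 else v for k, v in attributes.items()}
```

Pointing a client at the 2.0 endpoint gives the first shape, which is why the parser returns an empty attribute map for it; only the 3.0 endpoint carries `<cas:attributes>`.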

michael kromarek

Feb 26, 2018, 3:49:25 PM2/26/18
to cas-...@apereo.org
If you want to release attributes under CAS 2.0 protocol, here (https://kogentadono.com/2017/08/30/attribute-release-cas-5-1-x-for-cas-2-0-protocol/) is a post I wrote up a while back.

Also, attached is the file you'll need to put in your war overlay to make release work.  It should live in src/main/resources/templates/protocol/2.0

--Mike K.




casServiceValidationSuccess.html

Toby Archer

Feb 27, 2018, 3:30:12 PM2/27/18
to CAS Community, mkro...@gmail.com
Thanks everyone for the help. I've got attributes showing up now. It seems that it was entirely the protocol issue. It took me a little but I managed to delve into the library I was using and figure out how to get CAS 3.0 working on it.

Thanks for the tip Mike. I will keep that in mind for future reference. Depending on how some of my integrations go, it may be necessary.