CAS 6.4 - Attribute release doesn't work


Jérémie Pilette

Mar 25, 2021, 4:56:06 AM
to CAS Community

Hi,
I would like to use attribute release for one application (Yparéo).
I was using CAS 5.1, and it was operational.

Now with the new version 6.4, it doesn't work.

I am using a JSON file configuration:
******************************************************************
{
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^(https|http)://URL/cas.*",
    "name" : "netYpareo",
    "id" : 10000005,
    "description" : "NetYparéo",
    "evaluationOrder" : 3,
    "accessStrategy" :
        {
            "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
            "enabled" : "true",
            "ssoEnabled" : "true",
            "requireAllAttributes": "true",
            "caseInsensitive": "false"
        },
    "attributeReleasePolicy" :
        {
            "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
            "allowedAttributes" :
                {
                    "@class" : "java.util.TreeMap",
                    "id_attribute" : "codeNYP"
                }
        },
    "authorizedToReleaseCredentialPassword" : "false",
    "authorizedToReleaseProxyGrantingTicket" : "false",
    "excludeDefaultAttributes" : "false",
    "principalIdAttribute" : "login_attribute"
}
******************************************************************
In my cas.properties:
cas.authn.authentication-attribute-release-enabled=true
cas.authn.ldap[0].principal-attribute-list=id_attribute

Maybe I forgot something?

One other question: how can we know which protocol is used to do that?
The application accepts CASv3, so I want to use CASv3, not SAML or another protocol.

Thank you

Ray Bon

Mar 25, 2021, 11:46:34 AM
to cas-...@apereo.org
Jérémie,

Try this logger to see what cas is doing with the attributes:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

The client application must be configured to call the CASv3 endpoint.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Jérémie Pilette

Mar 25, 2021, 12:35:54 PM
to CAS Community, Ray Bon
Thank you for your response Ray Bon, but where do I have to do that?
Should I uncomment these lines in a file or add these lines in a specific file?
Thank you.

Ray Bon

Mar 25, 2021, 12:55:46 PM
to jerem....@gmail.com, cas-...@apereo.org
Jérémie,

The cas logger bit can be added to etc/cas/config/log4j2.xml.

Ray

Jérémie Pilette

Mar 25, 2021, 1:04:01 PM
to CAS Community, Ray Bon, Jérémie Pilette
Yes, I have this file. I will try with it, OK.

And in my /var/lib/tomcat9/catalina.out, I have this line:
[2021-03-25 18:02:39] [info] 2021-03-25 18:02:39,848 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [codeNYP] that is based off of [id_attribute] in the allowed attributes list. Ensure the original attribute [id_attribute] is retrieved and contains at least a single value. Attribute [codeNYP] will and can not be released without the presence of a value.>

Ray Bon

Mar 25, 2021, 1:57:34 PM
to jerem....@gmail.com, cas-...@apereo.org
Jérémie,

Check ldap to be sure an attribute and value exist for id_attribute for your user. You could also check your ldap logs to see why the value is not released.

If cas is having difficulties connecting to ldap, you can set
        <Property name="ldap.log.level">debug</Property>
which is at the top of the log4j2.xml file.

Ray

Jérémie Pilette

Mar 25, 2021, 3:26:55 PM
to CAS Community, Ray Bon, Jérémie Pilette

The attribute and the value are correct in the LDAP.
With ldap.log.level=debug, I do not see anything strange: I can see all the values with their attributes, and no error messages.

Jérémie Pilette

Mar 25, 2021, 3:47:29 PM
to CAS Community, Jérémie Pilette, Ray Bon
I have seen this discussion
Maybe I have the same problem...
It is about the cache.

How can I clean the CAS cache?

Thank you

Jérôme Rautureau

Mar 25, 2021, 3:54:04 PM
to cas-...@apereo.org, Ray Bon, Jérémie Pilette
Hi Jérémie,

Is the passwordPolicy enabled?


Jérémie Pilette

Mar 25, 2021, 4:24:49 PM
to CAS Community, jrautureau, Ray Bon, Jérémie Pilette
I think so.
Where can we see it ?

Andy Ng

Mar 25, 2021, 9:37:20 PM
to CAS Community, Jérémie Pilette, jrautureau, Ray Bon
Hi Jérémie,

I saw that you are using CAS 6.4, which is still in RC. Have you tried it in CAS 6.3.2? Or even 6.2.x?

Even though 6.4.x is in RC, bugs do sometimes occur, and using a slightly older version might help identify your issue.

Anyway, it is not certain what the issue is; below are some suggestions, see if implementing them helps or not:

Q: How can I clean the CAS cache?
You can disable the CAS attribute cache to verify whether the cache is the issue:

cas.authn.attribute-repository.expiration-time=0

See: https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#authentication-attributes

But I don't think that is the issue, considering you never get any attribute in the first place.

Another possible solution:
In CAS 6.2.x, in order for attributes to be released, I needed to add
=========================
  "attributeReleasePolicy" : {
    .............
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "attributeRepositoryIds": ["java.util.HashSet", [ "*" ]]
    },
    .............
  },
=========================
For details, see this post:
https://groups.google.com/a/apereo.org/g/cas-user/c/713M457X1bI/m/g6q3-ddKAQAJ

Not sure if this is the same behavior as 6.4.x; you can try it and see if this fixes it for you.

Hopefully this helps!

Cheers,
Andy

Jérémie Pilette

Mar 26, 2021, 4:55:15 AM
to CAS Community, Andy Ng, Jérémie Pilette, jrautureau, Ray Bon
Hi Andy,
Thank you for your message.

So, I have tried with cas.authn.attribute-repository.expiration-time=0
Nothing changed.

I have tried with your lines on attributeReleasePolicy
Nothing changed.

I have tried with the 6.3 version
Nothing changed.

I have tried just with the line below in cas.properties
cas.authn.ldap[0].principal-attribute-list=my_attribute_1, my_attribute_2, ...
without these lines (commented out):
#cas.authn.ldap[0].authentication-attribute-release-enabled=true
#cas.authn.ldap[0].authentication-attribute-release.only-release=my_attribute

And now it works with the 6.3 and 6.4 versions...

I do not know if I did something else...

But now it is fixed...

Thank you for all,

Jérémie
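The two things this thread ends up checking by hand, that every source attribute named in a ReturnMappedAttributeReleasePolicy is actually fetched by the LDAP handler's principal-attribute-list (the WARN in Jérémie's catalina.out is exactly that case), and that release-policy settings sit inside "attributeReleasePolicy" the way Andy's snippet nests principalAttributesRepository, can be scripted. The following is an added example written for this thread, not CAS project code. It assumes a service JSON shaped like the one in the first post and a cas.properties with one or more cas.authn.ldap[N].principal-attribute-list entries; the sample inputs are constructed, and the set of keys it treats as release-policy settings is my reading of the CAS service documentation, not something the thread states.

```python
"""Cross-check a CAS JSON service definition against cas.properties.

Added example (not CAS project code). Sample inputs are constructed to
reproduce the situation in the thread: the service maps id_attribute to
codeNYP, but the LDAP handler never fetches id_attribute.
"""
import json
import re

# Constructed service definition, shaped like the one in the first post.
SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|http)://URL/cas.*",
  "name" : "netYpareo",
  "id" : 10000005,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "id_attribute" : "codeNYP"
    }
  },
  "authorizedToReleaseCredentialPassword" : "false",
  "excludeDefaultAttributes" : "false"
}
"""

# Constructed cas.properties: other attributes are fetched, id_attribute is not.
CAS_PROPERTIES = """
cas.authn.ldap[0].principal-attribute-list=uid,mail
cas.authn.attribute-repository.expiration-time=0
"""

# Assumption: these keys are settings of the attribute release policy and
# belong inside "attributeReleasePolicy" (as Andy's snippet does for
# principalAttributesRepository), not at the top level of the service.
RELEASE_POLICY_KEYS = {
    "authorizedToReleaseCredentialPassword",
    "authorizedToReleaseProxyGrantingTicket",
    "excludeDefaultAttributes",
    "principalAttributesRepository",
}

# Matches the WARN text quoted in the thread and pulls out both attribute names.
WARN_RE = re.compile(
    r"Could not find value for mapped attribute \[(?P<mapped>[^\]]+)\] "
    r"that is based off of \[(?P<source>[^\]]+)\]"
)


def principal_attribute_list(properties_text):
    """Collect every attribute named in cas.authn.ldap[N].principal-attribute-list."""
    attrs = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comment or not a key=value line
        key, _, value = line.partition("=")
        if re.fullmatch(r"cas\.authn\.ldap\[\d+\]\.principal-attribute-list", key.strip()):
            attrs.update(a.strip() for a in value.split(",") if a.strip())
    return attrs


def mapped_sources(service):
    """Return {source_attribute: released_name} for a ReturnMappedAttributeReleasePolicy."""
    policy = service.get("attributeReleasePolicy", {})
    if not policy.get("@class", "").endswith("ReturnMappedAttributeReleasePolicy"):
        return {}
    allowed = policy.get("allowedAttributes", {})
    return {k: v for k, v in allowed.items() if k != "@class"}


def check_service(service_json, properties_text):
    """Return a list of findings; an empty list means both checks passed."""
    service = json.loads(service_json)
    findings = []
    fetched = principal_attribute_list(properties_text)
    for source, target in mapped_sources(service).items():
        if source not in fetched:
            findings.append(
                f"mapped attribute {target!r} needs {source!r}, "
                "which is not in any principal-attribute-list"
            )
    for key in sorted(RELEASE_POLICY_KEYS.intersection(service)):
        findings.append(f"{key!r} is at the top level; move it inside attributeReleasePolicy")
    return findings


def parse_release_warning(log_line):
    """Extract (mapped, source) from the ReturnMappedAttributeReleasePolicy WARN, or None."""
    m = WARN_RE.search(log_line)
    return (m.group("mapped"), m.group("source")) if m else None


if __name__ == "__main__":
    for finding in check_service(SERVICE_JSON, CAS_PROPERTIES):
        print("-", finding)
```

Run it against the real service file and cas.properties by swapping the two constructed strings for file contents; adding the missing source attribute to principal-attribute-list, as the last post did, clears the first finding.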