Unable to get UID attribute in client side


Morning Star

Feb 16, 2021, 4:25:09 PM
to CAS Community
Hi Team,

CAS server - 6.2.3
CAS client - 3.6.2

We are not getting the UID attribute on the client side. We use the CAS 2 protocol, i.e. Cas20ProxyReceivingTicketValidationFilter.

Upon redirection, we are getting the ticket value (ticket=) in the URL, and after successful ticket validation we got a 302 HTTP status code. Up to this point, it is working as expected.

But we are not getting the UID attribute on the client side.

My JSON file : 
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https://cx.example.com.*)",
  "name" : "web",
  "description" : "Allows HTTP(S) and IMAP(S) protocols", 
  "id" : 10000001,
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "uid"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "email", "CN" ] ]
  }
}

DEBUG LOG:
2021-02-16 12:57:51 [DEBUG] org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – Initiating attributes release phase for principal [a...@test.com] accessing service [AbstractWebApplicationService(id=https://bexfept021.int.mgc.com:11111/exx/cp?id=12345, originalUrl=https:// bexfept021  .int.mgc.com:11111/exx/cp?id=12345, artifactId=null, principal=a...@test.com, source=service, loggedOutAlready=false, format=XML, attributes={})] defined by registered service [^(https:// cx.example.*)]...
2021-02-16 12:57:51 [DEBUG] org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – Using principal attribute repository [DefaultPrincipalAttributesRepository()] to retrieve attributes
2021-02-16 12:57:51 [WARN] org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher  – No person records were fetched from attribute repositories for [{principal=a...@test.com, userStatus=[ACTIVE], tryCount=[0:1613505872733], username=a...@test.com}]
2021-02-16 12:57:51 [DEBUG] org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – Found principal attributes [{userStatus=[ACTIVE], tryCount=[0:1613505872733]}] for [a...@test.com]
2021-02-16 12:57:51 [DEBUG] org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [a...@test.com]
2021-02-16 12:57:51 [DEBUG] org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy  – Default attributes for release are: [[]]

Tried adding these entries also:
cas.authn.ldap[0].principal-attribute-list=uid,mail,cn
cas.authn.attribute-repository.default-attributes-to-release=uid,mail,cn
It doesn't help.

Am I doing something wrong here? The CAS2 protocol releases UID, right?
Kindly help me with some syntax :-(
At least I want to know whether the issue is from the server side or the client side.







Richard Frovarp

Feb 16, 2021, 5:44:15 PM
to cas-...@apereo.org
I don't remember the fine specifics of the logs well enough to know. It's possible that both are at fault? Make sure you are listing attributes to look up in your LDAP attribute repository configuration. If they aren't there, that'll be problem one. The other thing is that by default the CAS 2 protocol doesn't do attribute return. You need to use the CAS 3 protocol to get attribute return. It was an extension for the CAS 2 protocol, but I don't think the IdP is going to follow that extension at CAS 6.2, but I may be wrong. The CAS 3 protocol validation URL should be able to be used to get the attributes back, which is typically at the /p3/serviceValidate path.
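
Added example (not part of the thread and not CAS project code): one way to tell a server-side release problem from a client-side one is to inspect the body the validation endpoint returns and check whether a `cas:attributes` block is present. The function name and the sample responses below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample bodies (not captured from the poster's server).
NO_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice@example.org</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

WITH_ATTRS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:uid>alice</cas:uid>
      <cas:email>alice@example.org</cas:email>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def inspect_validation_response(xml_text):
    """Return (status, user, attributes) for a CAS validation response body."""
    # A validation response never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in validation response; refusing to parse")
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ("failure:" + failure.get("code", "UNKNOWN"), None, {})
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not a CAS serviceResponse")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # drop the "{namespace}" part of the tag
        attrs.setdefault(name, []).append((el.text or "").strip())  # names may repeat
    status = "success-with-attributes" if attrs else "success-no-attributes"
    return (status, user, attrs)
```

A `success-no-attributes` result means the server released nothing for that service, so the client filter has nothing to expose; `success-with-attributes` points at the client configuration instead.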

Ray Bon

Feb 16, 2021, 9:01:42 PM
to cas-...@apereo.org
Morning,

When you say you get 302, do you mean a 'too many redirects' message in the browser?
Does your audit log say that the ticket was validated successfully?

The client application needs to be using HTTPS during ticket validation. If you are using a self-signed cert, add it to the JVM keystore.
The uid is released as part of the principal, after successful ST validation. You can get it in your application with:
request.getRemoteUser()
or
request.getUserPrincipal()


Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.