How to generate UID attribute in the SAML response from Apereo CAS


Pk Hafeez

Jun 14, 2018, 10:47:23 AM
to CAS Developer
Have set up the latest version 5.3.0 of Apereo CAS. Want it to return the username as a UID attribute in the SAML response. Have made the appropriate changes to cas.properties and the service registry JSON file. But CAS somehow only returns the default attributes (UsernamePasswordCredential, samlAuthenticationStatementAuthMethod, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed). Note that this is just a POC setup, so there is no provisioning or LDAP or such. There is only one user on the CAS system, and when he (uo...@email.cuhybrid.com) makes a SAML request, the SAML response after authentication should simply send the username (uone) back as the attribute (uid) in the response.

cas.properties

cas.server.name: https://sso.idp.cuhybrid.com:8443
cas.server.prefix: https://sso.idp.cuhybrid.com:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.config.location: classpath:/services
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:///etc/cas/services

cas.authn.samlIdp.entityId=https://sso.idp.cuhybrid.com:443/cas/idp
cas.authn.samlIdp.scope=idp.cuhybrid.com

cas.authn.file.separator=::
cas.authn.file.filename=file:/etc/cas/config/password.txt
cas.authn.file.passwordEncoder.type=NONE
#release attributes
#cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.attributeRepository.attributes.uid=uid
#cas.authn.samlIdp.principalAttributeId=uid
#cas.authn.ldap[0].principalAttributeId=uid
cas.authn.samlIdp.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.samlIdp.attributeRepository.defaultAttributesToRelease=uid
cas.authn.samlIdp.attributeRepository.attributes.id=uid
cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.attributeRepository.defaultAttributesToRelease=uid
cas.authn.attributeRepository.samlIdp[0].id=uid
cas.authn.attributeRepository.samlIdp[0].attributes.id=uid

password.txt

uone@email.cuhybrid.com::T1swo123=

attribute-repository.json

{
  "uone": {
    "firstName": ["fname"],
    "lastName": ["lname"]
  }
}

/etc/cas/services/service.json

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://broker.wbx.com.*",
  "name" : "Broker",
  "id" : 20000001,
  "evaluationOrder" : 10,
  "metadataLocation" : "https://sso.idp.cuhybrid.com:8443/idb-meta-test-org1.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "uid" ] ]
  }
}

SAML Response (expected UID attribute missing): In the SAML response, I expect the username (uone) to be present in the attribute list under the name uid after the configuration made above. But somehow the attribute list contains only the defaults.

<saml2p:Response
    Destination="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"
    ID="_7652370489182156752" InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
    IssueInstant="2018-06-14T10:49:11.334Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_7652370489182156752">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>QVZFqX3IZhmlpVXtl6r4d8k9d8SC5jkX/Q+1a39gsS8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>EaAo6LKZYJn8b2Nm7M1QhfUyCtMYR2wqFm4+HdABhJT/3TDVlrsrhgz8fCRHM+zAFDQrsAXLokzEyj0q+riKsy3aOWVPIFhaOpctJuCS6/MvLBW/a2ZKU9rKNgawrVNWNOu6pAm0IgBQYd5SJnNyCEZnOQWk+H2f9YuqjWOlFw4HicNVisp9bZnXQJPQ9HMKSntgazLtJktuWhjdYMwjEpMckV0Smr/2A2A4tnmyXhBSu7DOm2k8OnqAdFyYydsDDyY0GyzV1PD/NXdXE65ZjbSner4NESV10GzKEUp+PoAFhd3zY9jGBc435BzD01L43anDZbEJ/pdTsogqVjSuQQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIWOjCCAiKgAwIBAgIVAIWJG4KZJNKnPfAtwXfzO5ZasZXKMA0GCSqGSIb3DQEBCwUAMCExHzAd
BgNVBAMMFnNzby5pZHAuY2FyZWh5YnJpZC5jb20wHhcNMTgwNjEyMDUxODI0WhcNMzgwNjEyMDUx
ODI0WjAhMR8wHQYDVQQDDBZzc28uaWRwLmNhcmVoeWJyaWQuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAkubHPbfub/uSD2ZCt9gxw7nUHNPKLotVlORJ48XEjXAY5ygaet4p+94S
gX8qafDETqay3ynVX/kZiVutg85xsR9nhTd/PSL9/CMR02U9qVpQP+EnMsttmc4u+GR/lvyPIi4C
bYS9piV89axFF3oYNy8B4phNmymCONEvT3XpuWIpA2LPRAYo/8rcPgpOABSRPex/Z1+OIcbw+Lwb
0cAuOxkSlc/X8X8Da3CiHemFxrswFkXCLEZOdd/a2CesuyJguFoFbcGW3ko4tSVgGWflt8vsn7wE
nMk4Un10dupDDWEzWx+bw0ELilyuqEDMOURQInWWI4PuuCdTqUld1pCzqwIDAQABo2kwZzAdBgNV
HQ4EFgQUiOTpeFxxMd+/pOaEhYmt59xmiQEwRgYDVR0RBD8wPYIWc3NvLmlkcC5jYXJlaHlicmlk
LmNvbYYjc3NvLmlkcC5jYXJlaHlicmlkLmNvbS9pZHAvbWV0YWRhdGEwDQYJKoZIhvcNAQELBQAD
ggEBAB2DYvASBcmG69GwPEX1HM4RsHsjcc+dMe3M3CcKcfyIDxy3dkA1M3JhqUP1sgXqJli0gFHp
NCF7fbikP4f0+O3z7L8cASZFu+gdL5Gre2umhRzPCL0v2q+dIbDEZ3h/Y841Tu8xO8xFCUTUO7Bi
nbg8KrKbWJX4FTrlPG/I0DncNF0wiKzYaJTevRmbRk1HUV+kCD8oN3RgpfDofVb8QQfpueVDaXuZ
oTRi7376ebOJk3UugAsgp255jTRojVrsuU6+w9YajAObArniSm2z5t3D8+47CTP0QSYd8SS+nCy6
uBBJhh4EfylDw4pobsZSHA23ZqwuySy49ZV37adNOLY=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_9139863724074917757" IssueInstant="2018-06-14T10:49:11.326Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4"
          SPNameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4">nm8GLI16mgBl2pJWfWI+zbKBpTg=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
            NotOnOrAfter="2018-06-14T10:49:16.029Z"
            Recipient="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-06-14T10:49:11.333Z" NotOnOrAfter="2018-06-14T10:49:16.333Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-06-14T10:49:11.029Z" SessionIndex="_8331287344390871950">
      <saml2:SubjectLocality Address="64.68.99.6"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="credentialType" Name="credentialType"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>UsernamePasswordCredential</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
          Name="samlAuthenticationStatementAuthMethod"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>true</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>2018-06-14T10:49:10.650Z[Etc/UTC]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
          Name="successfulAuthenticationHandlers" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
          Name="longTermAuthenticationRequestTokenUsed"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>false</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>


Expected SAML response attribute: the expected form of the attribute is below, with the username (uone) as the value.

<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uone</saml:AttributeValue>
</saml:Attribute>


Pk Hafeez

Jun 14, 2018, 10:59:38 AM
to CAS Developer
The attribute-repository.json file is used just for testing purposes; it has no real use later on. I would rather translate the incoming user request to a username and send it back in the SAML response. For example: translate uo...@email.com to uid: uone.

Pk Hafeez

Jun 14, 2018, 11:15:15 AM
to CAS Developer
cas.log

2018-06-14 10:22:11,638 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{}] for [uo...@email.cuhybrid.com]>
2018-06-14 10:22:11,639 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnMappedAttributeReleasePolicy] to process attributes for [castesto...@mailinator.com]>
2018-06-14 10:22:11,639 DEBUG [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Attempting to map allowed attribute name [uid]>
2018-06-14 10:22:11,639 DEBUG [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Mapping attribute [uid] to [uid] with value [null]>
2018-06-14 10:22:11,640 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [uid] that is based off of [uid] in the allowed attributes list. Ensure the original attribute [uid] is retrieved and contains at least a single value. Attribute [uid] will and can not be released without the presence of a value.>
2018-06-14 10:22:11,640 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnMappedAttributeReleasePolicy] allows release of [{}] for [uo...@email.cuhybrid.com]>
2018-06-14 10:22:11,640 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-06-14 10:22:11,640 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-06-14 10:22:11,641 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-06-14 10:22:11,641 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[uid]]>
2018-06-14 10:22:11,642 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2018-06-14 10:22:11,645 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-06-14 10:22:11,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-06-14 10:22:11,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [castesto...@mailinator.com] accessing service [https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4] defined by registered service [https://broker.wbx.com.*]...>
2018-06-14 10:22:11,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>


Lu Jacky

Nov 21, 2018, 3:17:58 AM
to CAS Developer
Same question, have you got a solution?