mod_auth_cas and attributes


Alberto Cabello Sánchez

Oct 24, 2019, 6:26:49 AM
to cas-...@apereo.org
Hi,

I'm trying to get attributes released by CAS through mod_auth_cas and CASv2
protocol (not SAML), but I'm not sure how to achieve it.

I set

CASAuthNHeader ATTR

but it just gives the authenticated user, even if successful login page shows
correctly the attributes defined in application.properties.

Attribute release policy for that service is
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},

My validation URL is

CASValidateURL <CAS_URL>/serviceValidate

I don't know if this is correct. I found another value when using SAML
validation, but I don't know if I have to change this one for CASv2 (only
found this information regarding the SAML version).

Thanks in advance,

--
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura

David Curry

Oct 24, 2019, 8:13:36 AM
to CAS Community
In your service registry:
{
  ...
  "attributeReleasePolicy" : {
      "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  ...
}
In /etc/httpd/conf.d/cas.conf:
LoadModule auth_cas_module modules/mod_auth_cas.so

<Directory "/var/www/html/secured-by-cas">
    <IfModule mod_auth_cas.c>
        AuthType        CAS
        CASAuthNHeader  On
    </IfModule>

    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASLoginUrl           https://casserver.example.org/cas/login
    CASValidateUrl        https://casserver.example.org/cas/samlValidate
    CASCookiePath         /var/cache/httpd/mod_auth_cas/
    CASValidateSAML       On
    CASSSOEnabled         On
    CASDebug              Off
</IfModule>
Note that CASv2 uses SAML 1.1 to return attributes; hence the use of samlValidate. This is not the same thing as configuring the CAS server as a SAML2 IdP and using SAML instead of CAS to authenticate.

This will put all your attributes into Apache headers. You can access them in various ways; here's a simple PHP example that you can put into /var/www/html/secured-by-cas/index.php or whatever:
<!DOCTYPE html>
<html lang="en">
  <head>
    <title>Hello, World!</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
  </head>
  <body>
    <div class="container">
      <h1>Secured Content</h1>
      <p><big>This is some secure content. You should not be able to see it until you have entered your username and password.</big></p>
      <h2>Attributes Returned by CAS</h2>
      <?php
        // Escape everything before it reaches the page: header values come from
        // the CAS server, but they are still data, not markup.
        function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

        echo "<pre>";

        // mod_auth_cas sets the authenticated user, which PHP exposes as REMOTE_USER
        if (array_key_exists('REMOTE_USER', $_SERVER)) {
            echo "REMOTE_USER = " . h($_SERVER['REMOTE_USER']) . "\n";
        }

        // Released attributes arrive as request headers named CAS_<attribute>
        $headers = getallheaders();
        foreach ($headers as $key => $value) {
            if (strpos($key, 'CAS_') === 0) {
                echo h(substr($key, 4)) . " = " . h($value) . "\n";
            }
        }

        echo "</pre>";
      ?>
    </div>
  </body>
</html>

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david...@newschool.edu




--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20191024122634.9aee358820053e3c75081f5e%40unex.es.

Alberto Cabello Sánchez

Oct 24, 2019, 8:27:29 AM
to cas-...@apereo.org
Thank you very much. I'll try later, hoping not to end in a SAML mess, as
I usually do.

Regarding Apache directives,

* Do I need "CASSSOEnabled On", even if I'm not using SSOut capabilities?

* Is "CASAuthNHeader On" correct? I just did that and ended with a "On"
header containing only the authenticated username, not what I wanted...
I thought CASAuthNHeader is not an On/Off directive but it takes a string
value to set the header name.

Regards.


David Curry

Oct 24, 2019, 8:44:31 AM
to CAS Community
You should be safe from SAML messes; CASv2 attribute release via SAML 1.1 has been around for years and years; much longer than the CAS server's support for the SAML2 protocol and acting as an IdP/SP. You don't actually have to configure anything at all; just use the other endpoint (samlValidate instead of serviceValidate).

CASSSOEnabled is for supporting CAS Single Sign Out. If you're not using that, you should not need it. Although leaving it on won't hurt anything, either. Personally, I have always just left it on, and have never had an issue.

CASAuthnHeader is an on/off attribute. (See the documentation: https://github.com/apereo/mod_auth_cas). If you want to change the attribute headers to start with something other than "CAS_", that's the CASAttributePrefix directive.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david...@newschool.edu

David Hawes

Oct 24, 2019, 4:13:22 PM
to CAS Community
What version of mod_auth_cas are you using? v1.2 supports CASv2
attributes, which should work with /serviceValidate provided your
server supports it.

Turn "CASDebug On" and you should be able to see the validation
response with the attributes returned from your server. With
CASAuthnHeader set to some attribute like you've done, the released
attributes should be in the HTTP headers.

David Hawes

Oct 24, 2019, 4:20:30 PM
to CAS Community
On Thu, 24 Oct 2019 at 08:44, David Curry <david...@newschool.edu> wrote:
>
> You should be safe from SAML messes; CASv2 attribute release via SAML 1.1 has been around for years and years; much longer than the CAS server's support for the SAML2 protocol and acting as an IdP/SP. You don't actually have to configure anything at all; just use the other endpoint (samlValidate instead of serviceValidate).

Note that you can use /serviceValidate with mod_auth_cas v1.2 if your
server releases attributes.

> CASAuthnHeader is an on/off attribute. (See the documentation: https://github.com/apereo/mod_auth_cas). If you want to change the attribute headers to start with something other than "CAS_", that's the CASAttributePrefix directive.

CASAuthNHeader specifies the name of a header. It is used like:

CASAuthNHeader username

David Curry

Oct 24, 2019, 4:25:13 PM
to CAS Community
I stand corrected. Although the AuthNHeader documentation (README) is not at all clear (to me, anyway) on that.


David A. Curry,  CISSP
Director • Information Security & Privacy
The New School • Information Technology
71 Fifth Ave., 9th Fl., New York, NY 10003
+1 646 909-4728 • david...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.
   


Alberto Cabello Sánchez

Oct 25, 2019, 5:45:52 AM
to cas-...@apereo.org
On Thu, 24 Oct 2019 16:12:58 -0400
David Hawes <dha...@vt.edu> wrote:

> What version of mod_auth_cas are you using?

Sorry, I didn't include it in my question:

mod_auth_cas is 1.2, freshly cloned from https://github.com/apereo/mod_auth_cas.git
CAS server is 5.3.12.1.

> v1.2 supports CASv2 attributes, which should work with /serviceValidate
> provided your server supports it.
>
> Turn "CASDebug On" and you should be able to see the validation
> response with the attributes returned from your server. With
> CASAuthnHeader set to some attribute like you've done, the released
> attributes should be in the HTTP headers.

This is the CAS info logged in Tomcat

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [alberto] with attributes [{cn=[alberto], givenName=[alberto], irisPersonalUniqueID=[DOC:12345678R], mail=[alb...@unex.es], sn=[cabello sánchez], sn1=[cabello], sn2=[sánchez], uid=[alberto]}] via credentials [[UsernamePasswordCredential(username=alberto)]].>

I can't find any reference to headers in Apache 2 logs, except

Adding outgoing header: Set-Cookie: MOD_AUTH_CAS_S=6c60*******************d099;Secure;Path=/examples/jsp/; HttpOnly, referer: <CAS_URL>/login?service=<SERVICE_URL>

I guess I will add some printf() statements in mod_auth_cas to gather more
info, and explore the SAML approach.

If it helps, I do get an "ATTR" header (CASAuthNHeader is set to ATTR),
but it just contains the REMOTE_USER value ("alberto" in this case).

Thanks for your help.

Alberto Cabello Sánchez

Oct 25, 2019, 6:40:43 AM
to cas-...@apereo.org
On Thu, 24 Oct 2019 16:20:09 -0400
David Hawes <dha...@vt.edu> wrote:

> Note that you can use /serviceValidate with mod_auth_cas v1.2 if your
> server releases attributes.

Well, it seems this is not the case: validation response is

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>alberto</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>

No node named "attributes", so no mod_auth_cas problem here.

David Hawes

Oct 25, 2019, 9:30:17 AM
to CAS Community

On Fri, Oct 25, 2019, 05:45 Alberto Cabello Sánchez <alb...@unex.es> wrote:
> On Thu, 24 Oct 2019 16:12:58 -0400
> David Hawes <dha...@vt.edu> wrote:
>
> > What version of mod_auth_cas are you using?
>
> Sorry, I didn't include it in my question:
>
> mod_auth_cas is 1.2, freshly cloned from https://github.com/apereo/mod_auth_cas.git
> CAS server is 5.3.12.1.
>
> > v1.2 supports CASv2 attributes, which should work with /serviceValidate
> > provided your server supports it.
> >
> > Turn "CASDebug On" and you should be able to see the validation
> > response with the attributes returned from your server. With
> > CASAuthnHeader set to some attribute like you've done, the released
> > attributes should be in the HTTP headers.
>
> This is the CAS info logged in Tomcat
>
> INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [alberto] with attributes [{cn=[alberto], givenName=[alberto], irisPersonalUniqueID=[DOC:12345678R], mail=[alb...@unex.es], sn=[cabello sánchez], sn1=[cabello], sn2=[sánchez], uid=[alberto]}] via credentials [[UsernamePasswordCredential(username=alberto)]].>
>
> I can't find any reference to headers in Apache 2 logs, except
>
> Adding outgoing header: Set-Cookie: MOD_AUTH_CAS_S=6c60*******************d099;Secure;Path=/examples/jsp/; HttpOnly, referer: <CAS_URL>/login?service=<SERVICE_URL>
>
> I guess I will add some printf() statements in mod_auth_cas to gather more
> info, and explore the SAML approach.

Not necessary. Set "LogLevel debug" and "CASDebug On". Search for "Validation response" in the Apache logs. 

Ray Bon

Oct 25, 2019, 2:08:21 PM
to cas-...@apereo.org
Alberto,

To be sure CAS is releasing the attributes:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray



-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Alberto Cabello Sánchez

Oct 29, 2019, 3:58:32 AM
to cas-...@apereo.org
Hi, thanks everyone for your help!

This worked like a charm, just adding the SAML dependency and changing two
lines in mod_auth_cas config ("CASValidateUrl" and "CASValidateSAML On").

I'll be investigating the cause of my CAS and mod_auth_cas not sharing the
attributes, anyway.

Best regards.


Alberto Cabello Sánchez

Nov 4, 2019, 7:17:57 AM
to cas-...@apereo.org
On Fri, 25 Oct 2019 18:08:13 +0000
Ray Bon <rb...@uvic.ca> wrote:

> Alberto,
>
> To be sure CAS is releasing the attributes:
>
> <!-- DEBUG Found principal attributes [...] for [username]
> Attribute policy [???] allows release of [...] for [username]
> Final collection of attributes allowed are: [...] -->
> <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Thanks, Ray.

It seems to be right:

DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy]
<Final collection of attributes allowed are: [{cn=[alberto],
givenName=[alberto], irisPersonalUniqueID=[DOC:12345678R],
mail=[alb...@unex.es], sn=[cabello sánchez], sn1=[cabello], sn2=[sánchez],
uid=[alberto]}]>

I wonder how the "serviceValidate" endpoint is building the service response.

Could this be useful? The log shows attributes being used for access control

WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://server.unex.es/examples/jsp/he...,principal=SimplePrincipal(id=alberto, attributes={cn=[alberto], givenName=[alberto], irisPersonalUniqueID=[DOC:12345678R], mail=[alb...@unex.es], sn=[cabello sánchez], sn1=[cabello], sn2=[sánchez], uid=[alberto]}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS

but not for service ticket validation

WHO: alberto
WHAT: ST-16c60*******************d099 for https://server.unex.es/examples/jsp/headers.jsp
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS

Additionally: I can use attributes to control access in .htaccess (with
Require cas-attribute givenName:alberto) but -as expected- it works for me
only in the SAML scenario, not in the CASv2.
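A way to check the server side against what the application actually sees, as an added example (my code, not from the thread, mod_auth_cas or the CAS project): parse the Java-style attribute map out of CAS log lines like the ones quoted above and list the attributes the release policy approved that never arrived as CAS_-prefixed request headers. The log lines and the header dicts below are constructed in the format the thread quotes; the "CAS_" prefix is an assumed default for CASAttributePrefix.

```python
"""Compare the attributes CAS logs as released with the headers the protected
application received. Log lines are constructed for this example in the
format quoted in the thread (CAS 5.3 server-side logging)."""
import re

SAMPLE_LOG = [
    "INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - "
    "<Authenticated principal [alberto] with attributes [{cn=[alberto], "
    "givenName=[alberto], mail=[alberto@example.org], memberOf=[staff, it]}] "
    "via credentials [[UsernamePasswordCredential(username=alberto)]].>",
    "DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - "
    "<Final collection of attributes allowed are: [{cn=[alberto], mail=[alberto@example.org]}]>",
]

# One key=[v1, v2] entry of a Java Map.toString(). The lookahead ends a value
# only at the "], nextKey=[" boundary or at end of string, so values may hold
# spaces and colons (e.g. "DOC:12345678R" or "cabello sánchez").
_ENTRY = re.compile(r"([\w.\-]+)=\[(.*?)\](?=, [\w.\-]+=\[|$)")


def parse_java_map(text):
    """'cn=[alberto], memberOf=[staff, it]' -> {'cn': ['alberto'], 'memberOf': ['staff', 'it']}.
    A single value that itself contains ', ' is ambiguous in this format and gets split."""
    return {k: (v.split(", ") if v else []) for k, v in _ENTRY.findall(text)}


def attributes_from_log(line):
    """Extract the attribute map embedded in a CAS log line, or None if there is none."""
    m = re.search(r"\[\{(.*?)\}\]", line)
    return parse_java_map(m.group(1)) if m else None


def released_attributes(lines):
    """The last 'Final collection of attributes allowed' map wins: that is the set
    the release policy approved for the service, not the full principal."""
    result = None
    for line in lines:
        if "Final collection of attributes allowed" in line:
            result = attributes_from_log(line)
    return result


def missing_attributes(released, request_headers, prefix="CAS_"):
    """Names CAS released that never showed up as <prefix><name> request headers."""
    seen = {h[len(prefix):] for h in request_headers if h.startswith(prefix)}
    return sorted(name for name in released if name not in seen)


if __name__ == "__main__":
    released = released_attributes(SAMPLE_LOG)
    # What the thread saw with CASv2: only the CASAuthNHeader header, carrying the user.
    print("released:", released)
    print("missing:", missing_attributes(released, {"ATTR": "alberto"}))
```

The point of reading the "Final collection" line rather than the "Authenticated principal" line is that the former reflects the service's attributeReleasePolicy; a non-empty result from missing_attributes() then tells you the gap is between the release and the validation response (the protocol endpoint), not in the policy.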

Ray Bon

Nov 4, 2019, 12:16:40 PM
to cas-...@apereo.org
Alberto,

My apologies. I missed the part about cas protocol v2. Attribute release is available only with protocol v3 and saml 1.1 (and saml 2).

Ray

Molly Kewl

Nov 5, 2019, 12:08:51 PM
to cas-...@apereo.org

> > What version of mod_auth_cas are you using?
>
> Sorry, I didn't include it in my question:
>
> mod_auth_cas is 1.2, freshly cloned from https://github.com/apereo/mod_auth_cas.git
> CAS server is 5.3.12.1.
>
> > v1.2 supports CASv2 attributes, which should work with /serviceValidate
> > provided your server supports it.


Use cas.view.cas2.v3ForwardCompatible=true

Alberto Cabello Sánchez

Nov 6, 2019, 7:59:15 AM
to cas-...@apereo.org
On Mon, 4 Nov 2019 17:16:33 +0000
Ray Bon <rb...@uvic.ca> wrote:

> Alberto,
>
> My apologies. I missed the part about cas protocol v2. Attribute release
> is available only with protocol v3 and saml 1.1 (and saml 2).

No need to apologize, of course!

A little more explanation is welcome, though... I read in mod_auth_cas docs
(https://github.com/apereo/mod_auth_cas):

Both the CAS 2.0 and SAML 1.1 protocols support including additional
attributes in the CAS validation response, which may also be added as HTTP
headers (see CASAttributePrefix and CASAttributeDelimiter).

And then, among the

========================================================================
NEW FEATURES AND FUNCTIONS IN THIS RELEASE
========================================================================

is

* CASv2 attributes.

Then, I thought I was retrieving attributes with phpCAS and CASv2, but
now I'm a little confused... Perhaps attributes release needs CASv3 only
for mod_auth_cas?

Jon Anderson

Nov 6, 2019, 9:47:34 AM
to cas-...@apereo.org
My recollection was that:
CAS v1 returned just username as plain text
CAS v2 returned just username in xml

By then everybody wanted attribute delivery, and it was common in SAML, so as a sort of extension to CAS the service ticket validation request and response could be done with SAML 1.1 instead, which offered attribute delivery.

After that CAS v3 came out which added attributes to the xml response.
________________________________________
From: cas-...@apereo.org [cas-...@apereo.org] on behalf of Alberto Cabello Sánchez [alb...@unex.es]
Sent: Wednesday, November 06, 2019 6:59 AM
To: cas-...@apereo.org
Subject: Re: [cas-user] mod_auth_cas and attributes


