How to release eduPersonTargetedID in correct format


Marcin Roman

May 7, 2021, 12:37:02 PM
to CAS Community
Hi, I could not manage to configure CAS to release eduPersonTargetedID in the correct format.
According to the specs (https://www.switch.ch/aai/support/documents/attributes/edupersontargetedid/), eduPersonTargetedID should look like this:

<saml2:Attribute FriendlyName="eduPersonTargetedID"
                 Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                  NameQualifier="https://sso.umk.pl/idp/shibboleth"
                  SPNameQualifier="https://orcid.org/saml2/sp/1">S1yftf/VIwgXi4bclR5tdXB/VRE=</saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>

This is the way Shibboleth releases it.
However, CAS releases eduPersonTargetedID in the following way:

<saml2:Attribute FriendlyName="eduPersonTargetedID"
                 Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue>aALV+7l7KzaznzhyDsaBNgAdzSI=</saml2:AttributeValue>
</saml2:Attribute>

Perhaps I misconfigured something?
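The difference between the two encodings above comes down to whether the AttributeValue carries a nested saml2:NameID or a bare string. The following Python check is added here as an example; it is not part of the original post and not CAS code. It parses an assertion and reports exactly what is missing, taking the IdP and SP entityIDs from the sample above (for a persistent NameID, NameQualifier carries the IdP's entityID and SPNameQualifier the SP's, per SAML 2.0 Core section 8.3.7). The two assertion fragments embedded in it are constructed from the values quoted in the post.

```python
"""Check that an eduPersonTargetedID attribute in a SAML 2.0 assertion uses
the nested <saml2:NameID> encoding (the form shown in the SWITCH document and
produced by Shibboleth) rather than a bare string value."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_eptid(assertion_xml: str, idp_entity_id: str, sp_entity_id: str) -> list[str]:
    """Return the problems found with eduPersonTargetedID; an empty list means
    every value is a persistent NameID qualified by the expected IdP and SP."""
    root = ET.fromstring(assertion_xml)
    attrs = [a for a in root.iter(f"{{{SAML2}}}Attribute") if a.get("Name") == EPTID_OID]
    if not attrs:
        return ["no eduPersonTargetedID attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) found"]
    problems: list[str] = []
    for attr in attrs:
        values = attr.findall(f"{{{SAML2}}}AttributeValue")
        if not values:
            problems.append("eduPersonTargetedID attribute has no AttributeValue")
        for value in values:
            nameid = value.find(f"{{{SAML2}}}NameID")
            if nameid is None:
                # This is the shape the post reports CAS emitting.
                text = (value.text or "").strip()
                problems.append(f"AttributeValue is the bare string {text!r}; expected a nested saml2:NameID")
                continue
            if nameid.get("Format") != PERSISTENT:
                problems.append(f"NameID Format is {nameid.get('Format')!r}, expected persistent")
            if nameid.get("NameQualifier") != idp_entity_id:
                problems.append(f"NameQualifier is {nameid.get('NameQualifier')!r}, "
                                f"expected the IdP entityID {idp_entity_id!r}")
            if nameid.get("SPNameQualifier") != sp_entity_id:
                problems.append(f"SPNameQualifier is {nameid.get('SPNameQualifier')!r}, "
                                f"expected the SP entityID {sp_entity_id!r}")
            if not (nameid.text or "").strip():
                problems.append("nested NameID is empty")
    return problems


# EntityIDs taken from the sample in the post.
IDP = "https://sso.umk.pl/idp/shibboleth"
SP = "https://orcid.org/saml2/sp/1"

# Constructed sample in the Shibboleth form quoted in the post.
SHIBBOLETH_STYLE = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="{EPTID_OID}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>
        <saml2:NameID Format="{PERSISTENT}" NameQualifier="{IDP}"
            SPNameQualifier="{SP}">S1yftf/VIwgXi4bclR5tdXB/VRE=</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample in the bare-string form the post reports CAS emitting.
CAS_STYLE = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="{EPTID_OID}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>aALV+7l7KzaznzhyDsaBNgAdzSI=</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("shibboleth", SHIBBOLETH_STYLE), ("cas", CAS_STYLE)):
        print(label, check_eptid(doc, IDP, SP) or "OK")
```

Run against a decrypted assertion captured at the SP (for example from a SAML tracer) with the real IdP and SP entityIDs; a non-empty list pinpoints which part of the nested form the IdP got wrong, which is quicker than diffing two XML dumps by eye.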

Mike Osterman

May 7, 2021, 1:31:56 PM
to CAS Community
Hi there,

I had this issue early on, and it turned out that my service registry was not specifying the nameid format as persistent, but rather unspecified, which was making it transient. 

Here's a snippet from our service config for the requiredNameIdFormat and usernameAttributeProvider properties:

"requiredNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"usernameAttributeProvider": {
  "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
  "usernameAttribute": "eduPersonTargetedID",
  "canonicalizationMode": "NONE"
}

-Mike


Marcin Roman

May 10, 2021, 11:01:30 AM
to CAS Community
Thanks for your help, but it does not suffice to return the persistent ID only in the Subject (username) section of the SAML response.
I also need to return eduPersonTargetedID as a separate attribute in the AttributeStatement section, like this:

<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                NameQualifier="https://orcid.org/saml2/sp/1"
                SPNameQualifier="https://orcid.org/saml2/sp/1">bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
  ...
</saml2:Subject>
...
<saml2:AttributeStatement>
  <saml2:Attribute FriendlyName="eduPersonTargetedID"
                   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                    NameQualifier="https://sso.umk.pl/idp/shibboleth"
                    SPNameQualifier="https://orcid.org/saml2/sp/1">bsW0OHXmQNagnOqwvm8TU7oPKpM=</saml2:NameID>
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

The above is required by some services like orcid.org.
I use the following service config:

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "^https://.+$",
  "name": "federation",
  "id": 1999,
  "evaluationOrder": 1999,
  "metadataLocation": "https://aai.pionier.net.pl/pionierid-edugain-sp-feed.xml",
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.AnonymousRegisteredServiceUsernameAttributeProvider",
    "persistentIdGenerator": {
      "@class": "org.apereo.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator",
      "salt": "abc",
      "attribute": "uidNumber"
    }
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "policies": [ "java.util.ArrayList",
      [
        {
          "@class": "org.apereo.cas.support.saml.services.EduPersonTargetedIdAttributeReleasePolicy",
          "salt": "abc",
          "attribute": "uidNumber"
        }
      ]
    ]
  }
}
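An added example (not CAS or Shibboleth code) of what the config above is asking for end to end: the published Shibboleth ComputedId formula that ShibbolethCompatiblePersistentIdGenerator is designed to reproduce, Base64(SHA-1(spEntityID + "!" + sourceID + "!" + salt)), followed by the eduPersonTargetedID element in the nested-NameID form that orcid.org expects. The salt "abc" in the posted config is treated here as a placeholder: the example refuses salts under 16 bytes, as Shibboleth's generator does, because the salt is the only secret in the derivation, and a guessable salt lets anyone who knows the SP's entityID enumerate small uidNumber values and unmask the identifier. The entityIDs and the uidNumber 1000 in the usage section are stand-in values; whether a given CAS build matches this byte for byte has to be confirmed against a live instance.

```python
"""Shibboleth-style computed persistent ID and the nested-NameID form of
eduPersonTargetedID built from it (added example, not CAS code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
MIN_SALT_BYTES = 16  # Shibboleth's ComputedId generator rejects shorter salts


def computed_id(sp_entity_id: str, source_id: str, salt: str) -> str:
    """Shibboleth "computed" persistent ID:
    Base64( SHA-1( spEntityID + "!" + sourceID + "!" + salt ) ).

    source_id is the stable per-user attribute named in the config (uidNumber
    in the thread). The salt is a long-lived secret: changing it re-keys every
    user at every SP, and a short or guessable salt makes the opaque value
    brute-forceable by anyone who can enumerate the source attribute.
    """
    if len(salt.encode("utf-8")) < MIN_SALT_BYTES:
        raise ValueError(f"salt must be at least {MIN_SALT_BYTES} bytes")
    if not source_id:
        raise ValueError("source attribute is empty; refusing to derive an identifier")
    data = f"{sp_entity_id}!{source_id}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def eptid_attribute(idp_entity_id: str, sp_entity_id: str, persistent_id: str) -> ET.Element:
    """Build <saml2:Attribute> whose value is a nested persistent <saml2:NameID>,
    qualified by the IdP (NameQualifier) and the SP (SPNameQualifier)."""
    attr = ET.Element(f"{{{SAML2}}}Attribute", {
        "FriendlyName": "eduPersonTargetedID",
        "Name": EPTID_OID,
        "NameFormat": URI_FORMAT,
    })
    value = ET.SubElement(attr, f"{{{SAML2}}}AttributeValue")
    nameid = ET.SubElement(value, f"{{{SAML2}}}NameID", {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id,
    })
    nameid.text = persistent_id
    return attr


def to_xml(element: ET.Element) -> str:
    """Serialise with the saml2 prefix so the output reads like the samples above."""
    ET.register_namespace("saml2", SAML2)
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    idp = "https://sso.umk.pl/idp/shibboleth"         # stand-in IdP entityID
    sp = "https://orcid.org/saml2/sp/1"               # stand-in SP entityID
    salt = "replace-with-a-long-random-secret"        # placeholder, not a real salt
    pid = computed_id(sp, "1000", salt)               # "1000" stands in for a uidNumber
    print(to_xml(eptid_attribute(idp, sp, pid)))
```

The Subject NameID and the attribute value come from the same derivation, which is why the two strings agree in the sample above; the SP-specific input is what makes the identifier pairwise, so the same user gets a different value at every SP.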

Dmitriy Kopylenko

May 10, 2021, 11:16:23 AM
to cas-...@apereo.org
Hi there.

Simply put, the CAS server currently does not support encoding attribute values as a nested SAML2XMLObject, such as the nested NameID value required by the eduPersonTargetedID spec.

Best,
D.

Robert

Sep 7, 2021, 10:32:03 AM
to CAS Community, dkopylenko

It would be great if CAS were 100% Shibboleth compatible and let us use ShibbolethCompatiblePersistentIdGenerator for generating an attribute as well. Even if eduPersonTargetedID is deprecated in favour of "urn:oasis:names:tc:SAML:attribute:pairwise-id" in most AAIs, the procedure would be the same.

If there are no developer resources at Apereo, our institution would spend money on that show-stopper.

You can contact me directly via robert.k...@gfz-potsdam.de