CAS 7.3.5 SAML Attribute Names Changed to OID URNs After Migration from 6.6.15


Mohamed Iheb JEMAI

Jun 10, 2026, 8:15:14 AM
to CAS Community

Hi CAS Community,

After migrating CAS SSO from 6.6.15 to 7.3.5, I noticed a strange behavior that is currently blocking our SAML SSO login.

In the SAML POST response, some released attributes such as mail and givenName are no longer returned with their original attribute names. Instead, CAS seems to transform them into OID-based names, for example:

urn:oid:0.9.2342.19200300.100.1.3

Before the migration, the attributes were returned as expected, for example:

Name="mail"

I attached screenshots of the SAML response before/after migration, the SP metadata, and the current CAS service registry JSON.

Is there a specific configuration in CAS 7.3.5 to force SAML attribute names to be released as their original names, such as mail and givenName, instead of OID URNs?

Thanks in advance for your help.

sp-metadata.jpeg
json service registry.jpeg
attribut after migration.jpeg
attribut before migration.jpeg
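
The symptom described in this post can be confirmed from a captured SAML response by listing each Attribute's Name and comparing it with the names the SP expects. This is an added example, not part of the original post or of CAS; the sample XML is constructed, and whether CAS sets FriendlyName on a given attribute is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# OID URN -> short name: mail OID as quoted in the thread; 2.5.4.42 is givenName.
OID_TO_NAME = {"urn:oid:0.9.2342.19200300.100.1.3": "mail",
               "urn:oid:2.5.4.42": "givenName"}

# Constructed sample, not the poster's response (signature, subject etc. omitted).
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:AttributeStatement>
  <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
   <saml2:AttributeValue>user@example.org</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oid:2.5.4.42">
   <saml2:AttributeValue>Test</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="displayName">
   <saml2:AttributeValue>Test User</saml2:AttributeValue>
  </saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""


def released_attributes(xml_text):
    """One dict per saml2:Attribute: Name, FriendlyName and values."""
    root = ET.fromstring(xml_text)
    return [{"name": a.get("Name"),
             "friendly_name": a.get("FriendlyName"),
             "values": [v.text for v in a.iterfind("saml2:AttributeValue", NS)]}
            for a in root.iterfind(".//saml2:Attribute", NS)]


def missing_for_sp(xml_text, expected_names):
    """Map each expected name not released as Name=... to its carrier Name, or None."""
    attrs = released_attributes(xml_text)
    present = {a["name"] for a in attrs}
    report = {}
    for want in expected_names:
        if want in present:
            continue  # the SP finds this attribute under the name it expects
        report[want] = next(
            (a["name"] for a in attrs
             if a["friendly_name"] == want or OID_TO_NAME.get(a["name"]) == want),
            None)
    return report


if __name__ == "__main__":
    print(missing_for_sp(SAMPLE, ["mail", "givenName", "displayName", "memberOf"]))
```

The script only inspects attribute naming in a decoded response; it does not verify the response signature and is not a substitute for the SP's own validation.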

Richard Frovarp

Jun 10, 2026, 11:41:15 AM
to cas-...@apereo.org

Eugene Willis

Jun 10, 2026, 8:05:20 PM
to cas-...@apereo.org, cas-...@apereo.org
Add a blank file called samlidp-attribute-definitions.json in your classes directory. Should fix it.

Mohamed Iheb JEMAI

Jun 13, 2026, 3:14:49 PM
to CAS Community, Eugene Willis, cas-...@apereo.org
It works!! Thank you very much :)

Mohamed Iheb JEMAI

Jun 15, 2026, 9:05:46 AM
to CAS Community, Mohamed Iheb JEMAI, Eugene Willis, cas-...@apereo.org

Hi CAS Community,

The samlidp-attribute-definitions.json workaround fixed the original issue, and SAML attributes are now returned with their original names (mail, givenName, etc.).

However, after adding the file, the CAS login success page no longer displays any principal attributes. Before the change, I could see LDAP attributes such as mail, givenName, displayName, memberOf, etc.

Authentication still succeeds, but the Principal Attributes table is now empty.

Is this expected? Do I need to define the attributes explicitly in samlidp-attribute-definitions.json?

Thanks for your help.

cas_after_json_empty.jpeg
cas_before_json_empty.jpeg