Hello,
I only need these attributes for the one service, so I would rather not query them unless the user is attempting to authenticate to a minimally used service.
Config:
#========================================
# CAS PERSON DIRECTORY
#========================================
cas.person-directory.active-attribute-repository-ids=NONE
cas.person-directory.attribute-resolution-enabled=false
cas.person-directory.principalAttribute=sAMAccountName
cas.person-directory.return-null=false
cas.person-directory.principal-resolution-failure-fatal=true
cas.person-directory.use-existing-principal-id=false
cas.authn.attribute-repository.core.merger=ADD
#========================================
# REST ATTRIBUTE REPOSITORY
#========================================
cas.authn.attribute-repository.rest[0].id=REST_REPO
cas.authn.attribute-repository.rest[0].order=1
cas.authn.attribute-repository.rest[0].url=https://host/folder/
cas.authn.attribute-repository.rest[0].basic-auth-username=test
cas.authn.attribute-repository.rest[0].basic-auth-password=test
cas.authn.attribute-repository.rest[0].state=ACTIVE
cas.authn.attribute-repository.rest[0].username-attribute=employeeID
cas.authn.attribute-repository.rest[0].method=GET
If I set these to:
cas.person-directory.active-attribute-repository-ids=REST_REPO
cas.person-directory.attribute-resolution-enabled=true
It appears to look up the attributes on every request and returns the desired attributes.
I was hoping to use a service:
{
"@class" : "org.apereo.cas.services.CasRegisteredService",
"id":10,
"serviceId":"^(https://test.com/).*",
"name":"TEST",
"description":"TEST",
"ssoEnabled":true,
"evaluationOrder":10,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
"principalAttributesRepository" : {
"@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
"ignoreResolvedAttributes": false,
"attributeRepositoryIds": ["java.util.HashSet", [ "REST_REPO" ]],
"mergingStrategy" : "ADD"
}
}
}
to use that attribute repo.
Is this possible, and if so, what do I need to do to make it work?
I know for example, with surrogate auth, I don't specifically need the person directory working on every request, just the ones that use that flow...
Thank you,
Matt
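The following is an added example, not code from the post above or from the CAS project. It parses a copy of the service definition shown in the post, unwraps the Jackson-typed `["java.util.HashSet", [...]]` form of `attributeRepositoryIds`, and then exercises the `serviceId` regex against a constructed set of URLs. The point a reviewer would raise about that pattern is that the `.` in `test.com` is unescaped, so `^(https://test.com/).*` also admits a look-alike host such as `testXcom`; the escaped pattern `^https://test\.com/.*$` is my suggested hardening, not something the post proposes. One assumption: the code uses `re.fullmatch`, on the understanding that CAS matches the whole service URL against the regex; the `^` anchor in the original pattern makes the results identical either way for these inputs.

```python
import json
import re

# Constructed copy of the service definition from the post (not read from any CAS instance).
SERVICE_JSON = r'''
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "id": 10,
  "serviceId": "^(https://test.com/).*",
  "name": "TEST",
  "description": "TEST",
  "ssoEnabled": true,
  "evaluationOrder": 10,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "ignoreResolvedAttributes": false,
      "attributeRepositoryIds": ["java.util.HashSet", [ "REST_REPO" ]],
      "mergingStrategy" : "ADD"
    }
  }
}
'''

# Escaped-dot variant of the pattern in the post (my suggestion, not from the post).
HARDENED_PATTERN = r"^https://test\.com/.*$"

# Constructed candidate URLs: the intended service plus a few look-alikes.
CANDIDATES = [
    "https://test.com/login",                       # intended service
    "https://test.com/",                            # intended service, root path
    "https://testXcom/login",                       # look-alike: unescaped '.' matches the 'X'
    "https://test.com.evil.example/",               # look-alike host; stopped by the trailing '/'
    "https://evil.example/?u=https://test.com/",    # stopped by the '^' anchor
    "http://test.com/login",                        # plain http; scheme does not match
]


def unwrap_typed(value):
    """Turn a Jackson default-typed collection such as
    ["java.util.HashSet", [...]] into the plain list it wraps."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")):
        return value[1]
    return value


def load_service(text):
    """Parse a CAS JSON service definition and pull out the fields
    relevant to per-service attribute resolution."""
    svc = json.loads(text)
    policy = svc.get("attributeReleasePolicy", {})
    repo = policy.get("principalAttributesRepository", {})
    return {
        "id": svc["id"],
        "service_id": svc["serviceId"],
        "attribute_repository_ids": set(unwrap_typed(repo.get("attributeRepositoryIds", []))),
        "merging_strategy": repo.get("mergingStrategy"),
    }


def service_matches(pattern, url):
    """Assumption: the whole URL is matched against the serviceId regex
    (Java Matcher.matches semantics), hence fullmatch rather than search."""
    return re.fullmatch(pattern, url) is not None


def matching_urls(pattern, urls):
    """Return, in order, the candidate URLs the pattern would accept."""
    return [u for u in urls if service_matches(pattern, u)]


ORIGINAL_PATTERN = load_service(SERVICE_JSON)["service_id"]

if __name__ == "__main__":
    svc = load_service(SERVICE_JSON)
    print("repositories consulted by the release policy:", sorted(svc["attribute_repository_ids"]))
    print("original pattern accepts:", matching_urls(ORIGINAL_PATTERN, CANDIDATES))
    print("hardened pattern accepts:", matching_urls(HARDENED_PATTERN, CANDIDATES))
```

Run it as-is and compare the two "accepts" lines: the original pattern lets `https://testXcom/login` through, the escaped one does not, while both still reject the host-suffix and open-redirect style look-alikes thanks to the trailing `/` and the `^` anchor.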