Login page and attributes


spfma...@e.mail.fr

May 29, 2026, 7:20:03 AM
to cas-...@apereo.org
Hi,
 
I am trying to understand how the values displayed on the CAS login welcome page are chosen.
 
Our CAS is using simple LDAP auth (no dedicated attributes resolver), with a dedicated binding user.
This one has access to more than 80 attributes, which can be confirmed using a simple "ldapsearch".
 
I don't want to use all of them, so "principal-attribute-list" has been set to the required ones.
 
If I understand correctly :
- "principal-attribute-list" defines a list of attributes which can be returned by services (possibly filtered at this level). An attribute not mentioned in this list, even if returned by the LDAP, will not be sent by services.
- "principal-attribute-list" is not a "retrieve those LDAP attributes only".
- If an attribute is mentioned on the list but not returned by the directory, it's omitted. So it's an "at best" list, depending on the available data.
 
Some people have discovered the login page, and plan to use it as some debug tool.
I was just using it to confirm LDAP connectivity was OK, but never paid attention to the details (I get my name, email, phone number, it's working).
 
For them, here is the problem: on this page, we have a list of attributes but it does not seem to match any logic so far.
- it's not the whole attributes list returned by the LDAP when using the dedicated user (much less).
- but it's much more than "principal-attribute-list" content.
- some attributes are displayed in the table although they are not mentioned in "principal-attribute-list". They are not declared in any service either; they just exist and have values. They seem to be randomly chosen.
 
We don't have any app using attributes other than uid, mail, ... right now so everything seems to be ok. 
But not seeing expected attributes on the table led those people to think "they are missing, so coming apps needing them won't be usable".
 
Can someone explain to me how this works, and whether some specific configuration is needed?
 
Regards

Dmitriy Kopylenko

May 29, 2026, 9:25:43 AM
to cas-...@apereo.org
Hello.

You didn't say which CAS version you're on - I'm looking at 7.3.x source, adjust if older.

First thing - the welcome page has two tabs, "Principal" and "Authentication". The Principal tab is authentication.principal.attributes, the Authentication tab is authentication.attributes. The second one is CAS internals (auth method, dates, mfa stuff, etc.), nothing from LDAP. People miss the tab and end up comparing apples and oranges, so worth a quick look first.

For the Principal tab - yeah, principal-attribute-list on the LDAP handler does what you described. It's the list the LDAP search asks for and what the handler maps onto the principal. Code's here:

https://github.com/apereo/cas/blob/7.3.x/support/cas-server-support-ldap-core/src/main/java/org/apereo/cas/authentication/LdapAuthenticationHandler.java#L165-L188

The gotcha is what happens after the handler. CAS runs PersonDirectoryPrincipalResolver next, and that one pulls from whatever you have under cas.authn.attribute-repository.*. Even if you didn't set up a dedicated attr repo, check that prefix - especially cas.authn.attribute-repository.core.default-attributes-to-release, that's a global bundle that goes onto every principal.

Also the LDAP block has additional-attributes, which just tacks more onto principal-attribute-list.

Easiest way to see where each attribute comes from is bump org.apereo.cas.authentication to DEBUG. The handler logs what it got from LDAP, the resolver logs the merge.

One more thing - the welcome page isn't really a debug tool. It's the "you logged in but didn't pick a service" landing page, and it shows the full principal, the superset. What an actual app sees gets filtered by that service's attribute release policy. So something being on the page doesn't mean a given service will get it, and something missing from the page doesn't mean it won't. If the question is "will app X see attribute Y", look at app X's release policy, not the welcome view.

Cheers,
D.


--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/434d4024ddd714ca29520239a2f19fb13d1d27d0%40mail.de.

spfma...@e.mail.fr

May 29, 2026, 10:41:58 AM
to cas-...@apereo.org
Hi,
 
Thank you for this detailed and useful answer !
 
I know it's not supposed to be a debug tool, but now those people know it exists and it is their "phpinfo for CAS" as one of them said.
Most of them don't even know what a CAS service is, but consider this one is a "show everything debug page". 
 
My Java knowledge is outdated, so it's very time consuming for me to dig up information, either in the doc or in the code.
 
We are running CAS 7.2.3, following a long update path starting around 2000.
So the configuration files have been adapted according to the needs, maybe with some rotten stuff.
 
This is what we have for auth and attributes :
 
############################
# LDAP / Simple login auth #
############################
cas.authn.ldap[0].name: OUR_LDAP - [LDAP Auth]
cas.authn.ldap[0].base-dn: dc=our,dc=stuff
cas.authn.ldap[0].bind-dn: cn=DEDICATED_USER,ou=applications,dc=our,dc=stuff
cas.authn.ldap[0].bind-credential: TOP_SECRET
cas.authn.ldap[0].dn-format: uid=%s,ou=people,dc=our,dc=stuff
cas.authn.ldap[0].enhance-with-entry-resolver: true
cas.authn.ldap[0].ldap-url: ldaps://OUR_LDAP_SERVER:636
cas.authn.ldap[0].page-size: 0
cas.authn.ldap[0].password-encoder.type: NONE
cas.authn.ldap[0].search-filter: (uid={user})
cas.authn.ldap[0].subtree-search: true
cas.authn.ldap[0].type: AUTHENTICATED
cas.authn.ldap[0].use-start-tls: false
cas.authn.ldap[0].principal-attribute-list: A,B,C,D,E,F
cas.authn.ldap[0].disable-pooling: True
cas.authn.ldap[0].min-pool-size: 4
cas.authn.ldap[0].max-pool-size: 8

########################################################
# Attribute repository (for non-LDAP auth like SPNEGO) #
########################################################
cas.authn.attribute-repository.ldap[0].name: OUR_LDAP [Attribute resolver]
cas.authn.attribute-repository.ldap[0].base-dn: dc=our,dc=stuff
cas.authn.attribute-repository.ldap[0].bind-credential: TOP_SECRET
cas.authn.attribute-repository.ldap[0].bind-dn: cn=DEDICATED_USER,ou=applications,dc=our,dc=stuff
cas.authn.attribute-repository.ldap[0].ldap-url: ldaps://OUR_LDAP_SERVER:636
cas.authn.attribute-repository.ldap[0].search-filter: (uid={user})
 
No user-defined "cas.authn.attribute-repository.core.default-attributes-to-release" and no specific personal attributes mappings.
 
All logs are on debug, but I didn't really know what to look for. You gave me valuable clues.
 
Maybe I have to overload the welcome page some day, and just put a big "Welcome USER_NAME" in the middle of the screen :-)
 
Regards
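A way to check the three stages Dmitriy describes (LDAP handler with principal-attribute-list and additional-attributes, attribute repository merged by the principal resolver, then the service's attribute release policy) by hand, as an added example that is not code from CAS or from any of the posts: a small Python model run over a constructed directory entry and a properties fragment modelled on the configuration posted above. The attribute names stand in for the A..F placeholders and are made up; the ldapAttr:principalAttr renaming form of principal-attribute-list is honoured; the merge is a plain union; and an attribute repository with no `attributes` mapping is assumed to contribute the whole entry, which you should verify against your CAS version rather than trust from this model.

```python
"""Model of how a CAS principal is assembled, then filtered for one service.

Added example, not CAS code. Stage 1: LDAP authentication handler
(principal-attribute-list + additional-attributes). Stage 2: LDAP attribute
repository, merged in by the principal resolver. Stage 3: the service's
attribute release policy. Union merge and the "unmapped repository returns
the whole entry" rule are ASSUMPTIONS, not verified CAS behaviour.
"""
import json

# Constructed directory entry: what the dedicated bind user can read for one
# person. Names and values are made up and do not come from the thread.
DIRECTORY_ENTRY = {
    "uid": ["jdoe"],
    "mail": ["jdoe@our.stuff"],
    "cn": ["Jane Doe"],
    "telephoneNumber": ["+33 1 00 00 00 00"],
    "departmentNumber": ["42"],
    "employeeType": ["staff"],
    "eduPersonAffiliation": ["member", "staff"],
    "memberOf": ["cn=app-x,ou=groups,dc=our,dc=stuff"],
}

# Constructed properties fragment modelled on the posted config; the attribute
# names replace the A..F placeholders and are assumptions.
CAS_PROPERTIES = """
cas.authn.ldap[0].principal-attribute-list: uid,mail,cn:commonName,displayName
cas.authn.ldap[0].additional-attributes: telephoneNumber
cas.authn.attribute-repository.ldap[0].attributes.departmentNumber: departmentNumber
cas.authn.attribute-repository.ldap[0].attributes.memberOf: groups
"""

# Constructed service definition in the CAS JSON service-registry format.
SERVICE_JSON = r"""
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^https://app-x\\.our\\.stuff/.*",
  "name" : "App X",
  "id" : 1001,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList",
                            [ "uid", "mail", "groups", "eduPersonAffiliation" ] ]
  }
}
"""


def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        seps = [i for i in (line.find(":"), line.find("=")) if i >= 0]
        if seps:
            props[line[:min(seps)].strip()] = line[min(seps) + 1:].strip()
    return props


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def ldap_handler_attributes(props, entry, index=0):
    """Stage 1: only the listed attributes are requested; 'ldap:principal'
    renames one; anything the directory does not return is silently omitted."""
    prefix = f"cas.authn.ldap[{index}]."
    wanted = _csv(props.get(prefix + "principal-attribute-list", ""))
    wanted += _csv(props.get(prefix + "additional-attributes", ""))
    out = {}
    for spec in wanted:
        ldap_name, _, principal_name = spec.partition(":")
        if ldap_name in entry:
            out[principal_name or ldap_name] = list(entry[ldap_name])
    return out


def attribute_repository_attributes(props, entry, index=0):
    """Stage 2: with an explicit 'attributes.<ldap>=<principal>' mapping only
    those are taken. ASSUMPTION: with no mapping the whole entry is used."""
    prefix = f"cas.authn.attribute-repository.ldap[{index}].attributes."
    mapping = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    if not mapping:
        return {name: list(values) for name, values in entry.items()}
    return {mapping[name]: list(entry[name]) for name in mapping if name in entry}


def resolve_principal(props, entry):
    """Stages 1+2 merged: the superset the welcome page displays.
    ASSUMPTION: plain union of values per name (CAS offers other mergers)."""
    principal = ldap_handler_attributes(props, entry)
    for name, values in attribute_repository_attributes(props, entry).items():
        merged = principal.setdefault(name, [])
        merged.extend(v for v in values if v not in merged)
    return principal


def release_for_service(service_json, principal):
    """Stage 3: what one registered service receives. An allowed name that is
    not on the principal yields nothing: the policy permits, it does not fetch."""
    policy = json.loads(service_json)["attributeReleasePolicy"]
    kind = policy["@class"].rsplit(".", 1)[-1]
    if kind == "ReturnAllAttributeReleasePolicy":
        return dict(principal)
    if kind != "ReturnAllowedAttributeReleasePolicy":
        raise ValueError(f"unsupported release policy: {kind}")
    allowed = policy["allowedAttributes"]
    if len(allowed) == 2 and allowed[0] == "java.util.ArrayList":
        allowed = allowed[1]  # CAS's typed-collection JSON form
    return {name: principal[name] for name in allowed if name in principal}


if __name__ == "__main__":
    props = parse_properties(CAS_PROPERTIES)
    principal = resolve_principal(props, DIRECTORY_ENTRY)
    print("LDAP entry       :", sorted(DIRECTORY_ENTRY))
    print("welcome page     :", sorted(principal))
    print("released to App X:", sorted(release_for_service(SERVICE_JSON, principal)))
```

With this input the welcome page shows six attributes (the handler's four plus the two the repository maps in), which is more than the principal-attribute-list and less than the eight the directory holds; displayName is listed but absent from the entry, so it never appears. App X then gets only uid, mail and groups: eduPersonAffiliation is allowed by its policy but no source ever put it on the principal, which is the case to check first when a new application complains an attribute is missing.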

Ray Bon

May 29, 2026, 4:25:36 PM
to cas-...@apereo.org
principal-attribute-list should only return those attributes from LDAP, no more.

Cas generates a number of other attributes related to the authentication event, such as time stamps and authn methods. See https://apereo.github.io/cas/7.3.x/integration/Attribute-Release-Policies.html

There is some global config and service level config.

Ray

From: spfma.tech via CAS Community <cas-...@apereo.org>
Sent: May 29, 2026 07:36
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] Login page and attributes
 