5.1.x - How to configure CAS to transfer some values from different LDAP attributes


Jérémie Pilette

Sep 7, 2017, 9:50:52 AM
to CAS Community
Hello,

I would like to configure my cas.properties in order to have the possibility to transfer some values from LDAP to a service (Ypareo for example).

Do you know how to do that?

Must I use these parameters:
# cas.authn.ldap[0].principalAttributeId=uid
# cas.authn.ldap[0].principalAttributePassword=password
# cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,eduPersonTargettedId:SOME_IDENTIFIER


or these parameters:
# cas.authn.attributeRepository.ldap[0].attributes.uid=uid
# cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
# cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
# cas.authn.attributeRepository.ldap[0].attributes.affiliation=groupMembership


Thanks a lot,

Jérémie

Jérémie Pilette

Sep 15, 2017, 9:42:29 AM
to CAS Community
Is there somebody who can help me, please?

Thank you,

Jérémie

David Curry

Sep 15, 2017, 10:03:47 AM
to cas-...@apereo.org
Personally I would use the second option, as it gives you more flexibility.

If you'd like a step-by-step example of setting up attribute release, see here: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_resolution-release_overview.html

(The above is not official documentation.)

--Dave




--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2b2cab04-9fec-42d8-a2ad-e3a57f1090d4%40apereo.org.

Ray Bon

Sep 15, 2017, 11:51:05 AM
to cas-...@apereo.org
Jérémie

You can specify the attributes to be released on a per service basis. Add something like this to your service definition:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "uvicEduPersonNetLinkContactUpdateTimestamp" : "contactUpdateTimestamp",
      "uvicEduPersonSpridenID" : "UDC_IDENTIFIER"
    }
  }

This way you can set the identifier name to be service specific and leave the ldap identifiers in their raw format.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Jérémie Pilette

Sep 19, 2017, 7:24:28 AM
to CAS Community
Thank you for your responses.

I have used the JSON configuration "attributeReleasePolicy", but no attributes are sent to the service.
Is there a parameter to add in the cas.properties?

In the "Attribute Release Policies", it is written that it is about principal attributes. Where can we define the principal attributes?

I must be forgetting something... but what?

Thank you,

Jérémie

Doug Campbell

Sep 19, 2017, 7:30:12 AM
to cas-...@apereo.org

You probably want something like this in your cas.properties:

 

cas.authn.ldap[0].principalAttributeList=sAMAccountName,givenName,sn,mail,memberOf,distinguishedName

 

Of course put in the attributes that you want to release.


David Curry

Sep 19, 2017, 7:55:56 AM
to cas-...@apereo.org
Did you configure the server to support releasing attributes with SAML 1.1? The CAS protocol didn't support attribute release until v3.0 of the protocol, which came out in v4.0 of the server.

To support SAML 1.1 attribute release, you need this in pom.xml:

    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
    </dependency>

If you'd like a complete working example, you can see here (and the surrounding sections): https://dacurry-tns.github.io/deploying-apereo-cas/building_server_ldap_resolution-release_overview.html

--Dave



Ray Bon

Sep 19, 2017, 12:26:17 PM
to cas-...@apereo.org
Add this to your log4j2.xml to see if the attributes are being released from LDAP:
<AsyncLogger name="org.apereo.cas.authentication.LdapAuthenticationHandler" level="debug" />

Like Doug said, your client application needs to be configured to use SAML 1.1 or CAS protocol 3.

Ray
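The protocol point Dave and Ray make above is easy to confirm from the client side: a client that talks CAS 2.0 (/serviceValidate) never receives an attribute block, whatever the server's release policy says, while a CAS 3.0 client (/p3/serviceValidate) receives one. The following is an added example, not code from this thread or from the CAS project: a minimal parser for the validation XML plus the "which attributes are missing" check a service owner would run when, like Jérémie, they see no attributes arriving. The three responses are constructed samples in the CAS response format (the user, the mail address and the group DNs are made up), not captures from any server.

```python
"""
Added example: parse CAS serviceValidate / p3/serviceValidate responses and
report which required attributes were not released. Samples are constructed.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


def _q(tag):
    """Fully qualified element name in the CAS response namespace."""
    return "{%s}%s" % (CAS_NS, tag)


# Constructed sample: CAS 2.0 /serviceValidate reply. The 2.0 protocol has no
# attribute block, so even a correct release policy shows nothing here.
CAS2_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jpilette</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: CAS 3.0 /p3/serviceValidate reply with released
# attributes. Multi-valued attributes (memberOf) are repeated elements.
CAS3_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jpilette</cas:user>
    <cas:attributes>
      <cas:sn>Pilette</cas:sn>
      <cas:givenName>Jeremie</cas:givenName>
      <cas:mail>jpilette@example.org</cas:mail>
      <cas:memberOf>CN=students,OU=groups,DC=example,DC=org</cas:memberOf>
      <cas:memberOf>CN=ypareo-users,OU=groups,DC=example,DC=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: validation failure (expired or already consumed ticket).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class TicketValidationError(Exception):
    """Raised when the server did not report authenticationSuccess."""


def parse_validation_response(xml_text):
    """Return {'user': str, 'attributes': {name: [values]}} or raise.

    The reply comes from the CAS server over the client's own TLS connection,
    but it is still XML: a production client should parse it with defusedxml
    to rule out entity-expansion tricks. stdlib ElementTree keeps this
    example dependency-free.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q("serviceResponse"):
        raise TicketValidationError("unexpected root element %r" % root.tag)

    success = root.find(_q("authenticationSuccess"))
    if success is None:
        failure = root.find(_q("authenticationFailure"))
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise TicketValidationError("ticket validation failed: %s" % code)

    user = (success.findtext(_q("user")) or "").strip()
    if not user:
        raise TicketValidationError("authenticationSuccess without cas:user")

    attributes = {}
    attr_block = success.find(_q("attributes"))
    if attr_block is not None:
        for child in attr_block:
            # Drop the namespace; repeated elements accumulate into a list.
            name = child.tag.rsplit("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


def missing_attributes(result, required):
    """Names in `required` that the server did not release (empty counts as
    missing). Anything listed here means the server-side release policy, or
    the protocol version the client uses, still needs attention."""
    return [name for name in required if not result["attributes"].get(name)]


if __name__ == "__main__":
    for label, body in (("CAS 2.0", CAS2_RESPONSE), ("CAS 3.0", CAS3_RESPONSE)):
        parsed = parse_validation_response(body)
        print(label, parsed["user"], parsed["attributes"],
              "missing:", missing_attributes(parsed, ["mail", "sn"]))
```

Run against the two samples, the CAS 2.0 reply reports every required attribute as missing while the CAS 3.0 reply reports none, which is exactly the symptom of a client still pointed at /serviceValidate. A failure response raises instead of returning a user, so a caller cannot accidentally treat an invalid ticket as an authenticated session.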

SOPHIE Fang

Sep 19, 2017, 2:34:34 PM
to CAS Community
I think I have a similar issue, though not as complicated as his.
My client side is using the CAS protocol; the dependency I use is cas-client version 3.4.1.
Below is what I have in my cas.properties:
cas.authn.ldap[0].principalAttributeList=username,sAMAccountName,sn,cn,givenName,displayName
However, the AttributePrincipal does not return LDAP_ATTR_DISPLAYNAME or LDAP_ATTR_SN.
Do I also need to add a CAS dependency on the CAS SSO server side?


On Tuesday, September 19, 2017 at 12:26:17 PM UTC-4, rbon wrote:

SOPHIE Fang

Sep 19, 2017, 3:01:50 PM
to CAS Community

cas.authn.attributeRepository.defaultAttributesToRelease=email,sn,givenName,displayName

On Tuesday, September 19, 2017 at 2:34:34 PM UTC-4, SOPHIE Fang wrote:

SOPHIE Fang

Sep 19, 2017, 4:05:35 PM
to CAS Community
It works. If you are like me, releasing them regardless of which client application is calling, here is what I did:
cas.authn.attributeRepository.defaultAttributesToRelease=mail,sn,givenName,displayName
cas.authn.ldap[0].principalAttributeList=username,sAMAccountName,sn,cn,givenName,displayName,mail

I checked the source code. It seems like it first takes the principalAttributeList, then checks whether each entry is contained in defaultAttributesToRelease. Thus you need to add a field in both places.

On Tuesday, September 19, 2017 at 3:01:50 PM UTC-4, SOPHIE Fang wrote:

cas.authn.attributeRepository.defaultAttributesToRelease=mail,sn,givenName,displayName

Doug Campbell

Sep 19, 2017, 9:25:52 PM
to cas-...@apereo.org

Yes. Or you could create an attribute release policy in your service definition (https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html). If what you are doing meets your needs, though, I would stick with it, since it is simpler.


Jérémie Pilette

Sep 29, 2017, 5:52:36 AM
to CAS Community

Hi everybody,
I have succeeded in doing my configuration.
I wrote a tutorial, but it is in French for the moment, sorry.

Take a look at my attached file.

You can see that my synthesis comes from many sources.

Thank you.

Jérémie
cas-5.1.x-Attribute_Release.pdf