Help Using a Different Principal ID Attribute


David Abney

May 3, 2016, 1:21:48 PM
to cas-...@apereo.org

I am currently on CAS 4.0.7 and I am trying to authenticate with a service using a different attribute than the normal principal ID. I am trying to get CAS to return the employeeID instead of the sAMAccountName. So, I have the deployerConfigContext.xml file set up like below, according to http://jasig.github.io/cas/4.0.x/integration/Attribute-Release.html .

In deployerConfigContext.xml:

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="sAMAccountName"
      c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
        <map>
            <!--
               | This map provides a simple attribute resolution mechanism.
               | Keys are LDAP attribute names, values are CAS attribute names.
               | Use this facility instead of a PrincipalResolver if LDAP is
               | the only attribute source.
               -->
            <entry key="displayName" value="displayName" />
            <entry key="mail" value="mail" />
            <entry key="memberOf" value="memberOf" />
            <entry key="employeeID" value="employeeID" />
        </map>
    </property>
</bean>

The registered service looks like this:

<bean class="org.jasig.cas.services.RegexRegisteredService">
    <property name="id" value="8" />
    <property name="name" value="OCLC" />
    <property name="description" value="Allows connections from OCLC hosted site" />
    <property name="serviceId" value="[service url]" />
    <property name="evaluationOrder" value="8" />
    <property name="usernameAttribute" value="employeeID" />
    <property name="allowedAttributes">
        <list>
            <value>employeeID</value>
        </list>
    </property>
</bean>

Then, when I try to authenticate with the service, the CAS log shows that it got my employee ID number from LDAP, which is good. However, it says the principal id to return for the service is my user name and the default principal id is my employee ID number. So, is CAS sending my user name (sAMAccountName) or my employee ID as the principal ID? Is there a way to test? If CAS is still returning the sAMAccountName, how do I get it to return the employeeID as the principal ID? The people in charge of the hosted service I am working with believe CAS is still sending the sAMAccountName.

CAS log:

=============================================================
WHO:  my_user_name
WHAT: ST-5248-1PHxmo1HozRbMV7S3tbb for service_url
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue May 03 10:40:38 EDT 2016
CLIENT IP ADDRESS: 10.21.1.35
SERVER IP ADDRESS: 192.102.218.104
=============================================================

2016-05-03 10:40:38,622 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: service_url
2016-05-03 10:40:38,623 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-5248-1PHxmo1HozRbMV7S3tbb]
2016-05-03 10:40:38,623 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-5248-1PHxmo1HozRbMV7S3tbb] found in registry.
2016-05-03 10:40:38,623 DEBUG [org.jasig.cas.services.support.RegisteredServiceDefaultAttributeFilter] - Found attribute [employeeID] in the list of allowed attributes for service [OCLC]
2016-05-03 10:40:38,623 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal id to return for service [OCLC] is [my_user_name]. The default principal id is [my_employee_id].
2016-05-03 10:40:38,624 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-5248-1PHxmo1HozRbMV7S3tbb] from registry
2016-05-03 10:40:38,624 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-5248-1PHxmo1HozRbMV7S3tbb]
2016-05-03 10:40:38,624 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

Thanks,

––––––––––––––––––––
David Abney
ITS Web Developer/Programmer

600 West Walnut Street
Danville, Kentucky 40422
859.238.5761


www.centre.edu


Dmitriy Kopylenko

May 3, 2016, 1:33:07 PM
to David Abney, CAS Community

This works as designed and employeeID is being returned in place of principal’s identifier. The log message is confusing, though.

You could try to verify the attributes returned with this client app: https://github.com/UniconLabs/bootiful-cas-client (or any other client apps that you feel comfortable setting up).

Cheers,
D.


-- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3705525284a4eceab0d3f70dc3b8cb9%40Exchange-MB2.centre.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
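The check Dmitriy suggests, done by hand as an added example rather than with the client app he links (this is not code from the thread or from CAS): parse the XML a CAS server returns from its /serviceValidate endpoint and confirm that the value in cas:user is the released employeeID and not the sAMAccountName. The two responses below are constructed samples; against a live server the XML would be the body fetched from https://<cas-server>/cas/serviceValidate?service=...&ticket=ST-... after the login redirect.

```python
import xml.etree.ElementTree as ET

# Namespace used by the CAS protocol's serviceValidate response.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses (not captured from the server in the thread).
# A success response carrying one released attribute, as CAS 4.0 renders it:
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>1234567</cas:user>
    <cas:attributes>
      <cas:employeeID>1234567</cas:employeeID>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# A failure response, e.g. a service ticket presented a second time after its one-time use:
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def parse_validation_response(xml_text):
    """Return (user, {attribute: [values]}) on success; raise ValueError carrying the CAS failure code."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("MALFORMED: neither authenticationSuccess nor authenticationFailure present")
    user = (success.findtext("cas:user", namespaces=CAS_NS) or "").strip()
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # strip the {namespace} prefix ElementTree adds
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user, attrs

def principal_matches_attribute(xml_text, attribute_name):
    """True if cas:user carries the value of the attribute named in the service's usernameAttribute."""
    user, attrs = parse_validation_response(xml_text)
    return user != "" and user in attrs.get(attribute_name, [])

def failure_code(xml_text):
    """Return the CAS failure code for a failed validation, or None if validation succeeded."""
    try:
        parse_validation_response(xml_text)
        return None
    except ValueError as exc:
        return str(exc).split(":", 1)[0]
```

The server-side DEBUG line in the thread names the sAMAccountName, so only this client-side view of cas:user settles which identifier the service actually receives.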

David Abney

May 4, 2016, 8:38:26 AM
to cas-...@apereo.org

If anyone was curious, I was able to use this https://github.com/UniconLabs/bootiful-cas-client, with the help of Dmitriy Kopylenko, to test the value my CAS server was returning. I was able to confirm that my CAS server was actually sending the employeeID as the principal ID, instead of the sAMAccountName.

Thanks,

––––––––––––––––––––
David Abney
