How to generate UID attribute in the SAML response from Apereo CAS


Pk Hafeez

Jun 14, 2018, 10:50:54 AM
to CAS Community
Have set up the latest version 5.3.0 of Apereo CAS. Want it to return the username as a UID attribute in the SAML response. Have made the appropriate changes to cas.properties and the serviceregistry.json file. But CAS somehow only returns the default attributes (UsernamePasswordCredential, samlAuthenticationStatementAuthMethod, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed). Note that this is just a POC setup, so there is no provisioning or LDAP or such. There is only one user on the CAS system, and when he (uo...@email.cuhybrid.com) makes a SAML request, the SAML response after authentication should simply send the username (uone) back as the uid attribute in the response.

cas.properties

cas.server.name: https://sso.idp.cuhybrid.com:8443
cas.server.prefix: https://sso.idp.cuhybrid.com:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.config.location: classpath:/services
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:///etc/cas/services

cas.authn.samlIdp.entityId=https://sso.idp.cuhybrid.com:443/cas/idp
cas.authn.samlIdp.scope=idp.cuhybrid.com

cas.authn.file.separator=::
cas.authn.file.filename=file:/etc/cas/config/password.txt
cas.authn.file.passwordEncoder.type=NONE
#release attributes
#cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.attributeRepository.attributes.uid=uid
#cas.authn.samlIdp.principalAttributeId=uid
#cas.authn.ldap[0].principalAttributeId=uid
cas.authn.samlIdp.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.samlIdp.attributeRepository.defaultAttributesToRelease=uid
cas.authn.samlIdp.attributeRepository.attributes.id=uid
cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.attributeRepository.defaultAttributesToRelease=uid
cas.authn.attributeRepository.samlIdp[0].id=uid
cas.authn.attributeRepository.samlIdp[0].attributes.id=uid



password.txt

uone@email.cuhybrid.com::T1swo123=

attribute-repository.json

{
  "uone": {
    "firstName": ["fname"],
    "lastName": ["lname"]
  }
}


/etc/cas/services/service.json

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://broker.wbx.com.*",
  "name" : "Broker",
  "id" : 20000001,
  "evaluationOrder" : 10,
  "metadataLocation" : "https://sso.idp.cuhybrid.com:8443/idb-meta-test-org1.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "uid" ] ]
  }
}


SAML Response (expected UID attribute missing from the attribute list): in the SAML response, I expect the username (uone) to be present in the attribute list under the name uid after the configuration made above. But somehow the attribute list contains only the defaults.

<saml2p:Response Destination="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"
    ID="_7652370489182156752" InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
    IssueInstant="2018-06-14T10:49:11.334Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_7652370489182156752">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>QVZFqX3IZhmlpVXtl6r4d8k9d8SC5jkX/Q+1a39gsS8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>EaAo6LKZYJn8b2Nm7M1QhfUyCtMYR2wqFm4+HdABhJT/3TDVlrsrhgz8fCRHM+zAFDQrsAXLokzEyj0q+riKsy3aOWVPIFhaOpctJuCS6/MvLBW/a2ZKU9rKNgawrVNWNOu6pAm0IgBQYd5SJnNyCEZnOQWk+H2f9YuqjWOlFw4HicNVisp9bZnXQJPQ9HMKSntgazLtJktuWhjdYMwjEpMckV0Smr/2A2A4tnmyXhBSu7DOm2k8OnqAdFyYydsDDyY0GyzV1PD/NXdXE65ZjbSner4NESV10GzKEUp+PoAFhd3zY9jGBc435BzD01L43anDZbEJ/pdTsogqVjSuQQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIWOjCCAiKgAwIBAgIVAIWJG4KZJNKnPfAtwXfzO5ZasZXKMA0GCSqGSIb3DQEBCwUAMCExHzAd
BgNVBAMMFnNzby5pZHAuY2FyZWh5YnJpZC5jb20wHhcNMTgwNjEyMDUxODI0WhcNMzgwNjEyMDUx
ODI0WjAhMR8wHQYDVQQDDBZzc28uaWRwLmNhcmVoeWJyaWQuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAkubHPbfub/uSD2ZCt9gxw7nUHNPKLotVlORJ48XEjXAY5ygaet4p+94S
gX8qafDETqay3ynVX/kZiVutg85xsR9nhTd/PSL9/CMR02U9qVpQP+EnMsttmc4u+GR/lvyPIi4C
bYS9piV89axFF3oYNy8B4phNmymCONEvT3XpuWIpA2LPRAYo/8rcPgpOABSRPex/Z1+OIcbw+Lwb
0cAuOxkSlc/X8X8Da3CiHemFxrswFkXCLEZOdd/a2CesuyJguFoFbcGW3ko4tSVgGWflt8vsn7wE
nMk4Un10dupDDWEzWx+bw0ELilyuqEDMOURQInWWI4PuuCdTqUld1pCzqwIDAQABo2kwZzAdBgNV
HQ4EFgQUiOTpeFxxMd+/pOaEhYmt59xmiQEwRgYDVR0RBD8wPYIWc3NvLmlkcC5jYXJlaHlicmlk
LmNvbYYjc3NvLmlkcC5jYXJlaHlicmlkLmNvbS9pZHAvbWV0YWRhdGEwDQYJKoZIhvcNAQELBQAD
ggEBAB2DYvASBcmG69GwPEX1HM4RsHsjcc+dMe3M3CcKcfyIDxy3dkA1M3JhqUP1sgXqJli0gFHp
NCF7fbikP4f0+O3z7L8cASZFu+gdL5Gre2umhRzPCL0v2q+dIbDEZ3h/Y841Tu8xO8xFCUTUO7Bi
nbg8KrKbWJX4FTrlPG/I0DncNF0wiKzYaJTevRmbRk1HUV+kCD8oN3RgpfDofVb8QQfpueVDaXuZ
oTRi7376ebOJk3UugAsgp255jTRojVrsuU6+w9YajAObArniSm2z5t3D8+47CTP0QSYd8SS+nCy6
uBBJhh4EfylDw4pobsZSHA23ZqwuySy49ZV37adNOLY=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_9139863724074917757" IssueInstant="2018-06-14T10:49:11.326Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4"
          SPNameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4">nm8GLI16mgBl2pJWfWI+zbKBpTg=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
            NotOnOrAfter="2018-06-14T10:49:16.029Z"
            Recipient="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-06-14T10:49:11.333Z" NotOnOrAfter="2018-06-14T10:49:16.333Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-06-14T10:49:11.029Z" SessionIndex="_8331287344390871950">
      <saml2:SubjectLocality Address="64.68.99.6"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="credentialType" Name="credentialType"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>UsernamePasswordCredential</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
          Name="samlAuthenticationStatementAuthMethod"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>true</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>2018-06-14T10:49:10.650Z[Etc/UTC]</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
          Name="successfulAuthenticationHandlers" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
          Name="longTermAuthenticationRequestTokenUsed"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>false</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>


Expected SAML response attribute: the expected form of the attribute is below, with the username (uone) as its value.

<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uone</saml:AttributeValue>
</saml:Attribute>
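
As an added example (not from the original post and not Apereo CAS code): a small Python check that parses the AttributeStatement of a SAML 2.0 response like the one above and reports which expected attribute names the IdP did not release, so a release-policy misconfiguration is caught without reading the XML by hand. The embedded response is a constructed, trimmed stand-in that carries two of the CAS default attributes and no uid.

```python
"""Check which attributes a SAML 2.0 IdP response actually releases."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): two CAS default attributes, no "uid".
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_2" Version="2.0">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="credentialType" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>UsernamePasswordCredential</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="isFromNewLogin" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>true</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def released_attributes(response_xml):
    """Return {Attribute Name: [values]} collected from every AttributeStatement.

    Keyed on Name (what the SP matches on), not FriendlyName. Uses the stdlib
    parser; for a response from an untrusted party, parse with defusedxml and
    verify the XML signature before trusting any attribute value.
    """
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def missing_attributes(response_xml, expected):
    """Names in `expected` for which the response carries no Attribute element."""
    return sorted(set(expected) - released_attributes(response_xml).keys())


if __name__ == "__main__":
    print("released:", sorted(released_attributes(SAMPLE_RESPONSE)))
    print("missing :", missing_attributes(SAMPLE_RESPONSE, {"uid"}))
```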



Pk Hafeez

Jun 14, 2018, 10:59:30 AM
to CAS Community
The attribute-repository.json file is used just for testing purposes; there is no real use for it later on. I would rather translate the incoming user request to a username and send it back in the SAML response. For example: translate uo...@email.com to uid: uone.