[cas-user] Alternate Username with SAML 2.0

David Abney

unread,

Jan 26, 2016, 8:35:46 AM1/26/16

to cas-...@apereo.org

I have CAS 4.0.7 running and I’m testing using a different value from LDAP to authenticate with a service that uses the SAML 2.0 (Google Apps) support provided by CAS. I would like to use the employeeID attribute from Active Directory as the principal Id for this service only. I have tried this setup:

Setup in deployerConifgContext.xml file:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"

p:backingMap-ref="attrRepoBackingMap" />

<util:map id="attrRepoBackingMap">

</util:map>

<list>

<value>employeeID</value>

</list>

</property>

</bean>

<bean id="ldapAuthenticationHandler"

class="org.jasig.cas.authentication.LdapAuthenticationHandler"

p:principalIdAttribute="sAMAccountName"

c:authenticator-ref="authenticator">

<map>

<!--

| This map provides a simple attribute resolution mechanism.

| Keys are LDAP attribute names, values are CAS attribute names.

| Use this facility instead of a PrincipalResolver if LDAP is

| the only attribute source.

-->

</map>

</property>

</bean>

Setup in the argumentExtractorsConfiguration.xml file:

<bean id="googleAccountsArgumentExtractor"

class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor"

p:privateKey-ref="privateKeyFactoryBean"

p:publicKey-ref="publicKeyFactoryBean"

p:alternateUsername="employeeID" />

However, in the SAML assertion that comes from CAS, the name id that is sent over is just the text “employeeID” instead of the actual employee ID attribute in Active Directory. Any thoughts on why it isn’t sending the employee ID value? If I remove the alternateUsername field from the googleAccountsArgumentExtractor, then CAS does send over the sAMAccountName like it normally should.

Thanks,

David Abney

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

Misagh Moayyed

unread,

Jan 26, 2016, 2:22:04 PM1/26/16

to cas-...@apereo.org

Where is your attributeRepository used in the configuration?

David Abney

unread,

Jan 26, 2016, 2:49:29 PM1/26/16

to Misagh Moayyed, cas-...@apereo.org

Misagh,

It is used in the primaryPrincipalResolver, which is used by the authenticationManager. Is this setup correct to create the attribute repository?

<constructor-arg>

<map>

</map>

</constructor-arg>

</property>

</bean>

<bean id="primaryPrincipalResolver"

class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >

</bean>

I have attached the deployerConfigContext.xml file to make it easier to look at, if that helps.

Thanks,

David Abney

deployerConfigContext.xml

Misagh Moayyed

unread,

Jan 26, 2016, 3:32:04 PM1/26/16

to cas-...@apereo.org

No this isn’t. You see, you either use the attribute repository (and the associated resolver it’s linked to), or you use the authentication handler directly. Right now, you have declared them both. When you do this, your attribute repository/resolver takes precedence, which means you get static [stubbed] hardcoded attribute values, which means you just get employeeID verbatim.

Null out your primaryPrincipalResolver with: value="#{null}" and try again. Let your handler retrieve attributes for you.

David Abney

unread,

Jan 26, 2016, 3:51:08 PM1/26/16

to Misagh Moayyed, cas-...@apereo.org

Misagh,

I tried value=”#{null}”, but CAS is now encountering an error message about creating a bean ‘#{null}’. I assume I need to change something else in my deployerConfigContext file. Below is the message I am getting in the CAS log:

Error creating bean with name 'centralAuthenticationService' defined in ServletContext resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve reference to bean 'authenticationManager' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean '#{null}' while setting constructor argument with key [<ldapAuthenticationHandler>]; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'null' is defined

at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:334)

at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)

at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:637)

at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1077)

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:981)

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:487)

at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)

at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)

at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)

at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)

at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)

at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:636)

at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:934)

at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)

at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)

at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)

at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)

at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody0(SafeContextLoaderListener.java:75)

at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody1$advice(SafeContextLoaderListener.java:54)

at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized(SafeContextLoaderListener.java:1)

at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4973)

at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5467)

at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)

at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)

at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)

at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)

at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1073)

at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1857)

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)

at java.util.concurrent.FutureTask.run(FutureTask.java:262)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at java.lang.Thread.run(Thread.java:745)

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean '#{null}' while setting constructor argument with key [<ldapAuthenticationHandler>]; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'null' is defined

at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:334)

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean '#{null}' while setting constructor argument with key [<ldapAuthenticationHandler>]; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'null' is defined

at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:334)

at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)

at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedMap(BeanDefinitionValueResolver.java:384)

at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:165)

at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:651)