CAS attributes


4lo...@gmail.com

Feb 13, 2019, 4:34:32 PM
to SimpleSAMLphp

Hello everybody, I hope you are doing well.


I am new at using SimpleSAMLphp and I am having some problems that I cannot figure out. I have an application that requires users to log in. For this particular application, I need to allow users to log in with a custom database that I created and with CAS. I have the custom database provider working. The problem is that when I select to authenticate with CAS, I get redirected to the CAS server and, after a successful login at the CAS server, I get redirected to my application. In my application, I try to get the attributes and I only get an empty array.


In my application:

$as = new \SimpleSAML\Auth\Simple('castest');
$as->requireAuth();
$attributes = $as->getAttributes();

print_r($attributes);
die();


The result is an empty array.


Also, when I test it under Authentication > Test configured authentication sources and select castest, this is the result:


{
    "Attributes": [],
    "Authority": "castest",
    "AuthnInstant": 1550007903,
    "Expire": 1550036703
}


In authsources.php, I have this, which I got from https://simplesamlphp.org/docs/stable/cas:cas


'castest' => array(
    'cas:CAS',
    'cas' => array(
        'login' => 'https://casserver/login.php',
        'validate' => 'https://casserver/validate.php',
        'logout' => 'http://casserver/logout.php',
    ),
    'ldap' => array(
        'servers' => false,
    ),
),


I tested if CAS returned any attributes to my app using this code

https://github.com/apereo/phpCAS/blob/master/docs/examples/example_advanced_saml11.php

and it does return attributes like mail and others.



How can I access the CAS attributes in my application?

Something like this:


{
    "Attributes": [
        'mail' =[
            te...@email.com
        ]
    ],
    "Authority": "castest",
    "AuthnInstant": 1550007903,
    "Expire": 1550036703
}

Bjorn Rohde Jensen

Feb 13, 2019, 5:41:11 PM
to simple...@googlegroups.com
Ello there,

>
> I am new at using simplesamlphp and I am having some problems that I can
> not figure out. I have an application that requires for users to login. For
> this particular application, I need to allow user to be able to login with
> a custom database that I created and CAS. I have the custom database
> provider working. The problem is, when I select to authenticate with CAS. I
> get redirected to the CAS server and after a successful logging at the CAS
> server, I get redirected to my application. At my application, I try to get
> the attributes and I only get an empty array.
>
>

I am not terribly familiar with the cas authsource module in
SimpleSAMLphp, but looking at the code, it seems that it supports both
CAS 1.0 and CAS 2.0. It looks very much like you are using the CAS 1.0
validate endpoint in your configuration, which does not support
attributes. The authsource relies on LDAP lookup to retrieve attributes
in this case, and your provided configuration has LDAP entirely
disabled, so the behaviour is entirely to be expected.

I do not know which CAS server you are using, but try changing;
to

'serviceValidate' => 'https://casserver/serviceValidate.php',

There is a good chance that is the CAS 2.0 ticket validation endpoint
of your CAS server, otherwise you will have to dig in the documentation
for it...;)

Yours sincerely,

Bjorn

pat...@cirrusidentity.com

Feb 14, 2019, 2:03:56 PM
to SimpleSAMLphp
In addition to Bjorn's suggestion (to use 'serviceValidate' to indicate use of CAS v2), you'll need to define some XPath expressions to map the attributes XML returned from CAS to what you want.

e.g.

'serviceValidate' => 'https://server/account/cas/serviceValidate',
'logout' => 'https://server/account/cas/logout',
'attributes' => [
    'uid' => '/cas:serviceResponse/cas:authenticationSuccess/cas:user',
    'sn' => '/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:lastname',
    'givenName' => '/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:firstname',
    'mail' => '/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:email',
    'customabc' => '/cas:serviceResponse/cas:authenticationSuccess/custom:abc',
]
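
An added example (not part of the post above and not SimpleSAMLphp's own code) showing how an XPath map of this shape selects values from a CAS 2.0 serviceValidate response, and why a CAS 1.0 validate body yields no attributes. The response bodies are constructed, the element names under cas:attributes depend on the CAS server, and mapCasAttributes is a hypothetical helper.

```php
<?php
// Constructed sample bodies; real element names depend on your CAS server.
$cas2 = <<<XML
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:firstname>Jane</cas:firstname>
      <cas:email>jdoe@example.org</cas:email>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
XML;
$cas1 = "yes\njdoe\n"; // CAS 1.0 /validate body: plain text, no attributes

$base = '/cas:serviceResponse/cas:authenticationSuccess';
$map = [
    'uid'       => "$base/cas:user",
    'givenName' => "$base/cas:attributes/cas:firstname",
    'mail'      => "$base/cas:attributes/cas:email",
    'sn'        => "$base/cas:attributes/cas:lastname", // absent in the sample
];

// Hypothetical helper: apply the map and report expressions that match nothing.
function mapCasAttributes(string $body, array $map): array
{
    libxml_use_internal_errors(true);          // collect parse errors quietly
    $dom = new DOMDocument();
    if (!$dom->loadXML($body, LIBXML_NONET)) { // LIBXML_NONET: no network fetches
        return ['error' => 'not XML (CAS 1.0 response?)', 'attributes' => []];
    }
    $xpath = new DOMXPath($dom);
    $xpath->registerNamespace('cas', 'http://www.yale.edu/tp/cas');
    // Map nothing unless the server reported exactly one success element.
    if ($xpath->query('/cas:serviceResponse/cas:authenticationSuccess')->length !== 1) {
        return ['error' => 'no authenticationSuccess', 'attributes' => []];
    }
    $out = ['error' => null, 'attributes' => [], 'unmatched' => []];
    foreach ($map as $name => $expr) {
        $nodes = $xpath->query($expr);
        if ($nodes === false || $nodes->length === 0) {
            $out['unmatched'][] = $name;       // expression selects nothing
            continue;
        }
        foreach ($nodes as $node) {
            $out['attributes'][$name][] = trim($node->textContent);
        }
    }
    return $out;
}
print_r(mapCasAttributes($cas2, $map)); // uid, givenName, mail; 'sn' unmatched
print_r(mapCasAttributes($cas1, $map)); // error: not XML, no attributes
```

Names listed under 'unmatched' point at XPath expressions whose element names differ from what the server actually returns.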


Lorenzo Aju

Feb 14, 2019, 2:37:42 PM
to simple...@googlegroups.com
Thank you so much Patrick and Bjorn. I have made the changes that you all suggested and it's working now!

Thank you!


Frédéric Thu

Jan 19, 2022, 8:46:36 AM
to SimpleSAMLphp
At last you showed how to get the attributes! Thank you!

If others find this topic, as I did after hours searching, may I add that if /serviceValidate does not return the attributes, you might have to call /p3/serviceValidate to get them...