Returning additional attributes in CAS response


Matt Zukowski

Jun 18, 2008, 4:48:24 PM
to RubyCAS
A number of people have been asking for the ability to send back extra
attributes to the CAS client. (see
http://code.google.com/p/rubycas-server/issues/detail?id=10&q=attributes)

Up until now, RubyCAS-Server only returned the authenticated user's
username. As of revision 300, it is now possible to return other
attributes alongside the username -- be it the user's full name,
numeric identifier, group membership, etc.

To return extra attributes, simply fill the new @extra_attributes Hash
in your Authenticator's validate() method. For example, if in your
Authenticator's validate() method you do this:

@extra_attributes = {:real_name => "John Doe", :employee_number => 12345}

... then these attributes will be retained in the user's SSO session,
and will be sent along with their username to the client application.
RubyCAS-Client 2 is already able to read these attributes, so upon
logging in to a client application, you will see that the following
information is available:

session[:cas_user] <--- the username the user used to log in to the CAS server

session[:cas_extra_attributes] <--- the attributes we registered in the authenticator, in this case {:real_name => "John Doe", :employee_number => 12345}

I've gone ahead and implemented this in the existing SQL
authenticator. It is now possible to send values from additional
columns in your users table by adding the following option to your SQL
authenticator config:

extra_attributes: full_name, employee_number

Where 'full_name' and 'employee_number' are the columns in the users
table that we want to send.

If you're interested in implementing something similar in your own
custom authenticator, please have a look at the SQL authenticator for
an example of how it's done.



Please note that this feature is still very much experimental. I would
really (REALLY) appreciate it if someone did some third-party testing
on this. Let me know how it works for you. I'm in particular
interested in whether this creates any incompatibilities with other
CAS clients (PHP, Java, mod_auth_cas, etc.)
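
The following is an added example, not part of the original post and not RubyCAS-Server's own code. It sketches a custom authenticator whose validate() fills @extra_attributes from an explicit list of columns, so that only the configured attributes reach client applications. The class name, the in-memory user table and the list of sensitive columns are assumptions made for illustration.

```ruby
# Added example. ExampleAuthenticator, USERS and SENSITIVE are hypothetical
# stand-ins, not RubyCAS-Server classes or data.
class ExampleAuthenticator
  attr_reader :extra_attributes

  # Columns that should never be released to client applications (assumed names).
  SENSITIVE = %w[password password_hash salt].freeze

  # Constructed user table standing in for a real users table. A real table
  # would store a password hash, not the plaintext used here for brevity.
  USERS = {
    "jdoe" => { "password" => "s3cret", "full_name" => "John Doe",
                "employee_number" => 12345, "home_address" => "1 Example St" }
  }.freeze

  # options mirrors the config line: "extra_attributes" => "full_name, employee_number"
  def initialize(options)
    @release = options.fetch("extra_attributes", "").split(",").map(&:strip).reject(&:empty?)
    blocked = @release & SENSITIVE
    raise ArgumentError, "refusing to release: #{blocked.join(', ')}" unless blocked.empty?
  end

  # Returns true/false; fills @extra_attributes only on success.
  def validate(credentials)
    @extra_attributes = {} # reset so a failed login never carries old attributes
    user = USERS[credentials[:username]]
    return false unless user && user["password"] == credentials[:password]

    # Release only the explicitly configured columns, nothing else from the row.
    @release.each do |column|
      @extra_attributes[column.to_sym] = user[column] if user.key?(column)
    end
    true
  end
end

auth = ExampleAuthenticator.new("extra_attributes" => "full_name, employee_number")
auth.validate(username: "jdoe", password: "s3cret")
p auth.extra_attributes
```

Every attribute released this way is visible to each client application the user signs in to, so the column list is best kept to what those applications actually need.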