Moving to cas-dev, per Bill Thompson's request. I've opened https://issues.jasig.org/browse/CAS-1357 for this.
For the time being, I've implemented the resolvePrincipal-time solution, which I was able to do by extending the AdditionalDescriptorsPersonAttributeDao, overriding getPossibleUserAttributeNames so that I could release them to services, and adding a session-scope AttributesHolder into all of my CredentialsToPrincipalResolvers. I think I also learned more about Person Directory than I wanted to know. :)

I poked around for SAML 1.1 standards docs, and I didn't find anything that differentiated between "Person Attributes" and "Authentication Attributes" like the CAS model does. Is this violating any design principles by attaching credential-derived attributes to the principal?

Thanks,
Rich

On Tue, Sep 17, 2013 at 12:22 PM, Marvin S. Addison <[email protected]> wrote:

>> I have a set of attributes that are based on Credentials (e.g. an
>> internal LOA value based on the credential type, certificate used in
>> X509 authentication) that I need to have expressed as attributes in the
>> SAML 1.1 assertion generated by CAS....
>>
>> 2. Build a PersonAttributeDao implementation to inject the attributes
>> at resolvePrincipal time.
>
> We accomplish this via 2. We define a stub LOA attribute with a static DAO
> implementation then use a merging one to combine the various DAOs. Once we
> get the attribute definition into the authn pipeline, it's easy to update
> it with a custom resolver.
>
> SAML2 has the AuthnContext slot that is an ideal place to describe things
> like LOA, but SAML 1.1 afaik only has AuthenticationMethod.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Richard J. Renomeron, Project Lead
TCG
Yes, it *can* be done!
Tel: (202) 742-8460 | Fax: (202) 986-5532
Google Talk: [email protected] | AIM: rrenomeronTCG
OpenPGP Key ID 8CD7CFEB | www.tcg.com

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev
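The resolvePrincipal-time approach Rich describes (a session-scoped descriptor holder populated from the credential, an AdditionalDescriptorsPersonAttributeDao subclass that advertises the attribute names, and the merged Person Directory lookup picking them up), sketched as an added example. This is illustration written for this thread, not code from Rich, Marvin, or the CAS project. It assumes the CAS 3.x and Person Directory 1.5 interfaces named in the imports (CredentialsToPrincipalResolver, SimplePrincipal, X509CertificateCredentials, IPersonAttributeDao, AdditionalDescriptors); the package, class and attribute names and the LOA values "1" and "3" are made up, and the Spring wiring (session-scoped AdditionalDescriptors bean, the merging DAO that includes CredentialAttributesDao, usernameAttributeProvider) is left out.

```java
// Added example for the cas-dev thread above; not CAS project code.
// Package, class and attribute names are hypothetical; the CAS 3.x and
// Person Directory 1.5 APIs used here are assumed to match the deployed version.
package example.cas.loa;

import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;
import org.jasig.services.persondir.IPersonAttributeDao;
import org.jasig.services.persondir.IPersonAttributes;
import org.jasig.services.persondir.support.AdditionalDescriptors;
import org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao;

/**
 * Resolver decorator: resolve the principal id with a delegate that does NOT
 * consult the attribute repository, store the credential-derived attributes in
 * the session-scoped AdditionalDescriptors, and only then run the merged
 * Person Directory lookup so that CredentialAttributesDao contributes to it.
 */
public class CredentialAttributeResolver implements CredentialsToPrincipalResolver {

    /** Hypothetical attribute names released to services. */
    public static final String LOA_ATTR = "internalLoa";
    public static final String CERT_SUBJECT_ATTR = "x509SubjectDn";

    /**
     * Merge participant. The stock AdditionalDescriptorsPersonAttributeDao returns
     * null from getPossibleUserAttributeNames(), so the merging DAO (and the services
     * management UI) never learns these names; declaring them here is what makes
     * them releasable via a service's allowedAttributes.
     */
    public static class CredentialAttributesDao extends AdditionalDescriptorsPersonAttributeDao {
        @Override
        public Set<String> getPossibleUserAttributeNames() {
            return new HashSet<String>(Arrays.asList(LOA_ATTR, CERT_SUBJECT_ATTR));
        }
    }

    private final CredentialsToPrincipalResolver idResolver;   // id-only delegate
    private final IPersonAttributeDao attributeRepository;     // merging DAO that includes CredentialAttributesDao
    private final AdditionalDescriptors descriptors;           // session-scoped Spring proxy

    public CredentialAttributeResolver(final CredentialsToPrincipalResolver idResolver,
                                       final IPersonAttributeDao attributeRepository,
                                       final AdditionalDescriptors descriptors) {
        this.idResolver = idResolver;
        this.attributeRepository = attributeRepository;
        this.descriptors = descriptors;
    }

    public Principal resolvePrincipal(final Credentials credentials) {
        final Principal idOnly = idResolver.resolvePrincipal(credentials);
        if (idOnly == null) {
            return null;
        }
        final String id = idOnly.getId();

        // Populate the holder BEFORE the directory lookup; the descriptors DAO only
        // answers for the name stored here, so a stale name from a previous login
        // in the same session would otherwise yield nothing.
        descriptors.setName(id);
        descriptors.setAttributes(deriveFromCredential(credentials));

        // Flatten Person Directory's multivalued map the way the stock CAS resolver
        // does: single values as the value, multiple values as the list.
        final Map<String, Object> attrs = new HashMap<String, Object>();
        final IPersonAttributes person = attributeRepository.getPerson(id);
        if (person != null && person.getAttributes() != null) {
            for (final Map.Entry<String, List<Object>> e : person.getAttributes().entrySet()) {
                final List<Object> values = e.getValue();
                if (values == null || values.isEmpty()) {
                    continue;
                }
                attrs.put(e.getKey(), values.size() == 1 ? values.get(0) : values);
            }
        }
        return new SimplePrincipal(id, attrs);
    }

    /** Credential-type-to-attribute mapping; the LOA scale ("1", "3") is constructed. */
    static Map<String, List<Object>> deriveFromCredential(final Credentials credentials) {
        final Map<String, List<Object>> out = new HashMap<String, List<Object>>();
        if (credentials instanceof X509CertificateCredentials) {
            final X509Certificate cert = ((X509CertificateCredentials) credentials).getCertificate();
            out.put(LOA_ATTR, Collections.<Object>singletonList("3"));
            out.put(CERT_SUBJECT_ATTR,
                    Collections.<Object>singletonList(cert.getSubjectX500Principal().getName()));
        } else {
            out.put(LOA_ATTR, Collections.<Object>singletonList("1"));
        }
        return out;
    }

    public boolean supports(final Credentials credentials) {
        return idResolver.supports(credentials);
    }
}
```

Two things to check in a real deployment: the delegate wrapped here must be one that resolves the id only, otherwise its own attribute lookup runs before the descriptors are set and the credential-derived values are missing from the first resolution; and if a caching DAO (CachingPersonAttributeDaoImpl) sits above the merging DAO, per-login values such as LOA will be served from cache on later logins, so the credential DAO belongs outside the cached part of the merge.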
