On Thu, Sep 19, 2013 at 5:21 PM, Rich Renomeron - TCG
<[email protected]> wrote:
> Moving to cas-dev, per Bill Thompson's request.
>
> I've opened https://issues.jasig.org/browse/CAS-1357 for this.
>
> For the time being, I've implemented the resolvePrincipal-time solution,
> which I was able to do by extending the
> AdditionalDescriptorsPersonAttributeDao by overriding
> getPossibleUserAttributeNames so that I could release them to services,
> adding a session-scope AttributesHolder into all of my
> CredentialsToPrincipalResolvers.
>
> I think I also learned more about Person Directory than I wanted to know. :)
>
> I poked around for SAML 1.1 standards docs, and I didn't find anything that
> differentiated between "Person Attributes" and "Authentication Attributes"
> like the CAS model does.  Is this violating any design principles by
> attaching credential-derived attributes to the principal?

The SAML1 CAS response is an implementation detail that has little to
do with the standard and certainly nothing to do with interop with
other SAML entities.  If possible I'd recommend you simply go with the
CAS protocol response.

Best,
Bill


>
> Thanks,
> Rich
>
>
> On Tue, Sep 17, 2013 at 12:22 PM, Marvin S. Addison
> <[email protected]> wrote:
>>>
>>> I have a set of attributes that are based on Credentials (e.g. an
>>> internal LOA value based on the credential type, certificate used in
>>> X509 authentication) that I need to have expressed as attributes in the
>>> SAML 1.1 assertion generated by CAS....
>>>
>>>  2. Build a PersonAttributeDao implementation to inject the attributes
>>>     at resolvePrincipal time.
>>
>>
>> We accomplish this via 2. We define a stub LOA attribute with a static DAO
>> implementation then use a merging one to combine the various DAOs. Once we
>> get the attribute definition into the authn pipeline, it's easy to update it
>> with a custom resolver.
>>
>> SAML2 has the AuthnContext slot that is an ideal place to describe things
>> like LOA, but SAML 1.1 afaik only has AuthenticationMethod.
>>
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>
>
> --
> Richard J. Renomeron, Project Lead
> TCG
> Yes, it can be done!
> Tel: (202) 742-8460 | Fax: (202) 986-5532
> Google Talk: [email protected] | AIM: rrenomeronTCG
> OpenPGP Key ID 8CD7CFEB | www.tcg.com
>

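The resolvePrincipal-time approach Rich and Marvin describe, as an added example that is not code from this thread or from the CAS project: a decorating CredentialsToPrincipalResolver that wraps an existing resolver (for example one backed by the Person Directory DAOs) and overlays credential-derived attributes such as a local LOA value and X.509 certificate details. It assumes the CAS 3.x API (CredentialsToPrincipalResolver, SimplePrincipal, X509CertificateCredentials); the attribute names "loa", "certSubjectDN" and "certIssuerDN" and the numeric LOA scheme are assumptions for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

/**
 * Wraps another resolver and attaches credential-derived attributes to the
 * principal it returns. Wire it in place of each existing resolver in the
 * authenticationManager's credentialsToPrincipalResolvers list.
 */
public final class CredentialAttributeDecoratingResolver implements CredentialsToPrincipalResolver {

    private final CredentialsToPrincipalResolver delegate;

    public CredentialAttributeDecoratingResolver(final CredentialsToPrincipalResolver delegate) {
        this.delegate = delegate;
    }

    public boolean supports(final Credentials credentials) {
        return delegate.supports(credentials);
    }

    public Principal resolvePrincipal(final Credentials credentials) {
        final Principal resolved = delegate.resolvePrincipal(credentials);
        if (resolved == null) {
            return null; // delegate could not resolve; never fabricate a principal
        }
        // Copy first: the delegate's attribute map may be unmodifiable.
        final Map<String, Object> attrs = new HashMap<String, Object>(resolved.getAttributes());
        attrs.put("loa", levelOfAssurance(credentials));
        if (credentials instanceof X509CertificateCredentials) {
            final X509Certificate cert = ((X509CertificateCredentials) credentials).getCertificate();
            attrs.put("certSubjectDN", cert.getSubjectX500Principal().getName());
            attrs.put("certIssuerDN", cert.getIssuerX500Principal().getName());
        }
        return new SimplePrincipal(resolved.getId(), attrs);
    }

    /** Assumed local scheme: 2 for a validated X.509 credential, 1 for anything else. */
    private static Integer levelOfAssurance(final Credentials credentials) {
        return (credentials instanceof X509CertificateCredentials) ? Integer.valueOf(2) : Integer.valueOf(1);
    }
}
```

The values are trustworthy only because CAS resolves the principal after the authentication handler has accepted the credential, so the decorator must not be invoked on any other path; release of "loa" and the certificate attributes should still be limited per service through the service registry's allowed attributes.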
