Thanks. I updated the Authentication Manager configuration to read:
<entry key-ref="primaryAuthenticationHandler" value="#{null}" />
I am not sure how I how or where I would "ensure you are pointing to the
correct endpoint for attributes, whether that is SAML or CAS", so I'm not
sure about that
My Authentication Handler is setting attributes using:
final Map<String, Object> attributes = new HashMap<>();
attributes.put("abc", "123");
attributes.put("def", "456");
return createHandlerResult(credential,
this.principalFactory.createPrincipal(username), null);
But I am still getting the username in my Validation Response:
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas";>
<cas:authenticationSuccess>
<cas:user>john</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
Here is my service definiteion:
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^http://localhost/bonfire/cas/.*";,
"name" : "Bonfire Development",
"id" : 10000017,
"description" : "Bonfire Development CAS Single Sign-On 2",
"proxyPolicy" : {
"@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
},
"evaluationOrder" : 0,
"usernameAttributeProvider" : {
"@class" :
"org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "def"
},
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
},
"logoutType" : "BACK_CHANNEL"
Here is my entire deployerConfigContext.xml;
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:p="http://www.springframework.org/schema/p";
xmlns:c="http://www.springframework.org/schema/c";
xmlns:tx="http://www.springframework.org/schema/tx";
xmlns:util="http://www.springframework.org/schema/util";
xmlns:sec="http://www.springframework.org/schema/security";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd";>
<bean id="authenticationManager"
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
<constructor-arg>
<map>
<entry key-ref="proxyAuthenticationHandler"
value-ref="proxyPrincipalResolver" />
<entry key-ref="primaryAuthenticationHandler"
value="#{null}" />
</map>
</constructor-arg>
<property name="authenticationPolicy">
<bean
class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
</property>
</bean>
<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler"
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/>
<property name="url"
value="jdbc:jtds:sqlserver://localhost/Bonfire;integrated security=false"/>
<property name="username" value="xxxxx"/>
<property name="password" value="xxxxxxxxxxxx"/>
</bean>
<bean id="primaryAuthenticationHandler"
class="org.jasig.cas.adaptors.jdbc.BonfireAuthenticationHandler"
p:dataSource-ref="dataSource"
p:sql="EXEC dbo.LoginAuthenticateCAS ?, ?, ?"
/>
<!-- Required for proxy ticket mechanism -->
<bean id="proxyPrincipalResolver"
class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
<bean id="primaryPrincipalResolver"
class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
p:principalFactory-ref="principalFactory" />
<bean id="serviceRegistryDao"
class="org.jasig.cas.services.JsonServiceRegistryDao"
c:configDirectory="${service.registry.config.location:classpath:services}"
/>
<bean id="auditTrailManager"
class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
<bean id="healthCheckMonitor"
class="org.jasig.cas.monitor.HealthCheckMonitor"
p:monitors-ref="monitorsList" />
<util:list id="monitorsList">
<bean class="org.jasig.cas.monitor.MemoryMonitor"
p:freeMemoryWarnThreshold="10" />
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</util:list>
</beans>
On Wed, Jan 6, 2016 at 2:54 PM, Misagh Moayyed <[email protected]> wrote:
> You do not need to define an attribute repository at all. Your attribute
> repository *is* your handler, since it’s acting as a repository of user
> attributes for you. (It is possible to merge the attributes your handler
> returns and the attributes of a separate repository, but I don’t think you
> want that in this case)
>
>
>
> So, you need to ensure:
>
>
>
> 1. Your attribute repository is nulled out, and its associated
> resolver is nulled out. See
> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>
> 2. You need to ensure you are pointing to the correct endpoint for
> attributes, whether that is SAML or CAS.
>
>
>
> If none of that works, change your log levels for org.jasig.cas to DEBUG
> and that should tell you the full story.
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *John
> Bruestle
> *Sent:* Wednesday, January 6, 2016 12:14 PM
> *To:* Misagh Moayyed <[email protected]>
> *Cc:* CAS Community <[email protected]>
>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> I wasn't erally expecting to change the username provided, although that
> would be OK. I was just expecting to add an other data item to what the
> validation response returnd.
>
>
>
> Anyway, I tried changing to:
>
>
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>
> "usernameAttribute" : "def"
>
> },
>
> "attributeReleasePolicy" : {
>
> "@class" :
> "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>
> "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "abc", "def" ] ]
>
> },
>
>
>
> And I am still not seeing the test "def" attribute I created in my
> Authentication Handler by going:
>
>
>
> final Map<String, Object> attributes = new
> HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
>
>
> I do wonder if I am suppose to be defining a different attribute
> repository. Right now my deployerConfigContext.xml contains:
>
>
>
> <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
>
> p:backingMap-ref="attrRepoBackingMap" />
>
>
>
> <util:map id="attrRepoBackingMap">
>
> <entry key="uid" value="uid" />
>
> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>
> <entry key="groupMembership" value="groupMembership" />
>
> <entry>
>
> <key><value>memberOf</value></key>
>
> <list>
>
> <value>faculty</value>
>
> <value>staff</value>
>
> <value>org</value>
>
> </list>
>
> </entry>
>
> </util:map>
>
>
>
>
>
>
>
> On Wed, Jan 6, 2016 at 2:01 AM, Misagh Moayyed <[email protected]>
> wrote:
>
> Because you told your service to use the default CAS behavior when
> returning usernames, via: "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>
> You never told it which attribute should be used as the username. It
> cannot know that without your direct instructions.
>
>
>
> If you go back to the original link I sent you, that should help describe
> what options are available for providing usernames for registered services.
> Pick the one that works on an attribute.
>
>
>
> *From:* John Bruestle [mailto:[email protected]]
> *Sent:* Tuesday, January 5, 2016 3:19 PM
> *To:* CAS Community <[email protected]>
> *Cc:* [email protected]
>
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> Thank you for your help. I think I am getting closer:
>
>
>
> As a test, I changed the bottom of my AuthenticationHandler to:
>
>
>
> final Map<String, Object> attributes = new
> HashMap<>();
>
> attributes.put("abc", "123");
>
> attributes.put("def", "456");
>
>
>
> return createHandlerResult(credential,
> this.principalFactory.createPrincipal(username,attributes), null)
>
>
>
> And I updated the service definition to:
>
>
>
> {
>
> "@class" : "org.jasig.cas.services.RegexRegisteredService",
>
> "serviceId" : "^http://localhost/bonfire/cas/.*";,
>
> "name" : "Bonfire Development",
>
> "id" : 10000017,
>
> "description" : "Bonfire Development CAS Single Sign-On",
>
> "proxyPolicy" : {
>
> "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>
> },
>
> "evaluationOrder" : 0,
>
> "usernameAttributeProvider" : {
>
> "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>
> },
>
> "logoutType" : "BACK_CHANNEL",
>
> "attributeReleasePolicy" : {
>
> "@class" : "org.jasig.cas.services.*ReturnAllAttributeReleasePolic*y"
>
> },
>
> "accessStrategy" : {
>
> "@class" :
> "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>
> "enabled" : true,
>
> "ssoEnabled" : true
>
> }
>
> }
>
>
>
> Only problem is that I am still just seeing only the the "user" attribute
> in the validation response. Is there something more I need to configure?
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Tuesday, January 5, 2016 at 1:16:21 PM UTC-5, Misagh Moayyed wrote:
>
> Since you are on 4.1, your authentication handler is able to create the
> principal with all the attributes it needs. So, as long as your handler is
> stuffing that attribute into the final Principal that is created, you
> should be able to dictate to a service that the attribute should be used in
> the final response.
>
>
>
> See this as an example of how LDAP AuthN adds attributes:
>
>
> https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L196
>
>
>
> Have yours do the same. You simply need to decide what the attribute name
> should be, and stuff it into a map that the principal carries for
> attributes.
>
>
>
> This is also relevant:
>
>
> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>
>
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>]
> *On Behalf Of *John Bruestle
> *Sent:* Tuesday, January 5, 2016 11:11 AM
> *To:* CAS Community <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [cas-user] Returning userid in Validation Response
>
>
>
> Thanks. Yes, that tells me how to configure the response so it will show
> the specific attributes I want, but it doesn't tell me how to create the
> attributes. In my case, I'm getting a userid returned by the store
> procedure I'm calling in my AuthenticationHandler, when authenticating.
> I'd like to add code there, at the point that I know the userid, to store
> (resolve?) it as an attribute. How do I do that?
>
>
>
>
>
> On Tuesday, January 5, 2016 at 12:28:38 PM UTC-5, Misagh Moayyed wrote:
>
> See if this helps:
>
> https://jasig.github.io/cas/4.1.x/integration/Attribute-Release.html
>
>
>
> Section “Principal-Id Attribute”.
>
>
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>]
> *On Behalf Of *John Bruestle
> *Sent:* Tuesday, January 5, 2016 9:02 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Returning userid in Validation Response
>
>
>
> My system's usernames used for logins are not the same as the unique
> userid's used by the database. In fact, usernames aren't necessarily
> unique and sometimes require the password to determine the specific
> userid. I need my validation response to return the userid.
>
>
>
> I already have a custom AuthenticationHandler, which implements
> AbstractJdbcUsernamePasswordAuthenticationHandler, that is correctly
> authenticating using a MSSQL stored procedure. One of the byproducts of
> calling the procedure is the userid, so that in the AuthenticationHandler
> we do know what the userid is.
>
>
>
> From my reading, it seems that there may be a way to store the userid away
> as an attribute, which could later be used as part of the validation
> response. I'm stuck however trying to figure out how to do this. I would
> appreciate some pointers, especially if they came with the specific XML
> files I need to modify and the functions I should call from within my
> AuthenticationHandler to store the attribute.
>
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
>
>
>
>
> --
>
> John Bruestle
> [email protected]
> (609) 737-7250
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>
--
John Bruestle
[email protected]
(609) 737-7250
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
