Are you manually calling the CAS server validation endpoint or using a CAS client library? In other words - how do you get that validation XML response that you are showing?

A few pointers - for validation, CAS4 has 4 (I believe, off the top of my head):

1) Legacy: /validate
2) CAS2 protocol: /serviceValidate
3) CAS3 protocol: /p3/serviceValidate
4) SAML: /samlValidate

There is also proxy validation stuff, but let's skip that for this conversation. Attributes in the validation response are only supported by the SAML and p3 endpoints. I think you'd need to make sure you configure your CAS client library to use that. And I only know that the latest CAS Java client supports p3 validation, but have no idea of any other client libraries updated to support that.

Hope that gives you a few more pointers.

Best,
Dmitriy.

Sent from my iPhone

> On Jan 6, 2016, at 16:34, John Bruestle <[email protected]> wrote:
>
> Thanks. I updated the Authentication Manager configuration to read:
>
>     <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
>
> I am not sure how or where I would "ensure you are pointing to the
> correct endpoint for attributes, whether that is SAML or CAS", so I'm not
> sure about that.
>
> My Authentication Handler is setting attributes using:
>
>     final Map<String, Object> attributes = new HashMap<>();
>     attributes.put("abc", "123");
>     attributes.put("def", "456");
>     return createHandlerResult(credential,
>             this.principalFactory.createPrincipal(username), null);
>
> But I am still getting the username in my Validation Response:
>
>     <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>         <cas:authenticationSuccess>
>             <cas:user>john</cas:user>
>         </cas:authenticationSuccess>
>     </cas:serviceResponse>
>
> Here is my service definition:
>
>     {
>       "@class" : "org.jasig.cas.services.RegexRegisteredService",
>       "serviceId" : "^http://localhost/bonfire/cas/.*",
>       "name" : "Bonfire Development",
>       "id" : 10000017,
>       "description" : "Bonfire Development CAS Single Sign-On 2",
>       "proxyPolicy" : {
>         "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>       },
>       "evaluationOrder" : 0,
>       "usernameAttributeProvider" : {
>         "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>         "usernameAttribute" : "def"
>       },
>       "attributeReleasePolicy" : {
>         "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
>       },
>       "logoutType" : "BACK_CHANNEL"
>
> Here is my entire deployerConfigContext.xml:
>
>     <?xml version="1.0" encoding="UTF-8"?>
>
>     <beans xmlns="http://www.springframework.org/schema/beans"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xmlns:p="http://www.springframework.org/schema/p"
>            xmlns:c="http://www.springframework.org/schema/c"
>            xmlns:tx="http://www.springframework.org/schema/tx"
>            xmlns:util="http://www.springframework.org/schema/util"
>            xmlns:sec="http://www.springframework.org/schema/security"
>            xsi:schemaLocation="http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd
>            http://www.springframework.org/schema/tx
>            http://www.springframework.org/schema/tx/spring-tx.xsd
>            http://www.springframework.org/schema/security
>            http://www.springframework.org/schema/security/spring-security.xsd
>            http://www.springframework.org/schema/util
>            http://www.springframework.org/schema/util/spring-util.xsd">
>
>         <bean id="authenticationManager"
>               class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
>             <constructor-arg>
>                 <map>
>                     <entry key-ref="proxyAuthenticationHandler"
>                            value-ref="proxyPrincipalResolver" />
>                     <entry key-ref="primaryAuthenticationHandler" value="#{null}" />
>                 </map>
>             </constructor-arg>
>
>             <property name="authenticationPolicy">
>                 <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
>             </property>
>         </bean>
>
>         <!-- Required for proxy ticket mechanism. -->
>         <bean id="proxyAuthenticationHandler"
>               class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>               p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
>
>         <bean id="dataSource"
>               class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>             <property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver"/>
>             <property name="url" value="jdbc:jtds:sqlserver://localhost/Bonfire;integrated security=false"/>
>             <property name="username" value="xxxxx"/>
>             <property name="password" value="xxxxxxxxxxxx"/>
>         </bean>
>
>         <bean id="primaryAuthenticationHandler"
>               class="org.jasig.cas.adaptors.jdbc.BonfireAuthenticationHandler"
>               p:dataSource-ref="dataSource"
>               p:sql="EXEC dbo.LoginAuthenticateCAS ?, ?, ?" />
>
>         <!-- Required for proxy ticket mechanism -->
>         <bean id="proxyPrincipalResolver"
>               class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
>
>         <bean id="primaryPrincipalResolver"
>               class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
>               p:principalFactory-ref="principalFactory" />
>
>         <bean id="serviceRegistryDao"
>               class="org.jasig.cas.services.JsonServiceRegistryDao"
>               c:configDirectory="${service.registry.config.location:classpath:services}" />
>
>         <bean id="auditTrailManager"
>               class="org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>
>         <bean id="healthCheckMonitor"
>               class="org.jasig.cas.monitor.HealthCheckMonitor"
>               p:monitors-ref="monitorsList" />
>
>         <util:list id="monitorsList">
>             <bean class="org.jasig.cas.monitor.MemoryMonitor"
>                   p:freeMemoryWarnThreshold="10" />
>             <bean class="org.jasig.cas.monitor.SessionMonitor"
>                   p:ticketRegistry-ref="ticketRegistry"
>                   p:serviceTicketCountWarnThreshold="5000"
>                   p:sessionCountWarnThreshold="100000" />
>         </util:list>
>     </beans>
>
>> On Wed, Jan 6, 2016 at 2:54 PM, Misagh Moayyed <[email protected]> wrote:
>>
>> You do not need to define an attribute repository at all. Your attribute
>> repository is your handler, since it's acting as a repository of user
>> attributes for you. (It is possible to merge the attributes your handler
>> returns and the attributes of a separate repository, but I don't think you
>> want that in this case.)
>>
>> So, you need to ensure:
>>
>> 1. Your attribute repository is nulled out, and its associated
>>    resolver is nulled out. See
>>    https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>>
>> 2. You need to ensure you are pointing to the correct endpoint for
>>    attributes, whether that is SAML or CAS.
>>
>> If none of that works, change your log levels for org.jasig.cas to DEBUG and
>> that should tell you the full story.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle
>> Sent: Wednesday, January 6, 2016 12:14 PM
>> To: Misagh Moayyed <[email protected]>
>> Cc: CAS Community <[email protected]>
>> Subject: Re: [cas-user] Returning userid in Validation Response
>>
>> I wasn't really expecting to change the username provided, although that
>> would be OK. I was just expecting to add another data item to what the
>> validation response returned.
>>
>> Anyway, I tried changing to:
>>
>>     "usernameAttributeProvider" : {
>>       "@class" : "org.jasig.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>>       "usernameAttribute" : "def"
>>     },
>>     "attributeReleasePolicy" : {
>>       "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>>       "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "abc", "def" ] ]
>>     },
>>
>> And I am still not seeing the test "def" attribute I created in my
>> Authentication Handler by going:
>>
>>     final Map<String, Object> attributes = new HashMap<>();
>>     attributes.put("abc", "123");
>>     attributes.put("def", "456");
>>
>> I do wonder if I am supposed to be defining a different attribute repository.
>> Right now my deployerConfigContext.xml contains:
>>
>>     <bean id="attributeRepository"
>>           class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"
>>           p:backingMap-ref="attrRepoBackingMap" />
>>
>>     <util:map id="attrRepoBackingMap">
>>         <entry key="uid" value="uid" />
>>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>>         <entry key="groupMembership" value="groupMembership" />
>>         <entry>
>>             <key><value>memberOf</value></key>
>>             <list>
>>                 <value>faculty</value>
>>                 <value>staff</value>
>>                 <value>org</value>
>>             </list>
>>         </entry>
>>     </util:map>
>>
>> On Wed, Jan 6, 2016 at 2:01 AM, Misagh Moayyed <[email protected]> wrote:
>>
>> Because you told your service to use the default CAS behavior when returning
>> usernames, via:
>>
>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>
>> You never told it which attribute should be used as the username. It cannot
>> know that without your direct instructions.
>>
>> If you go back to the original link I sent you, that should help describe
>> what options are available for providing usernames for registered services.
>> Pick the one that works on an attribute.
>>
>> From: John Bruestle [mailto:[email protected]]
>> Sent: Tuesday, January 5, 2016 3:19 PM
>> To: CAS Community <[email protected]>
>> Cc: [email protected]
>> Subject: Re: [cas-user] Returning userid in Validation Response
>>
>> Thank you for your help. I think I am getting closer:
>>
>> As a test, I changed the bottom of my AuthenticationHandler to:
>>
>>     final Map<String, Object> attributes = new HashMap<>();
>>     attributes.put("abc", "123");
>>     attributes.put("def", "456");
>>
>>     return createHandlerResult(credential,
>>             this.principalFactory.createPrincipal(username, attributes), null);
>>
>> And I updated the service definition to:
>>
>>     {
>>       "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>       "serviceId" : "^http://localhost/bonfire/cas/.*",
>>       "name" : "Bonfire Development",
>>       "id" : 10000017,
>>       "description" : "Bonfire Development CAS Single Sign-On",
>>       "proxyPolicy" : {
>>         "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
>>       },
>>       "evaluationOrder" : 0,
>>       "usernameAttributeProvider" : {
>>         "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>       },
>>       "logoutType" : "BACK_CHANNEL",
>>       "attributeReleasePolicy" : {
>>         "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy"
>>       },
>>       "accessStrategy" : {
>>         "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>>         "enabled" : true,
>>         "ssoEnabled" : true
>>       }
>>     }
>>
>> Only problem is that I am still just seeing the "user" attribute in
>> the validation response. Is there something more I need to configure?
>>
>> On Tuesday, January 5, 2016 at 1:16:21 PM UTC-5, Misagh Moayyed wrote:
>>
>> Since you are on 4.1, your authentication handler is able to create the
>> principal with all the attributes it needs. So, as long as your handler is
>> stuffing that attribute into the final Principal that is created, you should
>> be able to dictate to a service that the attribute should be used in the
>> final response.
>>
>> See this as an example of how LDAP AuthN adds attributes:
>> https://github.com/Jasig/cas/blob/4.1.x/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/LdapAuthenticationHandler.java#L196
>>
>> Have yours do the same. You simply need to decide what the attribute name
>> should be, and stuff it into a map that the principal carries for attributes.
>>
>> This is also relevant:
>> https://jasig.github.io/cas/4.1.x/installation/Configuring-Principal-Resolution.html#principalresolver-vs-authenticationhandler
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle
>> Sent: Tuesday, January 5, 2016 11:11 AM
>> To: CAS Community <[email protected]>
>> Cc: [email protected]
>> Subject: Re: [cas-user] Returning userid in Validation Response
>>
>> Thanks. Yes, that tells me how to configure the response so it will show
>> the specific attributes I want, but it doesn't tell me how to create the
>> attributes. In my case, I'm getting a userid returned by the stored
>> procedure I'm calling in my AuthenticationHandler, when authenticating. I'd
>> like to add code there, at the point that I know the userid, to store
>> (resolve?) it as an attribute. How do I do that?
>>
>> On Tuesday, January 5, 2016 at 12:28:38 PM UTC-5, Misagh Moayyed wrote:
>>
>> See if this helps:
>> https://jasig.github.io/cas/4.1.x/integration/Attribute-Release.html
>>
>> Section "Principal-Id Attribute".
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of John Bruestle
>> Sent: Tuesday, January 5, 2016 9:02 AM
>> To: CAS Community <[email protected]>
>> Subject: [cas-user] Returning userid in Validation Response
>>
>> My system's usernames used for logins are not the same as the unique
>> userids used by the database. In fact, usernames aren't necessarily unique
>> and sometimes require the password to determine the specific userid. I need
>> my validation response to return the userid.
>>
>> I already have a custom AuthenticationHandler, which implements
>> AbstractJdbcUsernamePasswordAuthenticationHandler, that is correctly
>> authenticating using a MSSQL stored procedure. One of the byproducts of
>> calling the procedure is the userid, so that in the AuthenticationHandler we
>> do know what the userid is.
>>
>> From my reading, it seems that there may be a way to store the userid away
>> as an attribute, which could later be used as part of the validation
>> response. I'm stuck, however, trying to figure out how to do this. I would
>> appreciate some pointers, especially if they came with the specific XML
>> files I need to modify and the functions I should call from within my
>> AuthenticationHandler to store the attribute.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>>
>> --
>>
>> John Bruestle
>> [email protected]
>> (609) 737-7250
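Added example, not code from this thread or from the CAS project: a CAS 4.1 handler in the shape the thread is working toward, where the attribute map is actually passed to createPrincipal, so a PrincipalAttributeRegisteredServiceUsernameProvider with "usernameAttribute" : "userid" and the release policy have something to return on /p3/serviceValidate (note that the handler quoted at the top of the thread builds the map but calls createPrincipal(username) without it). The stored procedure name, its two parameters and the "userid" column it returns are assumptions.

```java
import java.security.GeneralSecurityException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import org.jasig.cas.adaptors.jdbc.AbstractJdbcUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.HandlerResult;
import org.jasig.cas.authentication.PreventedException;
import org.jasig.cas.authentication.UsernamePasswordCredential;
import org.springframework.dao.DataAccessException;
import org.springframework.dao.IncorrectResultSizeDataAccessException;

/**
 * Example handler (not the thread's BonfireAuthenticationHandler). Assumes a
 * stored procedure that takes username and password as bound parameters and
 * returns exactly one row with a "userid" column when the pair is valid.
 */
public class ExampleUseridReleasingHandler extends AbstractJdbcUsernamePasswordAuthenticationHandler {
    /** Assumed procedure; override it from deployerConfigContext.xml via p:sql. */
    private String sql = "EXEC dbo.ExampleAuthenticate ?, ?";

    public void setSql(final String sql) {
        this.sql = sql;
    }

    @Override
    protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
            throws GeneralSecurityException, PreventedException {
        final String username = credential.getUsername();
        // Bound parameters only: never concatenate the credential into the SQL text.
        final String encoded = getPasswordEncoder().encode(credential.getPassword());
        final Map<String, Object> row;
        try {
            row = getJdbcTemplate().queryForMap(this.sql, username, encoded);
        } catch (final IncorrectResultSizeDataAccessException e) {
            // No row: rejected credentials. Several rows: ambiguous, so fail closed too.
            throw new FailedLoginException("Authentication failed for " + username);
        } catch (final DataAccessException e) {
            throw new PreventedException("SQL error while authenticating " + username, e);
        }

        // Whatever goes into this map becomes a principal attribute; the service's
        // usernameAttributeProvider and attributeReleasePolicy then select from it.
        final Map<String, Object> attributes = new HashMap<>();
        attributes.put("userid", String.valueOf(row.get("userid")));

        // Pass the map here: createPrincipal(username) alone discards it.
        return createHandlerResult(credential,
                this.principalFactory.createPrincipal(username, attributes), null);
    }
}
```

With the attribute on the principal, validating against /serviceValidate still yields only cas:user; as Dmitriy notes, the client has to call /p3/serviceValidate (or /samlValidate) to see the attribute block.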
