If you want to release attributes under CAS 2.0 protocol, here
(https://kogentadono.com/2017/08/30/attribute-release-cas-5-1-x-for-cas-2-0-protocol/)
is a post I wrote up a while back.

Also, attached is the file you'll need to put in your war overlay to make
release work.  It should live in src/main/resources/templates/protocol/2.0

--Mike K.



On Mon, Feb 26, 2018 at 9:30 AM, Ray Bon <r...@uvic.ca> wrote:

> Toby,
>
> It looks like your client is using CAS 2.0 protocol.
> Attribute release can be done with SAML 1.1 and CAS 3.0 protocol.
>
> Ray
>
> On Mon, 2018-02-26 at 07:41 -0800, Toby Archer wrote:
>
> With the addition of those loggers and a little tweaking I got some info
> that should be useful. Firstly:
>
> 2018-02-26 15:36:46,731 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnAllowedAttributeReleasePolicy] to process attributes for [toben.archer]>
> 2018-02-26 15:36:46,731 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnAllowedAttributeReleasePolicy] allows release of [{}] for [toben.archer]>
> 2018-02-26 15:36:46,732 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
> 2018-02-26 15:36:46,732 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
> 2018-02-26 15:36:46,733 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
> 2018-02-26 15:36:46,733 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[cn, givenName, uid, affiliation, mail]]>
> 2018-02-26 15:36:46,733 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [cn]>
> 2018-02-26 15:36:46,734 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [givenName]>
> 2018-02-26 15:36:46,744 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [uid]>
> 2018-02-26 15:36:46,744 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: [mail]>
> 2018-02-26 15:36:46,745 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{cn=[Toben Archer, Toben D Archer], givenName=Toben, mail=toben.arc...@usd.edu, uid=uid}]>
> 2018-02-26 15:36:46,745 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
> 2018-02-26 15:36:46,745 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
> 2018-02-26 15:36:46,746 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{cn=[Toben Archer, Toben D Archer], givenName=Toben, mail=toben.arc...@usd.edu, uid=uid}]>
>
> That looks good! That looks like everything I wanted it to say. Except this
> part "Attribute policy [ReturnAllowedAttributeReleasePolicy] allows
> release of [{}] for [toben.archer]" seems to contradict this part "Final
> collection of attributes allowed are: [{cn=[Toben Archer, Toben D Archer],
> givenName=Toben, mail=toben.arc...@usd.edu, uid=uid}]". But anyway, it
> looks like the attributes that I should be seeing in my CAS request are
> there; cn, givenName, and mail all look right (uid=uid is wrong, but it
> should at least be present).
>
> I had some concern that maybe something was going wrong in my library, so
> I tweaked it to give me the raw XML output:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>toben.archer</cas:user>
>         </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> The attributes should be in this xml right?
>
> On Friday, February 23, 2018 at 4:28:55 PM UTC-6, rbon wrote:
>
> In the project in etc/cas/config there is a log4j.xml.
>
> When you say 'gradle to build CAS' do you mean the
> cas-gradle-overlay-template or cas proper? Use an overlay unless you are
> planning on developing CAS. https://github.com/apereo/
>
> Ray
>
> On Fri, 2018-02-23 at 13:57 -0800, Toby Archer wrote:
>
> That sounds like a good idea. Pardon my ignorance, but I'm not sure where
> to place those logger definitions. I'm using gradle to build CAS and I
> don't see any xml files in the build process or in the configuration files.
>
> On Friday, February 23, 2018 at 3:39:31 PM UTC-6, rbon wrote:
>
> Toby,
>
> You may need to adjust your service (service registry) to allow the
> attributes to be released.
> These log settings may be useful:
>         <!-- WARN DN resolution failed    - TODO investigate this
>                   Requested LDAP attribute [???] ... -->
>         <AsyncLogger name="org.apereo.cas.authentication.LdapAuthenticationHandler" level="debug" />
>
>         <!-- DEBUG Found principal attributes [...] for [username]
>                    Attribute policy [???] allows release of [...] for [username]
>                    Final collection of attributes allowed are: [...] -->
>         <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
>
> Ray
>
> On Fri, 2018-02-23 at 12:36 -0800, Toby Archer wrote:
>
> I'm trying to figure out how to do attribute release and haven't gotten
> anywhere. I've read all the pages like this one:
> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html
> and tried searching this mailing list and followed instructions like in
> this one:
> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/attribute/cas-user/VVaONIp1Ts0/Hedpv2uGAwAJ
>
> Right now I'm using ldap for both authentication and attributes. The
> relevant part of my cas.properties file looks like this:
>
> # LDAP Auth
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://usd-ldap.usd.edu
> cas.authn.ldap[0].baseDn=o=usd.edu
> cas.authn.ldap[0].userFilter=uid=%u
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].bindDn=cn=Directory Manager
> cas.authn.ldap[0].bindCredential=password
> cas.authn.ldap[0].userFilter=uid={user}
> cas.authn.ldap[0].dnFormat=uid=%s,ou=people
> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
> cas.authn.ldap[0].keyStorePassword=password
> cas.authn.ldap[0].name=dev-ldap7-1
>
> cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
> cas.authn.ldap[0].principalAttributeList=cn,sn,mail
>
> cas.authn.attributeRepository.defaultAttributesToRelease=cn,sn,mail
>
> cas.authn.attributeRepository.stub.attributes.uid=uid
> cas.authn.attributeRepository.stub.attributes.displayName=displayName
> cas.authn.attributeRepository.stub.attributes.cn=commonName
>
> cas.authn.attributeRepository.ldap[0].type=AUTHENTICATED
> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://usd-ldap.usd.edu
> cas.authn.attributeRepository.ldap[0].baseDn=o=usd.edu
> cas.authn.attributeRepository.ldap[0].userFilter=uid=%u
> cas.authn.attributeRepository.ldap[0].subtreeSearch=true
> cas.authn.attributeRepository.ldap[0].bindDn=cn=Directory Manager
> cas.authn.attributeRepository.ldap[0].bindCredential=password
> cas.authn.attributeRepository.ldap[0].userFilter=uid={user}
> cas.authn.attributeRepository.ldap[0].dnFormat=uid=%s,uo=people
> cas.authn.attributeRepository.ldap[0].keystore=file:/etc/cas/thekeystore
> cas.authn.attributeRepository.ldap[0].keyStorePassword=password
> cas.authn.attributeRepository.ldap[0].name=dev-ldap7-1
>
> cas.authn.attributeRepository.ldap[0].uid=uid
> cas.authn.attributeRepository.ldap[0].displayName=displayName
> cas.authn.attributeRepository.ldap[0].cn=commonName
> cas.authn.attributeRepository.ldap[0].mail=mail
> cas.authn.attributeRepository.ldap[0].sn=sn
>
> There are configurations for a couple of different attempts, but
> regardless of what I do I get back no attributes. The docs talk about the
> personDirectory but either don't give instructions on how to configure it
> or give instructions for CAS 4. I'm at a bit of a loss on what to do. Any
> advice out there?
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/1519666220.1801.11.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1519666220.1801.11.camel%40uvic.ca?utm_medium=email&utm_source=footer>
> .
>

[[${principal.id}]]
<[[${#strings.prepend(key, 'cas:')}]]>[[${remBothBraces}]]<[[${#strings.prepend(key, '/cas:')}]]> <[[${#strings.prepend(key, 'cas:')}]]>[[${value}]]<[[${#strings.prepend(key, '/cas:')}]]>
[[${pgtIou}]] [[${proxy.principal.id}]]
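
A client-side check for the situation in this thread, where the server log lists released attributes but the validation response carries only cas:user. This is an added example, not code from the thread or from the CAS project: the function names are hypothetical, the first sample is the response Toby posted, and the second is a constructed response with a cas:attributes block.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used in the thread's response

# Response body as posted in the thread (indentation tidied): user only.
CAS20_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>toben.archer</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a response that carries a <cas:attributes> block.
CAS30_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>toben.archer</cas:user>
        <cas:attributes>
            <cas:cn>Toben Archer</cas:cn>
            <cas:cn>Toben D Archer</cas:cn>
            <cas:givenName>Toben</cas:givenName>
            <cas:mail>toben.archer@example.org</cas:mail>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_service_response(xml_text):
    """Return (user, {attribute: [values]}) or raise on a failed validation."""
    # A validation response never needs a DTD; refuse one before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a CAS response")
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        failure = root.find(CAS_NS + "authenticationFailure")
        code = failure.get("code") if failure is not None else "unknown"
        raise PermissionError("ticket validation failed: " + str(code))
    user = (success.findtext(CAS_NS + "user") or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without cas:user")
    attrs = {}
    block = success.find(CAS_NS + "attributes")
    for el in (block if block is not None else ()):
        # Repeated elements (two cn values here) are multi-valued attributes.
        attrs.setdefault(el.tag.replace(CAS_NS, "", 1), []).append((el.text or "").strip())
    return user, attrs


def missing_attributes(xml_text, expected):
    """Names from `expected` that the response did not release."""
    _, attrs = parse_service_response(xml_text)
    return sorted(set(expected) - set(attrs))
```

Run against the posted response, missing_attributes reports cn, givenName and mail as absent even though the release-policy log shows them as allowed, which points at the protocol view rather than the attribute repository.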
