Hi Jérôme,

I am using the JSON service registry. The service is registered as

{
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
    "name" : "testClient01",
    "id" : 1,
    "evaluationOrder" : 10,
    "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
    },
    "usernameAttributeProvider" : {
        "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
        "canonicalizationMode" : "NONE"
    }
}

So I believe the correct attribute release policy is in place to release all
attributes to the service.

The CAS log file contains this WARN message:

2018-03-24 10:02:59,411 WARN [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] -
<Principal [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==]
does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among attributes [{}]
so CAS cannot provide the user attribute the service expects.
CAS will instead return the default principal id
[AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==].
Ensure the attribute selected as the username is allowed to be released by the
service attribute release policy.>

So CAS thinks there is no attribute "urn:oid:0.9.2342.19200300.100.1.1", but
earlier in the log file pac4j logs

2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - <profile: #SAML2Profile#
| id: AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==
| attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skoranda@gmail.com], mail=[skora...@gmail.com],
urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott],
urn:oid:2.5.4.42=[Scott], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda],
urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.koranda@sphericalcowgroup.com],
notOnOrAfter=2018-03-24T10:07:57.588Z, eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com],
urn:oid:2.5.4.4=[Koranda], sn=[Koranda], sessionindex=_0572dab54bff96c199e29f058aae9302}
| roles: [] | permissions: [] | isRemembered: false | clientName: null | linkedId: null |>

where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
be populated.

Am I missing something in my JSON service configuration?

Again this is for version 5.1.3.

Thanks,

Scott K
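As an added illustration (not code from this thread, from CAS or from pac4j), a small Python check that does mechanically what the message above does by eye: it parses the attributes map out of the pac4j SAML2Client profile DEBUG line and the wanted attribute plus CAS-side attribute map out of the PrincipalAttributeRegisteredServiceUsernameProvider WARN, then reports which layer the attribute was lost in. The two log lines are constructed to mirror the ones quoted above, with the transient NameID replaced by a placeholder and the attribute list shortened.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the two entries quoted in the thread; the
# transient NameID is replaced by a placeholder and the attribute list shortened.
PAC4J_LINE = (
    "2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - <profile: "
    "#SAML2Profile# | id: NAMEID-PLACEHOLDER | attributes: {urn:oid:0.9.2342.19200300"
    ".100.1.1=[scott.koranda], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda]}"
    " | roles: [] | permissions: [] |>"
)
CAS_WARN_LINE = (
    "2018-03-24 10:02:59,411 WARN [org.apereo.cas.services."
    "PrincipalAttributeRegisteredServiceUsernameProvider] - <Principal [NAMEID-PLACEHOLDER]"
    " does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among attributes"
    " [{}] so CAS cannot provide the user attribute the service expects.>"
)

# One key=value entry of the pac4j map: a bracketed list, or a bare scalar such as
# the notBefore/notOnOrAfter timestamps.
_ENTRY = re.compile(r"([^\s=,{]+)=(\[[^\]]*\]|[^,}]+)")

def parse_pac4j_attributes(line: str) -> Dict[str, List[str]]:
    """Attributes map from a pac4j SAML2Client profile DEBUG line."""
    m = re.search(r"attributes:\s*\{(.*?)\}\s*\|", line)
    attrs: Dict[str, List[str]] = {}
    for key, raw in _ENTRY.findall(m.group(1) if m else ""):
        vals = raw[1:-1].split(",") if raw.startswith("[") else [raw]
        attrs[key] = [v.strip() for v in vals if v.strip()]
    return attrs

def parse_cas_username_warn(line: str) -> Optional[Dict[str, str]]:
    """Wanted attribute name and CAS-side attribute map from the username-provider WARN."""
    m = re.search(r"does not have an attribute \[([^\]]+)\] among attributes \[(\{.*?\})\]", line)
    return {"wanted": m.group(1), "cas_attrs": m.group(2)} if m else None

def diagnose(pac4j_line: str, warn_line: str) -> str:
    """Locate the layer where the username attribute was lost."""
    warn = parse_cas_username_warn(warn_line)
    if warn is None:
        return "no username-provider WARN"
    wanted, pac4j = warn["wanted"], parse_pac4j_attributes(pac4j_line)
    if wanted not in pac4j:
        return "idp"          # the IdP never asserted it; nothing downstream can help
    if warn["cas_attrs"] == "{}":
        return "pac4j->cas"   # asserted, but the CAS principal has no attributes at all
    return "release-policy"   # reached CAS; check the service attribute release policy
```

For the two lines above the result is "pac4j->cas": the attribute is present in the pac4j profile while the CAS principal's map is empty, so the service's attribute release policy is not where it went missing.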

> Hi,
> 
> The behavior is to create the CAS principal and attributes from the pac4j
> principal and attributes. So you should get the pac4j attributes at the end.
> Ignore the log about the ClientCredential, the toString method just outputs
> the id (not the attributes).
> 
> Is the service configured properly (with ReturnAllAttributeReleasePolicy
> for example)?
> 
> Thanks.
> Best regards,
> Jérôme
> 
> 
> On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda <skora...@gmail.com> wrote:
> 
> > Hi,
> >
> > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > depending on the issue of which binding is being used for the
> > <AuthnRequest>, as detailed in an earlier note to this list).
> >
> > I am delegating authentication to a SAML2 IdP using pac4j.
> >
> > After a successful authentication I see in cas.log
> >
> > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
> > <profile: #SAML2Profile# | id: AAdzZWNyZXQxQJ7RzalR0+
> > OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUh
> > ElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E
> > 8uqJp0pzRmivQ== |
> > attributes:
> > {urn:oid:0.9.2342.19200300.100.1.3=[skora...@gmail.com], mail=[
> > skora...@gmail.com],
> > urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott
> > Koranda], givenName=[Scott],
> > urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
> > uid=[scott.koranda],
> > urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.kora...@sphericalcowgroup.com],
> > notOnOrAfter=2018-03-22T14:49:45.460Z,
> > eduPersonPrincipalName=[scott.kora...@sphericalcowgroup.com],
> > urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> > sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> > permissions: [] | isRemembered: false | clientName: null | linkedId:
> > null |>
> >
> > Those are the values for NameID (transient) and attributes that I
> > expect.
> >
> > The next line in cas.log is
> >
> > 2018-03-22 14:44:46,402 INFO
> > [org.apereo.cas.authentication.AbstractAuthenticationManager] -
> > <Authenticated principal
> > [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
> > with attributes [{}] via credentials
> > [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=
> > AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAY
> > SR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/
> > 5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>
> >
> > So it appears that the NameID value (transient) is being used as the
> > principal, but none of the attributes are making it from the pac4j layer
> > into the CAS layer.
> >
> > Is that a correct assessment?
> >
> > If so, how can I
> >
> > a) change what value is used for the principal? I would like to use the
> > value from one of the asserted attributes.
> >
> > b) push the attributes into the CAS layer to make them available for
> > assertion downstream to the CAS client?
> >
> > I have reviewed the documentation for the Delegated/pac4j authentication at
> >
> > https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html
> >
> > and that for Attribute Resolution at
> >
> > https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html
> >
> > but I am not able to find a configuration option that appears to tell
> > pac4j to push the attributes into the Authentication object.
> >
> > Thank you for your consideration.
> >
> > Scott K
> >
> >
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to cas-user+unsubscr...@apereo.org.
> > To view this discussion on the web visit https://groups.google.com/a/
> > apereo.org/d/msgid/cas-user/20180322152546.o52kuzuh6u227e5s%40paprika.
> > local.
> >

