Hi,

I'm working on integration with Azure AD too. I was able to connect via
OpenID. To map attributes you need to define default attributes. Example
below:

cas.authn.attributeRepository.merger=REPLACE
cas.authn.releaseProtocolAttributes=true
cas.authn.attributeRepository.defaultAttributesToRelease=email,given_name,family_name,name

After that, attribute mapping started working for me.

Can you share the configuration of how the integration with the SAML IdP is
working for you? With OAuth 2.0 and OpenID I had a problem with Azure AD: the
redirect_url parameter does not redirect with GET parameters, and I had to
override the default Pac4j configuration.

Thanks,
Lukas



Fri, 5 Oct 2018 at 23:15 Raghavan TV <tvragha...@gmail.com> wrote:

> Hi All
>
> We were able to successfully integrate CAS 5.2.6 using delegated
> authentication against Azure AD (SAML IdP)
>
> We are now looking to map the SAML (claims) attributes to more meaningful
> names
>
> Azure SAML Response
>
> <samlp:Response
>     Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
>     ID="_6a00b756-53f4-4702-b329-7a6af0145fa0"
>     InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
>     IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
>     <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
>     <Assertion ID="_337eded3-a927-4674-b78a-77259cfbf784"
>         IssueInstant="2018-10-04T13:22:05.275Z"
>         Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>         <Issuer>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <SignedInfo>
>                 <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                 <Reference URI="#_337eded3-a927-4674-b78a-77259cfbf784">
>                     <Transforms>
>                         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </Transforms>
>                     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                     <DigestValue>BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=</DigestValue>
>                 </Reference>
>             </SignedInfo>
>
> <SignatureValue>HAKazQ1ApJ5w0NtxJs5E/qECDRz8C5xYjHtGDJtuuuULrM07HUjkoenQ4L34UhSO4qm6Jgo0roIP1bQAGDlq0DWmPu7P9nyPSaQbKiBMtDAO759rM/g0neTWWfYYuNfDFauA+CBuu1N2W15h/oYU85z2D//W8RJQDMB7JvkycPgKF9BY0RON+Rlo2qOFsZ8Z6TxNJgyDxPCQG5natKgVoAZ57lC4+giarBQJQgCFGjy5uckKx4tq2qDuSGnyxqpxqSSm0WNhRR4AqY+kMtNLvEv0aimLX5ezzeOTy7yGmnWNf+l8+FAai2US19Fu/G9xeMH9c3MjZ69MujIkFGqc3A==</SignatureValue>
>             <KeyInfo>
>                 <X509Data>
>
> <X509Certificate>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</X509Certificate>
>                 </X509Data>
>             </KeyInfo>
>         </Signature>
>         <Subject>
>             <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</NameID>
>             <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <SubjectConfirmationData InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
>                     NotOnOrAfter="2018-10-04T13:27:05.275Z"
>                     Recipient="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"/>
>             </SubjectConfirmation>
>         </Subject>
>         <Conditions NotBefore="2018-10-04T13:17:05.275Z" NotOnOrAfter="2018-10-04T14:17:05.275Z">
>             <AudienceRestriction>
>                 <Audience>spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695</Audience>
>             </AudienceRestriction>
>         </Conditions>
>         <AttributeStatement>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
>                 <AttributeValue>522b3803-a001-4675-b3b5-1d727d43585a</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
>                 <AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
>                 <AttributeValue>xx...@aaaa.onmicrosoft.com</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
>                 <AttributeValue>Firstname Lastname</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
>                 <AttributeValue>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
>                 <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
>                 <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
>             </Attribute>
>         </AttributeStatement>
>         <AuthnStatement AuthnInstant="2018-10-04T09:50:06.611Z"
>             SessionIndex="_337eded3-a927-4674-b78a-77259cfbf784">
>             <AuthnContext>
>                 <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
>             </AuthnContext>
>         </AuthnStatement>
>     </Assertion>
> </samlp:Response>
>
>
> CAS Client Response
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
>         <cas:attributes>
>             <cas:isFromNewLogin>true</cas:isFromNewLogin>
>             <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
>             <cas:authenticationDate>2018-10-04T13:22:05.643Z[Etc/UTC]</cas:authenticationDate>
>             <cas:clientName>MY_SAML</cas:clientName>
>             <cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
>             <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
>             <cas:notBefore>2018-10-04T13:17:05.275Z</cas:notBefore>
>             <cas:credentialType>ClientCredential</cas:credentialType>
>             <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
>             <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
>             <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>522b3803-a001-4675-b3b5-1d727d43585a</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>
>             <cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>myuse...@mydomain.onmicrosoft.com</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
>             <cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
>             <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
>             <cas:notOnOrAfter>2018-10-04T14:17:05.275Z</cas:notOnOrAfter>
>             <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
>             <cas:sessionindex>_337eded3-a927-4674-b78a-77259cfbf784</cas:sessionindex>
>         </cas:attributes>
>     </cas:authenticationSuccess>
> </cas:serviceResponse>
>
>
>
> We tried to use the AttributeResolver on the CAS server side configuration,
> but it is not working now.
>
> Any pointers on what is wrong with the way we are trying the attribute mapping?
>
> Sample attribute resolution mapping that we are trying (groovy map,
> attrname map):
>
> "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "name" : "username",
>       "displayname" : "userdisplayname",
>       "someattrname" : "groovy { return attributes['name'] }",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572" : "id",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65" : "name",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964" : "appId",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573" : "passwordUrl",
>       "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65" : "email",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572" : "serviceUrl",
>       "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f7375726e616d65" : "lastName",
>       "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f676976656e6e616d65" : "firstName"
>     }
>   }
>
>
> Any pointers around attribute mapping will be really helpful
>
> Thanks
> Raghav
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c44685d-7b4b-4a58-b6ee-ff675d975daa%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c44685d-7b4b-4a58-b6ee-ff675d975daa%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_h%3D4EyQ6N9V-LSBp7VfJZjWVkjSceOvbHSvq0YBddbKNw%40mail.gmail.com.
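Added illustration, not code from either poster or from CAS itself: the `cas:6874...` element names in the quoted CAS response are the Azure claim URIs with their UTF-8 bytes written as lowercase hex, which is how CAS renders an attribute name that is not a valid XML element name. The script decodes those tags back to claim URIs, predicts the tag a released name will get, and builds the allowedAttributes map; it assumes that ReturnMappedAttributeReleasePolicy matches on the raw claim URI and that the hex form appears only when the CAS protocol response is rendered (so the released names "id", "name", "email" come out as plain tags).

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the CAS client response quoted in the thread.
# Claim URIs arrive as hex-encoded element names because a URI is not a valid XML name.
CAS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
        <cas:attributes>
            <cas:clientName>MY_SAML</cas:clientName>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname
            Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
            <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

XML_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")   # ASCII subset of a valid XML element name
LEAF = re.compile(r"<cas:([^\s>]+)>([^<]*)</cas:\1>")  # leaf elements only (no nested markup)

def decode_attribute_name(tag: str) -> str:
    """Recover the original attribute name from a CAS response element name."""
    if re.fullmatch(r"(?:[0-9a-f]{2})+", tag):
        try:
            return bytes.fromhex(tag).decode("utf-8")
        except UnicodeDecodeError:
            pass  # looked like hex but was not an encoded name; keep the tag as-is
    return tag

def expected_tag(name: str) -> str:
    """Element name CAS will use when it releases this attribute: valid XML names
    pass through, anything else (a claim URI with ':' and '/') becomes UTF-8 hex."""
    return name if XML_NAME.fullmatch(name) else name.encode("utf-8").hex()

def parse_cas_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Collect leaf <cas:...> elements as {decoded name: [values]}; a repeated
    element (multi-valued attribute such as authnmethodsreferences) accumulates."""
    attrs: Dict[str, List[str]] = {}
    for tag, value in LEAF.findall(xml_text):
        if tag != "user":
            attrs.setdefault(decode_attribute_name(tag), []).append(" ".join(value.split()))
    return attrs

def allowed_attributes(mapping: Dict[str, str]) -> Dict[str, str]:
    """allowedAttributes block for ReturnMappedAttributeReleasePolicy. Assumption: the
    policy sees raw claim URIs as keys; hex appears only when the response is rendered."""
    return {"@class": "java.util.TreeMap", **mapping}
```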
