You should be safe from SAML messes; CASv2 attribute release via SAML 1.1
has been around for years and years; much longer than the CAS
server's support for the SAML2 protocol and acting as an IdP/SP. You don't
actually have to configure anything at all; just use the other endpoint
(samlValidate instead of serviceValidate).

CASSSOEnabled is for supporting CAS Single Sign Out. If you're not using
that, you should not need it. Although leaving it on won't hurt anything,
either. Personally, I have always just left it on, and have never had an
issue.

CASAuthnHeader is an on/off attribute. (See the documentation:
https://github.com/apereo/mod_auth_cas). If you want to change the
attribute headers to start with something other than "CAS_", that's the
CASAttributePrefix directive.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu
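As an added illustration (not part of this thread or of mod_auth_cas itself) of what the samlValidate endpoint returns and how it becomes the CAS_-prefixed headers discussed above: the snippet below parses a constructed SAML 1.1 response of the kind /samlValidate sends back, checks the status, and maps each released attribute to a header name. The prefix mirrors CASAttributePrefix's default "CAS_"; joining multi-valued attributes with a comma is an assumption here, not something taken from the module's code.

```python
import xml.etree.ElementTree as ET

# Namespaces of a CAS /samlValidate response: SAML 1.1 inside a SOAP envelope.
NS = {"saml1p": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml1": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample response (not captured from a real server): one subject,
# one single-valued and one multi-valued attribute released by CAS.
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
                   xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
   <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
   <saml1:Assertion>
    <saml1:AttributeStatement>
     <saml1:Subject><saml1:NameIdentifier>alberto</saml1:NameIdentifier></saml1:Subject>
     <saml1:Attribute AttributeName="mail">
      <saml1:AttributeValue>alberto@example.org</saml1:AttributeValue>
     </saml1:Attribute>
     <saml1:Attribute AttributeName="memberOf">
      <saml1:AttributeValue>staff</saml1:AttributeValue>
      <saml1:AttributeValue>it</saml1:AttributeValue>
     </saml1:Attribute>
    </saml1:AttributeStatement>
   </saml1:Assertion>
  </saml1p:Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

def parse_saml_validate(xml_text, prefix="CAS_", delimiter=","):
    """Return (username, headers) from a samlValidate response, raising on failure.
    headers maps "<prefix><AttributeName>" to the value(s) joined with delimiter,
    the shape the application sees; the delimiter is an assumption."""
    root = ET.fromstring(xml_text)
    code = root.find(".//saml1p:Status/saml1p:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("samlValidate did not report success")
    stmt = root.find(".//saml1:AttributeStatement", NS)
    if stmt is None:  # nothing released, or a serviceValidate-style reply
        raise ValueError("no AttributeStatement in response")
    name_id = stmt.find("saml1:Subject/saml1:NameIdentifier", NS)
    if name_id is None or not name_id.text:
        raise ValueError("AttributeStatement carries no subject")
    headers = {}
    for attr in stmt.findall("saml1:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml1:AttributeValue", NS)]
        headers[prefix + attr.get("AttributeName", "")] = delimiter.join(values)
    return name_id.text, headers
```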


On Thu, Oct 24, 2019 at 8:27 AM Alberto Cabello Sánchez <albe...@unex.es>
wrote:

> Thank you very much. I'll try later, hoping not to end in a SAML mess, as
> I usually do.
>
> Regarding Apache directives,
>
> * Do I need "CASSSOEnabled On", even if I'm not using SSOut capabilities?
>
> * Is "CASAuthNHeader On" correct? I just did that and ended with a "On"
> header containing only the authenticated username, not what I wanted...
> I thought CASAuthNHeader is not an On/Off directive but it takes a string
> value to set the header name.
>
> Regards.
>
> On Thu, 24 Oct 2019 08:13:18 -0400
> David Curry <david.cu...@newschool.edu> wrote:
>
> > In your service registry:
> >
> > {
> >   ...
> >   "attributeReleasePolicy" : {
> >       "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> >   },
> >   ...
> > }
> >
> > In /etc/httpd/conf.d/cas.conf:
> >
> > LoadModule auth_cas_module modules/mod_auth_cas.so
> >
> > <Directory "/var/www/html/secured-by-cas">
> >     <IfModule mod_auth_cas.c>
> >         AuthType        CAS
> >         CASAuthNHeader  On
> >     </IfModule>
> >     Require valid-user
> > </Directory>
> >
> > <IfModule mod_auth_cas.c>
> >     CASLoginUrl           https://casserver.example.org/cas/login
> >     CASValidateUrl        https://casserver.example.org/cas/samlValidate
> >     CASCookiePath         /var/cache/httpd/mod_auth_cas/
> >     CASValidateSAML       On
> >     CASSSOEnabled         On
> >     CASDebug              Off
> > </IfModule>
> >
> > Note that CASv2 uses SAML 1.1 to return attributes; hence the use of
> > samlValidate. This is *not* the same thing as configuring the CAS server
> > as a SAML2 IdP and using SAML instead of CAS to authenticate.
> >
> > This will put all your attributes into Apache headers. You can access
> > them in various ways; here's a simple PHP example that you can put into
> > /var/www/html/secured-by-cas/index.php or whatever:
> >
> > <!DOCTYPE html>
> > <html lang="en">
> >   <head>
> >     <title>Hello, World!</title>
> >     <meta charset="utf-8">
> >     <meta name="viewport" content="width=device-width, initial-scale=1">
> >     <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
> >   </head>
> >   <body>
> >     <div class="container">
> >       <h1>Secured Content</h1>
> >       <p><big>This is some secure content. You should not be able to
> > see it until you have entered your username and password.</big></p>
> >       <h2>Attributes Returned by CAS</h2>
> >       <?php
> >         echo "<pre>";
> >
> >         if (array_key_exists('REMOTE_USER', $_SERVER)) {
> >             // Escape before echoing: header values are attacker-influenced input to the page
> >             echo "REMOTE_USER = " . htmlspecialchars($_SERVER['REMOTE_USER']) . "<br>";
> >         }
> >
> >         $headers = getallheaders();
> >         foreach ($headers as $key => $value) {
> >             if (strpos($key, 'CAS_') === 0) {
> >                 echo htmlspecialchars(substr($key, 4)) . " = " . htmlspecialchars($value) . "<br>";
> >             }
> >         }
> >
> >         echo "</pre>";
> >       ?>
> >     </div>
> >   </body>
> > </html>
> >
> >
> > --Dave
> >
> > --
> >
> > DAVID A. CURRY, CISSP
> > *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> > THE NEW SCHOOL • INFORMATION TECHNOLOGY
> >
> > 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> > +1 646 909-4728 • david.cu...@newschool.edu
> >
> >
> >
> > On Thu, Oct 24, 2019 at 6:26 AM Alberto Cabello Sánchez <albe...@unex.es>
> > wrote:
> >
> > > Hi,
> > >
> > > I'm trying to get attributes released by CAS through mod_auth_cas and
> > > CASv2 protocol (not SAML), but I'm not sure how to achieve it.
> > >
> > > I set
> > >
> > > CASAuthNHeader ATTR
> > >
> > > but it just gives the authenticated user, even though the successful-login
> > > page correctly shows the attributes defined in application.properties.
> > >
> > > Attribute release policy for that service is
> > >
> > > "attributeReleasePolicy" : {
> > >     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
> > > },
> > >
> > > My validation URL is
> > >
> > > CASValidateURL <CAS_URL>/serviceValidate
> > >
> > > I don't know if this is correct. I found another value when using SAML
> > > validation, but I don't know if I have to change this one for CASv2 (only
> > > found this information regarding the SAML version).
> > >
> > > Thanks in advance,
> > >
> > > --
> > > Alberto Cabello Sánchez
> > > Servicio de Informática
> > > Universidad de Extremadura
> > >
> > > --
> > > - Website: https://apereo.github.io/cas
> > > - Gitter Chatroom: https://gitter.im/apereo/cas
> > > - List Guidelines: https://goo.gl/1VRrw7
> > > - Contributions: https://goo.gl/mh7qDG
> > > ---
> > > You received this message because you are subscribed to the Google
> Groups
> > > "CAS Community" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> an
> > > email to cas-user+unsubscr...@apereo.org.
> > > To view this discussion on the web visit
> > >
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/20191024122634.9aee358820053e3c75081f5e%40unex.es
> > > .
> > >
> >
>
>
> --
> Alberto Cabello Sánchez
> Servicio de Informática
> Universidad de Extremadura
>
