Hi everyone,

I'm wondering if anyone else has seen something like this:

(Environment: CAS 5.3.15.1, AD auth, Hazelcast ticket registry.)



I had a report of someone not being able to access a particular service 
after successfully logging in to CAS (using Safari on iPad and iPhone). The 
application logs led me to believe that it was not getting the expected 
attributes from CAS/AD. This is what I saw in the cas.log:

[result=Service Access Granted,service=https://m*****.aims.edu/s******/i****,principal=SimplePrincipal(id=j*****, attributes={}),requiredAttributes={}]


That same user, using another browser was able to access the service, and 
this is what I then saw in the log:

[result=Service Access Granted,service=https://m*****.aims.edu/s******/i****,principal=SimplePrincipal(id=j*****, attributes={is_stu=Y, uid=j*****, upn=j*****@aims.edu, mail=j*****@aims.edu, UDC_IDENTIFIER=********************************, displayName=J*********, givenName=J****, roles=ActiveStudent, cn=*********, memberOf=[CN=All Students,OU=*******,OU=******,OU=******************,DC=aims,DC=edu, CN=roleStudentActive,OU=*******,OU=******,OU=******************,DC=aims,DC=edu], sn=****}),requiredAttributes={}]


In the above examples, one session had an empty set of attributes, 
attributes={}, while the other had a full set of attributes, 
attributes={...,...,...,...,...etc...}.


The only difference that I'm aware of is moving off of Safari on the client 
side. Why would a specific browser impact the release of attributes from 
the CAS server, to the service? Is there something I should be looking at 
on the server configuration? Below is the AD configuration:


#Prod Active Directory setup
cas.authn.ldap[0].order:                0
cas.authn.ldap[0].name:                 Prod Active Directory
cas.authn.ldap[0].type:                 AD
cas.authn.ldap[0].ldapUrl:              ldaps://${dc.1}.aims.edu
cas.authn.ldap[0].validatePeriod:       270
cas.authn.ldap[0].poolPassivator:       NONE
cas.authn.ldap[0].SearchFilter:         sAMAccountName={user}
cas.authn.ldap[0].baseDn:               dc=aims,dc=edu
cas.authn.ldap[0].dnFormat:             %s...@aims.edu
#AD attribute resolution
cas.authn.attributeRepository.ldap[0].order:            0
cas.authn.attributeRepository.ldap[0].ldapUrl:          ldaps://${dc.1}.aims.edu
cas.authn.attributeRepository.ldap[0].validatePeriod:   270
cas.authn.attributeRepository.ldap[0].SearchFilter:     sAMAccountName={user}
cas.authn.attributeRepository.ldap[0].baseDn:           dc=aims,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn:           cn=***,ou=***,dc=aims,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential:   ***
cas.authn.attributeRepository.ldap[0].attributes.cn:                               uid
cas.authn.attributeRepository.ldap[0].attributes.displayName:                      displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName:                        givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:                             mail
cas.authn.attributeRepository.ldap[0].attributes.sn:                               sn
cas.authn.attributeRepository.ldap[0].attributes.customPersonCollegeCode:          UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.customPersonAlternateID:          cn
cas.authn.attributeRepository.ldap[0].attributes.customPersonEmployeeStatus:       is_empl
cas.authn.attributeRepository.ldap[0].attributes.customPersonFacStatus:            is_facl
cas.authn.attributeRepository.ldap[0].attributes.customPersonEmployeeTypeStudent:  is_stu
cas.authn.attributeRepository.ldap[0].attributes.customPersonStatusStudent:        is_stu
cas.authn.attributeRepository.ldap[0].attributes.customPersonRoles:                roles
cas.authn.attributeRepository.ldap[0].attributes.MemberOf:                         memberOf
cas.authn.attributeRepository.ldap[0].attributes.UserPrincipalName:                upn


The service is defined as:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://m*****.aims.edu(\\z|/.*)",
  "name" : "m************",
  "id" : 15********,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
  },
  "evaluationOrder" : 10
}



Thanks everyone.
Matt Uribe

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/45afb1c6-0f8d-40e0-a722-e945b611ee70%40apereo.org.

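An added diagnostic for the symptom in the post above; it is example code written for this page, not part of the original message and not CAS code. It parses "Service Access Granted" audit lines of the shape shown in the post (a `SimplePrincipal(id=..., attributes={...})` entry followed by `requiredAttributes`), handles multi-valued attributes such as `memberOf` whose DN values themselves contain commas, and reports every grant where the principal carried an empty attribute set, together with the attribute names the same principal was seen with in other grants. This tells you quickly whether the empty release is confined to one principal and one session or is wider, which is the first thing to establish before looking at the ticket registry or the attribute repository. The log lines embedded below are constructed for the example (hostnames under `example.edu`, invented user ids); assumed is only that the real lines carry the same `[result=...]` block, so any timestamp or category prefix is ignored.

```python
"""Flag CAS audit grants that released an empty attribute set.

Example code for this page, not CAS's own. Assumes audit lines contain a block
of the form
  [result=Service Access Granted,service=URL,principal=SimplePrincipal(id=ID, attributes={...}),requiredAttributes={...}]
anywhere in the line; anything before the block (timestamps, log category) is ignored.
"""
import re
from collections import defaultdict

GRANT_RE = re.compile(
    r"\[result=(?P<result>[^,]+),service=(?P<service>[^,]+),"
    r"principal=SimplePrincipal\(id=(?P<id>[^,]+),\s*attributes=\{(?P<attrs>.*)\}\),"
    r"requiredAttributes=\{(?P<required>.*)\}\]"
)

# Constructed sample log, not the poster's real log: the first two lines mirror the
# post (same user, one grant with attributes={} and one with a full set), the third
# is a different user who always received attributes.
SAMPLE_LOG = """\
[result=Service Access Granted,service=https://portal.example.edu/app/home,principal=SimplePrincipal(id=jdoe, attributes={}),requiredAttributes={}]
[result=Service Access Granted,service=https://portal.example.edu/app/home,principal=SimplePrincipal(id=jdoe, attributes={is_stu=Y, uid=jdoe, upn=jdoe@example.edu, mail=jdoe@example.edu, displayName=Jane Doe, givenName=Jane, roles=ActiveStudent, cn=12345, memberOf=[CN=All Students,OU=Groups,DC=example,DC=edu, CN=roleStudentActive,OU=Groups,DC=example,DC=edu], sn=Doe}),requiredAttributes={}]
[result=Service Access Granted,service=https://other.example.edu/,principal=SimplePrincipal(id=asmith, attributes={uid=asmith, sn=Smith}),requiredAttributes={}]
"""


def _split_top_level(text, sep=", "):
    """Split on `sep` only outside square brackets, so DN values inside a
    multi-valued attribute such as memberOf=[CN=a,OU=b, CN=c,OU=d] stay whole."""
    parts, current, depth, i = [], [], 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if depth == 0 and text.startswith(sep, i):
            parts.append("".join(current))
            current = []
            i += len(sep)
            continue
        current.append(ch)
        i += 1
    if current:
        parts.append("".join(current))
    return [p for p in parts if p]


def parse_attributes(text):
    """Turn 'a=b, c=[d, e]' into {'a': 'b', 'c': ['d', 'e']}; '' gives {}."""
    attrs = {}
    for item in _split_top_level(text.strip()):
        name, _, value = item.partition("=")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            attrs[name.strip()] = [v.strip() for v in _split_top_level(value[1:-1])]
        else:
            attrs[name.strip()] = value
    return attrs


def parse_grants(lines):
    """Extract result, service, principal id and released attributes per audit line."""
    grants = []
    for line in lines:
        m = GRANT_RE.search(line)
        if not m:
            continue
        grants.append({
            "result": m["result"],
            "service": m["service"],
            "principal": m["id"].strip(),
            "attributes": parse_attributes(m["attrs"]),
        })
    return grants


def find_empty_attribute_grants(grants):
    """Return one finding per grant whose attribute set was empty, listing the
    attribute names the same principal was released with in any other grant."""
    by_principal = defaultdict(list)
    for g in grants:
        if g["result"] == "Service Access Granted":
            by_principal[g["principal"]].append(g)
    findings = []
    for principal, pgrants in by_principal.items():
        seen = set()
        for g in pgrants:
            seen.update(g["attributes"])
        for g in pgrants:
            if not g["attributes"]:
                findings.append({"principal": principal, "service": g["service"],
                                 "missing": sorted(seen)})
    return findings


if __name__ == "__main__":
    for f in find_empty_attribute_grants(parse_grants(SAMPLE_LOG.splitlines())):
        print(f"{f['principal']} -> {f['service']}: empty attribute set; "
              f"other grants carried {', '.join(f['missing']) or 'nothing'}")
```

Run it against a real cas.log with `parse_grants(open("cas.log"))`; lines that the email client wrapped mid-entry, as in the post, need to be rejoined first, since the pattern is matched per line. Because the audit block does not record the client's User-Agent, correlating a finding with Safari still has to be done by timestamp against the web server's access log.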