Hi everyone, I'm wondering if anyone else has seen something like this:
(Environment: CAS 5.3.15.1, AD auth, Hazelcast ticket registry.)

I had a report of someone not being able to access a particular service after successfully logging in to CAS (using Safari on iPad and iPhone). Its application logs led me to believe that it was not getting the expected attributes from CAS/AD. This is what I saw in the cas.log:

    [result=Service Access Granted,service=https://m*****.aims.edu/s******/i****,principal=SimplePrincipal(id=j***** , attributes={}),requiredAttributes={}]

That same user, using another browser, was able to access the service, and this is what I then saw in the log:

    [result=Service Access Granted,service=https://m*****.aims.edu/s******/i****,principal=SimplePrincipal(id=j*****, attributes={is_stu=Y, uid=j*****, upn=j*****@aims.edu, mail=j*****@aims.edu, UDC_IDENTIFIER=********************************, displayName=J*********, givenName=J****, roles=ActiveStudent, cn=*********, memberOf=[CN=All Students,OU=*******,OU=******,OU=******************,DC=aims,DC=edu, CN=roleStudentActive,OU=*******,OU=******,OU=******************,DC=aims,DC=edu], sn=****}),requiredAttributes={}]

In the above examples, one session had an empty set of attributes, attributes={}, while the other had a full set of attributes, attributes={...,...,...,...,...etc...}. The only difference that I'm aware of is moving off of Safari on the client side. Why would a specific browser impact the release of attributes from the CAS server to the service? Is there something I should be looking at in the server configuration?
Below is the AD configuration:

    #Prod Active Directory setup
    cas.authn.ldap[0].order: 0
    cas.authn.ldap[0].name: Prod Active Directory
    cas.authn.ldap[0].type: AD
    cas.authn.ldap[0].ldapUrl: ldaps://${dc.1}.aims.edu
    cas.authn.ldap[0].validatePeriod: 270
    cas.authn.ldap[0].poolPassivator: NONE
    cas.authn.ldap[0].SearchFilter: sAMAccountName={user}
    cas.authn.ldap[0].baseDn: dc=aims,dc=edu
    cas.authn.ldap[0].dnFormat: %s...@aims.edu

    #AD attribute resolution
    cas.authn.attributeRepository.ldap[0].order: 0
    cas.authn.attributeRepository.ldap[0].ldapUrl: ldaps://${dc.1}.aims.edu
    cas.authn.attributeRepository.ldap[0].validatePeriod: 270
    cas.authn.attributeRepository.ldap[0].SearchFilter: sAMAccountName={user}
    cas.authn.attributeRepository.ldap[0].baseDn: dc=aims,dc=edu
    cas.authn.attributeRepository.ldap[0].bindDn: cn=***,ou=***,dc=aims,dc=edu
    cas.authn.attributeRepository.ldap[0].bindCredential: ***
    cas.authn.attributeRepository.ldap[0].attributes.cn: uid
    cas.authn.attributeRepository.ldap[0].attributes.displayName: displayName
    cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
    cas.authn.attributeRepository.ldap[0].attributes.mail: mail
    cas.authn.attributeRepository.ldap[0].attributes.sn: sn
    cas.authn.attributeRepository.ldap[0].attributes.customPersonCollegeCode: UDC_IDENTIFIER
    cas.authn.attributeRepository.ldap[0].attributes.customPersonAlternateID: cn
    cas.authn.attributeRepository.ldap[0].attributes.customPersonEmployeeStatus: is_empl
    cas.authn.attributeRepository.ldap[0].attributes.customPersonFacStatus: is_facl
    cas.authn.attributeRepository.ldap[0].attributes.customPersonEmployeeTypeStudent: is_stu
    cas.authn.attributeRepository.ldap[0].attributes.customPersonStatusStudent: is_stu
    cas.authn.attributeRepository.ldap[0].attributes.customPersonRoles: roles
    cas.authn.attributeRepository.ldap[0].attributes.MemberOf: memberOf
    cas.authn.attributeRepository.ldap[0].attributes.UserPrincipalName: upn

The service is defined as:

    {
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://m*****.aims.edu(\\z|/.*)",
      "name" : "m************",
      "id" : 15********,
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
      },
      "multifactorPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
      },
      "evaluationOrder" : 10
    }

Thanks everyone.

Matt Uribe
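As an added triage example (not part of Matt's post and not CAS project code), the script below parses cas.log audit lines in the format quoted above and reports grants where the principal carried no attributes at all, plus (principal, service) pairs that appear with differing attribute sets, which is exactly the mismatch described in the post. The sample log lines are constructed with placeholder hosts and ids.

```python
import re
from collections import defaultdict
# Constructed sample lines in the cas.log audit format quoted in the post
# (hostnames, ids and attribute values are placeholders, not real data).
SAMPLE_LOG = """\
[result=Service Access Granted,service=https://m.example.edu/s/i,principal=SimplePrincipal(id=jdoe , attributes={}),requiredAttributes={}]
[result=Service Access Granted,service=https://m.example.edu/s/i,principal=SimplePrincipal(id=jdoe, attributes={is_stu=Y, uid=jdoe, mail=jdoe@example.edu, memberOf=[CN=All Students,OU=x,DC=example,DC=edu, CN=roleStudentActive,OU=x,DC=example,DC=edu], sn=Doe}),requiredAttributes={}]
[result=Service Access Granted,service=https://other.example.edu/app,principal=SimplePrincipal(id=asmith, attributes={uid=asmith}),requiredAttributes={}]
"""

LINE_RE = re.compile(
    r"\[result=(?P<result>[^,]+),service=(?P<service>[^,]+),principal=SimplePrincipal"
    r"\(id=(?P<id>[^,]+?)\s*,\s*attributes=\{(?P<attrs>.*)\}\),requiredAttributes=\{.*?\}\]")

def split_top_level(text):
    """Split on commas at bracket depth zero, so memberOf=[a,b] stays one item."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch in "[{(") - (ch in "]})")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts

def parse_line(line):
    """Return {result, service, principal, attributes} for an audit line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pairs = (item.partition("=") for item in split_top_level(m.group("attrs")))
    return {"result": m.group("result"), "service": m.group("service"), "principal": m.group("id"),
            "attributes": {k.strip(): v.strip() for k, _, v in pairs}}

def parse_log(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def empty_attribute_grants(log_text):
    """Grants whose principal carried no attributes at all: the symptom in the post."""
    return [(r["principal"], r["service"]) for r in parse_log(log_text)
            if r["result"] == "Service Access Granted" and not r["attributes"]]

def inconsistent_principals(log_text):
    """(principal, service) pairs seen with more than one distinct attribute-key set."""
    seen = defaultdict(set)
    for r in parse_log(log_text):
        seen[(r["principal"], r["service"])].add(tuple(sorted(r["attributes"])))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Running it over a real cas.log narrows the investigation to the sessions that released nothing, which can then be correlated with the client (here, Safari) and the ticket-registry node that served them.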