Hi John,

I removed the claims-map in config and the following is my 
attributeReleasePolicy:

```
attributeReleasePolicy:
{
  @class: org.apereo.cas.services.ChainingAttributeReleasePolicy
  policies:
  [
    java.util.ArrayList
    [
      {
        @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
        principalAttributesRepository:
        {
          @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
          mergingStrategy: REPLACE
          ignoreResolvedAttributes: false
        }
        order: 0
        allowedAttributes:
        [
          java.util.ArrayList
          [
            mail
            displayName
            sAMAccountName
            userPrincipalName
          ]
        ]
      }
      {
        @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
        allowedAttributes:
        {
          @class: java.util.TreeMap
          email: groovy { return attributes[ 'mail' ].get(0) }
          email_verified: groovy { if(!attributes[ 'mail' ].isEmpty() && attributes[ 'mail' ].get(0).endsWith('@xxxx.com')){ return true } else { return false } }
          name: groovy { return attributes[ 'displayName' ].get(0) }
          nickname: groovy { return attributes[ 'sAMAccountName' ].get(0) }
          preferred_username: groovy { return attributes[ 'userPrincipalName' ].get(0) }
        }
        principalAttributesRepository:
        {
          @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
          mergingStrategy: REPLACE
          ignoreResolvedAttributes: false
        }
        order: 1
      }
    ]
  ]
  mergingPolicy: REPLACE
  order: 0
}
```

*also removed the scopes*

```
scopes:
[
  java.util.HashSet
  []
]
```


On Wednesday, March 9, 2022 at 23:47:15 UTC+8, John Wagenleitner wrote:

> Hi Jae,
>
> Thanks for the reply, are you able to share any of your config?
>
> In my case both the IDToken and the userinfo endpoint contain claims such 
> as `mail` and `cn`. But the `claims-map` only seems to work for the 
> userinfo endpoint, which returns both claims `mail` and `email` and `cn` 
> and `name`, though I would have not expected it to include both the 
> original CAS attribute (from LDAP such as cn) and the mapped claim (such as 
> email) and think in versions prior to v6.4 it returned only `email` as a 
> claim name for that particular value.
>
> so the attributes in your claims-map do not have value, so the IDToken 
>> does have value.
>
>
> In my claim-map I'm mapping `cn` to `name`. The IDToken we receive does 
> include `cn` as a claim. Based on my mapping settings, I would have 
> expected the claim name to be `name` and not `cn` both in the IDToken and 
> in the userinfo endpoint and this is how it worked prior to v6.4.
>
> John
>
> On Tue, Mar 8, 2022 at 5:55 PM Jae Liu <jae....@gmail.com> wrote:
>
>> I used CAS v6.4 it's ok for me.
>>
>> I think there is something wrong with your configuration. You defined the 
>> scopes (scopes=openid,profile,email), CAS will use these as attributes 
>> release policy, the scopes email will only release attributes email and 
>> email_verified, profile will release name, given_name, family_name, so the 
>> attributes in your claims-map do not have value, so the IDToken does have 
>> value.
>>
>> On Tuesday, January 11, 2022 at 12:28:01 UTC+8, John Wagenleitner wrote:
>>
>>> In CAS v6.3 (up to and including v6.3.7.4) we used the 
>>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to 
>>> the standard claim names. This mapping worked for both the ID Token and the 
>>> UserInfo (`/profile`) endpoint.
>>>
>>> Here are the relevant properties we have set:
>>>
>>> ```
>>> cas.authn.oidc.discovery.scopes=openid,profile,email
>>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>>> cas.authn.oidc.core.claims-map.email=mail
>>> cas.authn.oidc.core.claims-map.name=cn
>>> cas.authn.oidc.core.claims-map.family_name=sn
>>> cas.authn.oidc.core.claims-map.given_name=givenName
>>> ```
>>>
>>> This mapping is no longer working in CAS v6.4 (and also tested in the 
>>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer 
>>> contain the mapped names but instead contain the LDAP attribute names such 
>>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the 
>>> mapped claim names.
>>>
>>> As a possible workaround, I tried using a service definition that 
>>> included an `attributeReleasePolicy` using the 
>>> `ReturnMappedAttributeReleasePolicy` class but that had no effect on the ID 
>>> Token claim names.
>>>
>>> I have reviewed all the OIDC settings and didn't spot anything that 
>>> looks like it would address this issue.
>>>
>>> Any help/advice would be appreciated,
>>> John
>>>
>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4881a01b-e747-4844-85e2-281344c42223n%40apereo.org.
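As an added example (not code from the thread or from CAS itself), the following standalone Groovy script reproduces the claim mapping of the inline `groovy { ... }` values in the service definition above, but null-safely: the inline scripts call `.get(0)` on the attribute list directly and throw when the LDAP attribute is absent or empty, whereas here a missing source attribute simply yields no claim. It assumes the plain `groovy` CLI, a hypothetical `verifiedDomain` parameter standing in for the thread's redacted `@xxxx.com`, and constructed sample attribute maps.

```groovy
// Added example: null-safe equivalents of the inline mappers in the
// ReturnMappedAttributeReleasePolicy above. CAS hands each mapper the
// resolved attribute map (attribute name -> list of values).

// First value of an attribute, or null when it is missing or empty.
def firstValue(Map attributes, String name) {
    def values = attributes[name]
    return (values == null || values.isEmpty()) ? null : values[0]?.toString()
}

// Build the OIDC claims the policy releases for one trusted mail domain.
// verifiedDomain is an assumed parameter replacing the redacted '@xxxx.com'.
def mapClaims(Map attributes, String verifiedDomain) {
    def mail = firstValue(attributes, 'mail')
    def claims = [
        email             : mail,
        // email_verified only makes sense alongside email; null drops it below
        email_verified    : mail == null ? null
                                         : mail.toLowerCase().endsWith('@' + verifiedDomain.toLowerCase()),
        name              : firstValue(attributes, 'displayName'),
        nickname          : firstValue(attributes, 'sAMAccountName'),
        preferred_username: firstValue(attributes, 'userPrincipalName')
    ]
    // Release only claims whose source attribute was actually present.
    return claims.findAll { k, v -> v != null }
}

// Constructed sample inputs standing in for what CAS resolves from LDAP.
def full = [mail: ['alice@example.com'], displayName: ['Alice Example'],
            sAMAccountName: ['alice'], userPrincipalName: ['alice@example.com']]
def partial = [mail: ['bob@other.org'], displayName: []]   // other attributes missing

assert mapClaims(full, 'example.com') == [email: 'alice@example.com', email_verified: true,
    name: 'Alice Example', nickname: 'alice', preferred_username: 'alice@example.com']
assert mapClaims(partial, 'example.com') == [email: 'bob@other.org', email_verified: false]
assert mapClaims([:], 'example.com') == [:]
println 'claim mapping checks passed'
```

The `partial` and empty cases are exactly the inputs on which the original inline `attributes[ 'mail' ].get(0)` form would raise an exception instead of releasing the remaining claims.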