I was able to duplicate this. There is a discrepancy between CAS views and SAML views; PrimaryAuthn is used in one but not the other.

Submitted this issue to track: https://github.com/Jasig/cas/issues/722

For the time being, would you be able to point your CAS client to /p3/serviceValidate and not use SAML? That should get you only the attributes you allowed.

From: Carlos Olivera [mailto:carlosroliv...@gmail.com]
Sent: Tuesday, October 14, 2014 7:45 AM
To: cas-user@lists.jasig.org
Cc: cas-user@lists.jasig.org; daniel.char...@unice.fr
Subject: Re: [cas-user] Cas Server 4.0 | Understanding Attribute Release

Ok, now I have more information about this issue. I know where the problem is located, but I don't know why it happens. I will enumerate all the relevant steps from getting the attributes to the SAML creation of attributes (at least how I think it works):

1. CentralAuthenticationServiceImpl: createTicketGrantingTicket(final Credential... credentials) calls this.authenticationManager.authenticate(credentials).

2. authenticateUsernamePasswordInternal: In this method, I get the user from the DB and load all its attributes. I return:

   createHandlerResult(credential, new SimplePrincipal(username, atributos), null);

   "atributos" contains all the user attributes. So, from now on, the Principal will have all the attributes, in my test "name" and "lastname".

3. CentralAuthenticationServiceImpl: createTicketGrantingTicket(final Credential... credentials) creates the ticket. The ticket has an Authentication object which contains the Principal created.

4. At some point the code hits validateServiceTicket and finishes by returning an ImmutableAssertion with the following attributes:

   * primary (Authentication): it's an Authentication object with a modifiedPrincipal. This particular principal has all the attributes I want because it went through all the necessary filters.

   * chained (List<Authentication>): this list references serviceTicket.getGrantingTicket().getChainedAuthentications(); it only has one item, and the principal contained in that Authentication item is the first one created, with all the attributes.

5. At last, the code hits Saml10SuccessResponseView.prepareResponse; the first line gets an Authentication object from:

   * final Authentication authentication = getAssertionFrom(model).getChainedAuthentications().get(0);

   and from that Authentication retrieves all the attributes.

In a simple test, I changed getAssertionFrom(model).getChainedAuthentications().get(0) to getAssertionFrom(model).getPrimaryAuthentication() and it works; now I'm getting only the attributes that I want in the client. I'm sure this isn't a viable solution, because I'm messing with Saml10SuccessResponseView and I shouldn't, but I wanted to know if that was the problem.

With all this new information, maybe some of you could tell me what I'm doing wrong and guide me in the right direction.

Thanks in advance.

On Monday, October 13, 2014 12:26:34 UTC-2, daniel....@unice.fr wrote:

Me, yeah, SAML 1.1 with a PHP function which just does a getAttribute().

-----------------------------------------------------------------
Daniel CHARLOT
D.S.I. Université de Nice Sophia-Antipolis
Systems and Network Administrator
28, avenue de Valrose - BP 2135 - 06103 NICE
Tel: 04-92-07-67-07

On 13 Oct 2014, at 16:18, Misagh Moayyed <mmoa...@unicon.net> wrote:

Nothing jumps out at me in your configuration. I'll run some tests to see if I can duplicate the error and provide an explanation. Do I remember correctly that you said you were using SAML 1.1 to get attributes?

From: Carlos Olivera [mailto:car...@gmail.com]
Sent: Monday, October 13, 2014 5:00 AM
To: cas-...@lists.jasig.org
Cc: daniel....@unice.fr
Subject: Re: [cas-user] Cas Server 4.0 | Understanding Attribute Release

Sorry, the client code to retrieve the attributes is:

   AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
   Map attributes = principal.getAttributes();

2014-10-13 9:50 GMT-02:00 Carlos Olivera <carlosr...@gmail.com>:

I tried to debug the code in order to figure out when the principal was saved with all the attributes. I got the following Assertion (ImmutableAssertion) object created (ServiceValidateController):

* primaryAuthentication (ImmutableAuthentication): The Principal has an empty list of attributes, which is what I need according to my configuration.

* chainedAuthentications (List<ImmutableAuthentication>): Returns a list with only one item, but in that case the Principal in the Authentication object has ALL the attributes of the user.

Is that the standard behaviour in the login process?

Something I haven't said yet: to retrieve the attributes from the client I use the following code:

   AttributePrincipal principal = (AttributePrincipal) request.
   Map attributes = principal.getAttributes();

Is that ok???

I don't know if any of that helps, but maybe for an experienced user it could mean something.

On Monday, October 13, 2014 08:51:15 UTC-2, daniel....@unice.fr wrote:

Hi,

Here is my deployerconfig. I have the same problem as Carlos. I don't understand why I have all attributes. I have tried both with attributeFilter and allowedAttributes, but it's the same.
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
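Added example, not part of the thread and not CAS code: a small Python model of the flow Carlos traced (handler principal with every DB attribute, TGT, assertion with a filtered primary authentication and an unfiltered chained list, and the two response views reading different halves of that assertion). Class and function names, the sample user, the service URL and the attribute values are all constructed for illustration; the point it reproduces is that a view which reads chainedAuthentications().get(0) bypasses the service's allowedAttributes policy, while one reading the primary authentication honours it. The last helper is the check a deployer would want after any release-policy change: compare what a view emits against what the service was allowed.

```python
"""Model of the CAS 4.0 attribute-release flow described in the thread.

Constructed example: this is NOT CAS code. It mimics the objects Carlos
traced (principal -> TGT -> assertion with primary + chained
authentications) and the two response views, so the discrepancy can be
reproduced and checked offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Principal:
    id: str
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class Authentication:
    principal: Principal


@dataclass(frozen=True)
class RegisteredService:
    """Stand-in for a registered service carrying an allowedAttributes list."""
    service_id: str
    allowed_attributes: List[str]


@dataclass(frozen=True)
class TicketGrantingTicket:
    authentication: Authentication

    def chained_authentications(self) -> List[Authentication]:
        # A plain (non-proxy) login has exactly one chained authentication:
        # the one the TGT was created with, i.e. the unfiltered principal.
        return [self.authentication]


@dataclass(frozen=True)
class Assertion:
    primary: Authentication
    chained: List[Authentication]


def authenticate(username: str, db_attributes: Dict[str, object]) -> Authentication:
    """Step 2 of the trace: the handler builds a principal with ALL DB attributes."""
    return Authentication(Principal(username, dict(db_attributes)))


def create_tgt(auth: Authentication) -> TicketGrantingTicket:
    """Step 3: the TGT carries that unfiltered authentication."""
    return TicketGrantingTicket(auth)


def validate_service_ticket(tgt: TicketGrantingTicket, svc: RegisteredService) -> Assertion:
    """Step 4: the release policy is applied ONLY to the primary authentication.

    The chained list still references the TGT's original authentication.
    """
    original = tgt.authentication.principal
    released = {k: v for k, v in original.attributes.items() if k in svc.allowed_attributes}
    modified = Authentication(Principal(original.id, released))
    return Assertion(primary=modified, chained=tgt.chained_authentications())


def service_validate_view(assertion: Assertion) -> Dict[str, object]:
    """/p3/serviceValidate-style view: reads the primary (filtered) authentication."""
    return dict(assertion.primary.principal.attributes)


def saml10_view_chained(assertion: Assertion) -> Dict[str, object]:
    """Behaviour Carlos observed in the SAML 1.1 view: chained.get(0)."""
    return dict(assertion.chained[0].principal.attributes)


def saml10_view_primary(assertion: Assertion) -> Dict[str, object]:
    """His experimental change: read the primary authentication instead."""
    return dict(assertion.primary.principal.attributes)


def leaked_attributes(released: Dict[str, object], svc: RegisteredService) -> List[str]:
    """Deployer's check: attribute names a view released that the policy did not allow."""
    return sorted(k for k in released if k not in svc.allowed_attributes)


def run_scenario() -> Dict[str, object]:
    # Constructed sample data: the DB holds three attributes, the service
    # is allowed to see only "mail"; "name" and "lastname" must not leak.
    db_attrs = {"name": "Carlos", "lastname": "Olivera", "mail": "c@example.org"}
    svc = RegisteredService("https://app.example.org/", allowed_attributes=["mail"])
    tgt = create_tgt(authenticate("carlos", db_attrs))
    assertion = validate_service_ticket(tgt, svc)
    return {
        "serviceValidate": service_validate_view(assertion),
        "saml_chained": saml10_view_chained(assertion),
        "saml_primary": saml10_view_primary(assertion),
        "leak_chained": leaked_attributes(saml10_view_chained(assertion), svc),
        "leak_primary": leaked_attributes(saml10_view_primary(assertion), svc),
    }


if __name__ == "__main__":
    for view, result in run_scenario().items():
        print(f"{view:16} {result}")
```

Running it shows the serviceValidate view and the patched SAML view both releasing only "mail", while the chained-list SAML view releases every attribute the handler loaded; the leak check is what to keep in a regression test once the server is upgraded past the fix tracked in the issue above.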