But now, how do I resolve the problem?
Do I have to recompile cas-server-support-saml? Is there any jar ready to use?
Sorry, but I'm not user-friendly with Java and I have too many CAS clients to 
change the target URL.

Many Thanks.
-----------------------------------------------------------------
Daniel CHARLOT
D.S.I. Université de Nice Sophia-Antipolis
Systems and Network Administrator
28, avenue de Valrose - BP 2135 - 06103 NICE 
Tel: 04-92-07-67-07

On 15 Oct 2014 at 12:11, Misagh Moayyed <mmoay...@unicon.net> wrote:

> I was able to duplicate this. There is a discrepancy between CAS views and 
> SAML views; PrimaryAuthn is used in one but not the other.
>  
> Submitted this issue to track:
> https://github.com/Jasig/cas/issues/722
>  
> For the time being, would you be able to point your CAS client to 
> /p3/serviceValidate and not use SAML? That should get you only the attributes 
> you allowed.
>  
> From: Carlos Olivera [mailto:carlosroliv...@gmail.com] 
> Sent: Tuesday, October 14, 2014 7:45 AM
> To: cas-user@lists.jasig.org
> Cc: cas-user@lists.jasig.org; cas-user@lists.jasig.org; 
> daniel.char...@unice.fr
> Subject: Re: [cas-user] Cas Server 4.0 | Understanding Attribute Release
>  
> Ok, now I have more information about this issue, I know where the problem is 
> located but I don't know why it happens.
>  
> I will enumerate all relevant steps from getting the attributes to SAML 
> creation of attributes (at least how I think it works):
> 1. CentralAuthenticationServiceImpl: createTicketGrantingTicket(final 
>    Credential... credentials) calls 
>    this.authenticationManager.authenticate(credentials)
> 2. authenticateUsernamePasswordInternal: In this method, I get the user from 
>    DB and load all its attributes. I return: createHandlerResult(credential, 
>    new SimplePrincipal(username, atributos), null); "atributos" contains all 
>    the user attributes. So, from now on, Principal will have all the 
>    attributes, in my test "name" and "lastname"
> 3. CentralAuthenticationServiceImpl: createTicketGrantingTicket(final 
>    Credential... credentials) creates the ticket. The ticket has an 
>    Authentication object which contains the Principal created.
> 4. At some point the code hits validateServiceTicket and finishes returning 
>    an ImmutableAssertion with the following attributes:
>    - primary (Authentication), it's an Authentication object with a 
>      modifiedPrincipal. This particular principal has all the attributes I 
>      want because it went through all the necessary filters.
>    - chained (List<Authentication>), this list references 
>      serviceTicket.getGrantingTicket().getChainedAuthentications(), it only 
>      has one item, and the principal contained in that Authentication item 
>      is the first one created with all the attributes.
> 5. At last, the code hits Saml10SuccessResponseView.prepareResponse, the 
>    first line gets an Authentication object from: 
>    final Authentication authentication = 
>    getAssertionFrom(model).getChainedAuthentications().get(0); and from that 
>    Authentication retrieves all the attributes.
> In a simple test, I changed
>  getAssertionFrom(model).getChainedAuthentications().get(0)
> to 
> getAssertionFrom(model).getPrimaryAuthentication()
>  
> and it works, now I'm getting only the attributes that I want in the client.
>  
> I'm sure this isn't a viable solution, because I'm messing with 
> Saml10SuccessResponseView and I shouldn't, but I wanted to know if that was 
> the problem. With all this new information, maybe some of you could tell me 
> what I'm doing wrong and guide me in the right direction.
>  
> Thanks in advance.
> 
> On Monday, 13 October 2014 12:26:34 UTC-2, daniel....@unice.fr wrote:
> Me, yes: SAML 1.1 with a PHP function which does just a getAttribute().
>  
> -----------------------------------------------------------------
> Daniel CHARLOT
> D.S.I. Université de Nice Sophia-Antipolis
> Systems and Network Administrator
> 28, avenue de Valrose - BP 2135 - 06103 NICE 
> Tel: 04-92-07-67-07
>  
> On 13 Oct 2014 at 16:18, Misagh Moayyed <mmoa...@unicon.net> wrote:
> 
> 
> Nothing jumps out at me in your configuration. I’ll run some tests to see if 
> I can duplicate the error and provide an explanation.
>  
> Do I remember correctly that you said you were using SAML 1.1 to get 
> attributes?
>  
> From: Carlos Olivera [mailto:car...@gmail.com] 
> Sent: Monday, October 13, 2014 5:00 AM
> To: cas-...@lists.jasig.org
> Cc: daniel....@unice.fr
> Subject: Re: [cas-user] Cas Server 4.0 | Understanding Attribute Release
>  
> Sorry, the client code to retrieve the attributes is:
>  
>  
> AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
> Map attributes = principal.getAttributes();
>  
> 2014-10-13 9:50 GMT-02:00 Carlos Olivera <carlosr...@gmail.com>:
> I tried to debug the code in order to figure out when the principal was saved 
> with all the attributes. I got the following Assertion (ImmutableAssertion) 
> object created (ServiceValidateController):
>  
> - primaryAuthentication (ImmutableAuthentication): The Principal has an 
>   empty list of attributes, which is what I need according to my 
>   configuration.
> - chainedAuthentications (List<ImmutableAuthentication>): Returns a list 
>   with only one item, but in that case the Principal in the Authentication 
>   object has ALL the attributes of the user.
>  
> Is that the standard behaviour in the login process?
>  
> Something I haven't said yet, to retrieve the attributes from the client I 
> use the following code:
> AttributePrincipal principal = (AttributePrincipal)request.
> Map attributes = principal.getAttributes();
>  
> is that ok??? 
>  
> I don't know if any of that helps, but maybe for an experienced user it could 
> mean something.
> 
> On Monday, 13 October 2014 08:51:15 UTC-2, daniel....@unice.fr wrote:
> Hi,
>  
> Here is my deployerconfig. I have the same problem as Carlos. I don't 
> understand why I have all attributes.
> I have tried both with Attributefilter and allowedattributes but it's the same.
> -- 
> You are currently subscribed to cas-...@lists.jasig.org as: 
> jasig-cas-user...@googlegroups.com
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
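
Added example (not part of the original thread and not CAS project code): a small Python check that lists which attributes a SAML 1.1 validation response actually carries and compares them with the allow-list configured for the service, so the over-release discussed in this thread can be confirmed from the client side. The sample assertion, its attribute values, the example.org namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (Attribute / AttributeValue live here).
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: a trimmed SAML 1.1 assertion for a test user,
# not captured traffic. Both attributes from the thread's test are present.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                MajorVersion="1" MinorVersion="1">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>testuser</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://example.org/cas">
      <saml:AttributeValue>Test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="lastname" AttributeNamespace="http://example.org/cas">
      <saml:AttributeValue>User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def released_attributes(xml_text):
    """Return {attribute name: [values]} for every SAML 1.1 Attribute found."""
    # Only feed this responses from your own CAS server; use a hardened
    # XML parser if the input could come from an untrusted party.
    root = ET.fromstring(xml_text)
    released = {}
    # iter() walks the whole tree, so a full SOAP-wrapped response works too.
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        name = attr.get("AttributeName")
        values = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML1_NS)]
        released.setdefault(name, []).extend(values)
    return released


def over_released(xml_text, allowed):
    """Names present in the response but absent from the service's allow-list."""
    return sorted(set(released_attributes(xml_text)) - set(allowed))


if __name__ == "__main__":
    # Service configured to release nothing: every attribute is reported.
    print(over_released(SAMPLE_ASSERTION, allowed=[]))
```

Run it against a saved response from a test login, with the allow-list taken from the service's registry entry; an empty result means the response carries nothing beyond what was allowed.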

