Re: [cas-user] SAML delegated authentication - Authentication attributes missing in the user profile

2018-11-14 Thread David Oteo
Hello,

Alright! Would it be possible to access authentication attributes in CAS 
during authentication process?

We are using a groovy script to map the final user attributes released in 
the Principal and the authentication attributes are not present in the 
"currentAttributes" 
parameter passed to the script either (guess this is normal).

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://.*",
  "name": "HTTPS",
  "id": 1001,
  "evaluationOrder": 1,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute": "principalId"
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.GroovyScriptAttributeReleasePolicy",
    "groovyScript": "classpath:/cas/config/services/mapearAtributos.groovy"
  }
}

Besides, I observed that the script runs twice per user authenticated. This 
only happens when the username attribute provider is configured to return 
an attribute that is already resolved for the principal as seen above. Not 
a big deal but, is there a way to prevent the script running twice?

Thank you!!

Best regards,
David.

On Tuesday, November 13, 2018 at 16:45:50 (UTC+1), leleuj wrote:
>
> Hi,
>
> You are missing nothing. pac4j authentication attributes are not used to 
> build the CAS principal, only the user attributes.
> Thanks.
> Best regards,
> Jérôme
>
>
>
> On Tue, Nov 13, 2018 at 3:48 PM David Oteo wrote:
>
>> Hi,
>>
>> We configured CAS 5.2.2 to delegate authentication to an external IdP 
>> through SAML. In the SAML response there is an "AuthnContext" tag that does 
>> not appear in the user profile attributes. CAS 5.2.2 seems to use pac4j 
>> v2.2.x and here (https://github.com/pac4j/pac4j/pull/961) I can see that 
>> this functionality was added to pac4j v2.2.
>>
>> I see this in the logs:
>>
>> [13/11/18 15:13:42:484 CET] 0147 SystemOut O 2018-11-13 
>> 15:13:42,339 DEBUG [org.pac4j.saml.profile.SAML2Profile] -  key: 
>> authnContext / value: [urn:safelayer:tws:policies:authentication:flow:cert] 
>> / class java.util.ArrayList>
>>
>> but the attribute is not present in the user profile:
>>
>> [13/11/18 15:13:42:547 CET] 0147 SystemOut O 2018-11-13 
>> 15:13:42,340 DEBUG [org.pac4j.saml.client.SAML2Client] - > #SAML2Profile# | id: CN=CORPREC FICTICIO ACTIVO, O=EMPTY | attributes: 
>> {country=[ES], cif=[Q3890349H], birthdate=[EMPTY], key_usage=[EMPTY], 
>> not_before=[2017-03-16T12:15:29Z], subject=[SERIALNUMBER=9988J, 
>> OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543, 
>> CN=CORPREC FICTICIO ACTIVO, 
>> OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948,
>>  
>> OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, 
>> OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE, 
>> C=ES], tsl=[S], issuer=[CN=CA personal de AAPP vascas (2) - DESARROLLO, 
>> OU=AZZ Ziurtagiri publikoa - Certificado publico SCA, O=IZENPE S.A., C=ES], 
>> notBefore=2018-11-13T14:13:41.480Z, surname1=[FICTICIO], surname2=[ACTIVO], 
>> dni=[9988J], email=EMPTY, tipoAfirma=[0], firmaCualificada=[S], 
>> naturalPersonSemanticsIdentifier=[IDCES-9988J], 
>> legalPersonSemanticsIdentifier=[VATES-Q3890349H], serial_number=[C6o=], 
>> preferencia_otp=[sms], given_name=[CORPREC], pais=[ES], 
>> not_after=[2021-03-16T12:15:29Z], register_type=[1], 
>> policy_identifier=[1.3.6.1.4.1.14777.104.2], person_status=[PF], 
>> organization=[EMPTY], domain=[izenpe], name=[CORPREC FICTICIO ACTIVO], 
>> notOnOrAfter=2018-11-13T14:18:41.480Z, family_name=FICTICIO ACTIVO} | 
>> roles: [] | permissions: [] | isRemembered: false | clientName: null | 
>> linkedId: null |>
>>
>> What am I missing here?
>>
>> Thank you very much once again!!
>>
>> Best regards,
>> David.
>>

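As an added example (not the mapearAtributos.groovy from the post above), this is what a release script of the kind referenced by the service definition could look like. It assumes the CAS 5.2 calling convention for GroovyScriptAttributeReleasePolicy (a `run(Object... args)` method receiving the current principal attributes, the logger, the principal and the registered service as args[0] to args[3]) and reuses attribute names from the SAML2Profile dump quoted in the thread; the choice of `dni` as the source of `principalId` is an assumption.

```groovy
import java.util.*

// Added example script; CAS 5.2 passes args[0] = current principal attributes,
// args[1] = logger, args[2] = principal, args[3] = registered service (assumed).
def Map<String, List<Object>> run(final Object... args) {
    def currentAttributes = args[0]
    def logger = args[1]

    // First value of a possibly multi-valued attribute (pac4j releases lists), or null.
    def first = { String name ->
        def v = currentAttributes[name]
        (v instanceof Collection) ? (v.isEmpty() ? null : v[0]) : v
    }

    // Refuse to release anything rather than build a principal without a stable id.
    def dni = first('dni')
    if (!dni || dni == 'EMPTY') {
        logger.warn("No usable 'dni' attribute among {}", currentAttributes.keySet())
        return [:]
    }

    // Map the IdP attribute names to what services expect; drop missing or
    // "EMPTY" placeholder values so they are never released as real data.
    def released = [
        principalId: [dni],   // consumed by PrincipalAttributeRegisteredServiceUsernameProvider
        givenName:   [first('given_name')],
        sn:          [first('family_name') ?: [first('surname1'), first('surname2')].findAll { it }.join(' ')],
        mail:        [first('email')],
    ].findAll { k, v -> v[0] && v[0] != 'EMPTY' }

    // The SAML AuthnContext is an authentication attribute, not a user attribute,
    // so it is not in currentAttributes and cannot be released from here.
    logger.debug("Releasing {} built from {}", released.keySet(), currentAttributes.keySet())
    return released
}
```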
[cas-user] SAML delegated authentication - Authentication attributes missing in the user profile

2018-11-13 Thread David Oteo
Hi,

We configured CAS 5.2.2 to delegate authentication to an external IdP 
through SAML. In the SAML response there is an "AuthnContext" tag that does 
not appear in the user profile attributes. CAS 5.2.2 seems to use pac4j 
v2.2.x and here (https://github.com/pac4j/pac4j/pull/961) I can see that 
this functionality was added to pac4j v2.2.

I see this in the logs:

[13/11/18 15:13:42:484 CET] 0147 SystemOut O 2018-11-13 
15:13:42,339 DEBUG [org.pac4j.saml.profile.SAML2Profile] -  key: 
authnContext / value: [urn:safelayer:tws:policies:authentication:flow:cert] 
/ class java.util.ArrayList>

but the attribute is not present in the user profile:

[13/11/18 15:13:42:547 CET] 0147 SystemOut O 2018-11-13 
15:13:42,340 DEBUG [org.pac4j.saml.client.SAML2Client] - 

What am I missing here?

Thank you very much once again!!

Best regards,
David.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b40c3d58-1281-43e8-917b-8e76ca204241%40apereo.org.


Re: [cas-user] OAuth delegated authentication - Profile id null

2018-11-08 Thread David Oteo
Hi,

Thank you for the quick response. We will try with version 5.3.x.

By the way, in our case the access token has to be sent as a header. We see that 
pac4j v2.x already allows choosing this option:

    @Override
    protected void signRequest(final OAuth2AccessToken accessToken, final OAuthRequest request) {
        this.configuration.getService().signRequest(accessToken, request);
        if (this.configuration.isTokenAsHeader()) {
            // send the token as "Authorization: Bearer <token>" instead of a query parameter
            request.addHeader(HttpConstants.AUTHORIZATION_HEADER,
                HttpConstants.BEARER_HEADER_PREFIX + accessToken.getAccessToken());
        }
        if (Verb.POST.equals(request.getVerb())) {
            request.addParameter(OAuthConfiguration.OAUTH_TOKEN, accessToken.getAccessToken());
        }
    }

Is it possible to configure this in the CAS properties or elsewhere? Right 
now we are modifying the code too :-(

Regards,
David.

On Thursday, November 8, 2018 at 15:09:24 (UTC+1), leleuj wrote:
>
> Hi,
>
> Since pac4j v3.2, you can set the element to use as the identifier: 
> http://www.pac4j.org/docs/release-notes.html
>
> Unfortunately, CAS v5.2.2 is still based on pac4j v2.x. So the right 
> version to use would be the version 5.3.x, given the fact the profileId 
> could be set by properties (it's an easy improvement though).
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu, Nov 8, 2018 at 2:18 PM David Oteo wrote:
>
>> Hello,
>>
>> We successfully configured CAS 5.2.2 to delegate authentication to an 
>> external provider through generic OAuth2 properties:
>>
>> #(Optional) Friendly name for OAuth 2 provider, e.g. "This Organization" 
>> or "That Organization"
>> cas.authn.pac4j.oauth2[0].clientName=Giltza Oauth 2
>> cas.authn.pac4j.oauth2[0].id=xxx
>> cas.authn.pac4j.oauth2[0].secret=xxx
>> cas.authn.pac4j.oauth2[0].authUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth
>> cas.authn.pac4j.oauth2[0].tokenUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth/token
>> cas.authn.pac4j.oauth2[0].profileUrl=https://eidasdes.izenpe.com:8082/trustedx-resources/openid/v1/users/me
>> cas.authn.pac4j.oauth2[0].profileVerb=GET
>> #cas.authn.pac4j.oauth2[0].profilePath=
>>
>> cas.authn.pac4j.oauth2[0].customParams.client_id=xxx
>> cas.authn.pac4j.oauth2[0].customParams.response_type=code
>> cas.authn.pac4j.oauth2[0].customParams.state=123456
>>
>> cas.authn.pac4j.oauth2[0].customParams.acr_values=urn:safelayer:tws:policies:authentication:flow:bakq|urn:safelayer:tws:policies:authentication:flow:cert
>> cas.authn.pac4j.oauth2[0].customParams.scope=urn:izenpe:identity:global
>>
>> cas.authn.pac4j.oauth2[0].profileAttrs.name=name
>> cas.authn.pac4j.oauth2[0].profileAttrs.surname1=surname1
>> cas.authn.pac4j.oauth2[0].profileAttrs.surname2=surname2
>> ...
>>
>> If we don't do anything else, the following error occurs:
>>
>> [8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08 
>> 13:28:57,611 DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] - 
>> > {sub=978fa4ff4ea06ca1d39f35eb728b5a7e, cif=Q3890349H, country=ES, 
>> birthdate=EMPTY, key_usage=EMPTY, subject=SERIALNUMBER=9988J, 
>> OID.2.5.4.4=#0C08464943544943494F, OID.2.5.4.42=#0C07434F5250524543, 
>> CN=CORPREC FICTICIO ACTIVO, 
>> OID.2.5.4.46=#131D2D646E692039393939393938384A202D63696620513338393033343948,
>>  
>> OU=Condiciones de uso en www.izenpe.com nola erabili jakiteko, 
>> OU=Ziurtagiri korporatibo onartua - Cert. corporativo reconocido, O=IZENPE, 
>> C=ES, not_before=2017-03-16T12:15:29Z, tsl=S, issuer=CN=CA personal de AAPP 
>> vascas (2) - DESARROLLO, OU=AZZ Ziurtagiri publikoa - Certificado publico 
>> SCA, O=IZENPE S.A., C=ES, 
>> acr=urn:safelayer:tws:policies:authentication:flow:cert, surname1=FICTICIO, 
>> surname2=ACTIVO, email=EMPTY, dni=9988J, tipoAfirma=0, 
>> firmaCualificada=S, naturalPersonSemanticsIdentifier=IDCES-9988J, 
>> legalPersonSemanticsIdentifier=VATES-Q3890349H, serial_number=C6o=, 
>> given_name=CORPREC, pais=ES, not_after=2021-03-16T12:15:29Z, 
>> access_token=fc6ccaad705c4363cce28d89b7a3fd45897400c6134afd3c18d2d7a8bc8261a2,
>>  
>> register_type=1, policy_identifier=1.3.6.1.4.1.14777.104.2, 
>> person_status=PF, domain=izenpe, organization=EMPTY, name=CORPREC FICTICIO 
>> ACTIVO, family_name=FICTICIO ACTIVO} | roles: [] | permissions: [] | 
>> isRemembered: false | clientName: null | linkedId: null |>
>> [8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08 
>> 13:28:57,611 ERROR 
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationMan

[cas-user] OAuth delegated authentication - Profile id null

2018-11-08 Thread David Oteo
Hello,

We successfully configured CAS 5.2.2 to delegate authentication to an 
external provider through generic OAuth2 properties:

#(Optional) Friendly name for OAuth 2 provider, e.g. "This Organization" or 
"That Organization"
cas.authn.pac4j.oauth2[0].clientName=Giltza Oauth 2
cas.authn.pac4j.oauth2[0].id=xxx
cas.authn.pac4j.oauth2[0].secret=xxx
cas.authn.pac4j.oauth2[0].authUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth
cas.authn.pac4j.oauth2[0].tokenUrl=https://eidasdes.izenpe.com:8082/trustedx-authserver/izenpe/oauth/token
cas.authn.pac4j.oauth2[0].profileUrl=https://eidasdes.izenpe.com:8082/trustedx-resources/openid/v1/users/me
cas.authn.pac4j.oauth2[0].profileVerb=GET
#cas.authn.pac4j.oauth2[0].profilePath=

cas.authn.pac4j.oauth2[0].customParams.client_id=xxx
cas.authn.pac4j.oauth2[0].customParams.response_type=code
cas.authn.pac4j.oauth2[0].customParams.state=123456
cas.authn.pac4j.oauth2[0].customParams.acr_values=urn:safelayer:tws:policies:authentication:flow:bakq|urn:safelayer:tws:policies:authentication:flow:cert
cas.authn.pac4j.oauth2[0].customParams.scope=urn:izenpe:identity:global

cas.authn.pac4j.oauth2[0].profileAttrs.name=name
cas.authn.pac4j.oauth2[0].profileAttrs.surname1=surname1
cas.authn.pac4j.oauth2[0].profileAttrs.surname2=surname2
...

If we don't do anything else, the following error occurs:

[8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08 13:28:57,611 
DEBUG [org.pac4j.oauth.client.GenericOAuth20Client] - 
[8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08 13:28:57,611 
ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
]] 
of type [ClientCredential].>
[8/11/18 13:28:57:621 CET] 00d3 SystemOut O 2018-11-08 13:28:57,616 
INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
]]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Nov 08 13:28:57 CET 2018
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=
[8/11/18 13:28:57:629 CET] 00d3 SystemOut O 2018-11-08 13:28:57,628 
ERROR [com.ibm.ws.webcontainer.servlet.ServletWrapper] - 

        // Attribute-mapping loop of pac4j's generic OAuth 2 profile definition as
        // posted; the loop header was lost in the archive and is restored here from
        // the String key/value it iterates over.
        for (final Map.Entry<String, String> entry : getProfileAttributes().entrySet()) {
            final String key = entry.getKey();
            final String value = entry.getValue();
            convertAndAdd(profile, key, JsonHelper.getElement(json, value));
        }

    }
    return profile;
}

We think this is very ugly. Is there any other way to solve this problem 
without modifying the pac4j source code?

Thank you so much!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/04383633-87ab-46ec-abda-70daee84928c%40apereo.org.