[cas-user] Re: SAMLReponse Add new Attributes
Issue was resolved , mentioned settings are enough so that it will work
пятница, 7 июня 2019 г., 14:41:59 UTC+3 пользователь Andrey Seledkov
написал:
>
> It start to work, when I ran it without Docker, locally
>
> These attributes enough to retrieve data in SAMLReponse
>
> #cas.authn.attributeRepository.jdbc[0].singleRow=true
> #cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
> #
> #cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
> #cas.authn.attributeRepository.jdbc[0].username=USERNAME
> #cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
> #cas.authn.attributeRepository.jdbc[0].user=
> #cas.authn.attributeRepository.jdbc[0].password=
> #cas.authn.attributeRepository.jdbc[0].url=
> #cas.authn.attributeRepository.defaultAttributesToRelease=firstName,lastName
> #
> #cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
> #cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
>
>
> But when I ran it over Docker - nothing
>
> четверг, 6 июня 2019 г., 16:48:36 UTC+3 пользователь Matthew Uribe написал:
>>
>> Same as Andy, I have CAS 5 working as SAML IdP. But I assume there are
>> others here doing so with CAS 6. In any case, I noticed in your log that
>> your issuer is "localhost:8443/cas/idp". Do you have your cas.server.name
>> and related properties set? It looks like it's creating the SAML response,
>> but then it can't find the service ticket, which could explain why your SP
>> is not getting anywhere.
>>
>> "name and prefix are always required settings"
>> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#cas-server
>>
>>
>> On Thursday, June 6, 2019 at 5:37:17 AM UTC-6, Andrey Seledkov wrote:
>>>
>>> In docs
>>>
>>> In order to allow CAS to support and respond to attribute queries, you
>>> need to make sure the generated metadata has the
>>> AttributeAuthorityDescriptor element enabled
>>>
>>> I noticed that when i put
>>>
>>> cas.authn.samlIdp.attributeQueryProfileEnabled=true
>>>
>>>
>>> in idp-metadata.xml tag AttributeAuthorityDescriptor commented and it
>>> is ignoring my flag
>>>
>>> четверг, 6 июня 2019 г., 4:19:39 UTC+3 пользователь Andy Ng написал:
Hi Andrey,
I do know for a fact that my CAS 5.3.x is running with SAML as idp and
connecting to other SAML sp just fine (multiple SAML client, including
SimpleSAMLPHP), no need modify the generated idp-metadata.xmp for me.
So... Maybe if you still can't successfully connect to SAML, it could
be the following:
- Maybe CAS 6 have bug
- Maybe keycloak doesn't actually return the attribute to you (highly
doubt it)
- Maybe your config is wrong (which is unlikely, from what you provide
it seems the config is ok)
So, maybe try using CAS 5.3.x and see if that work? CAS 5 to 6 have a
big jump, so it is possible that there is some obscure bug that discovered
first by you.
- Andy
>>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3bc44a62-5dbc-4b81-be57-cc29b162e064%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
It start to work, when I ran it without Docker, locally
These attributes enough to retrieve data in SAMLReponse
#cas.authn.attributeRepository.jdbc[0].singleRow=true
#cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
#
#cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
#cas.authn.attributeRepository.jdbc[0].username=USERNAME
#cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
#cas.authn.attributeRepository.jdbc[0].user=
#cas.authn.attributeRepository.jdbc[0].password=
#cas.authn.attributeRepository.jdbc[0].url=
#cas.authn.attributeRepository.defaultAttributesToRelease=firstName,lastName
#
#cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
#cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
But when I ran it over Docker - nothing
четверг, 6 июня 2019 г., 16:48:36 UTC+3 пользователь Matthew Uribe написал:
>
> Same as Andy, I have CAS 5 working as SAML IdP. But I assume there are
> others here doing so with CAS 6. In any case, I noticed in your log that
> your issuer is "localhost:8443/cas/idp". Do you have your cas.server.name
> and related properties set? It looks like it's creating the SAML response,
> but then it can't find the service ticket, which could explain why your SP
> is not getting anywhere.
>
> "name and prefix are always required settings"
> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#cas-server
>
>
> On Thursday, June 6, 2019 at 5:37:17 AM UTC-6, Andrey Seledkov wrote:
>>
>> In docs
>>
>> In order to allow CAS to support and respond to attribute queries, you
>> need to make sure the generated metadata has the
>> AttributeAuthorityDescriptor element enabled
>>
>> I noticed that when i put
>>
>> cas.authn.samlIdp.attributeQueryProfileEnabled=true
>>
>>
>> in idp-metadata.xml tag AttributeAuthorityDescriptor commented and it is
>> ignoring my flag
>>
>> четверг, 6 июня 2019 г., 4:19:39 UTC+3 пользователь Andy Ng написал:
>>>
>>> Hi Andrey,
>>>
>>> I do know for a fact that my CAS 5.3.x is running with SAML as idp and
>>> connecting to other SAML sp just fine (multiple SAML client, including
>>> SimpleSAMLPHP), no need modify the generated idp-metadata.xmp for me.
>>>
>>> So... Maybe if you still can't successfully connect to SAML, it could be
>>> the following:
>>> - Maybe CAS 6 have bug
>>> - Maybe keycloak doesn't actually return the attribute to you (highly
>>> doubt it)
>>> - Maybe your config is wrong (which is unlikely, from what you provide
>>> it seems the config is ok)
>>>
>>> So, maybe try using CAS 5.3.x and see if that work? CAS 5 to 6 have a
>>> big jump, so it is possible that there is some obscure bug that discovered
>>> first by you.
>>>
>>> - Andy
>>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1f2a77f9-f7ab-431d-a94e-cc0d88dcac31%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
It start to work, when I ran it without Docker, locally
These attributes enough to retrieve data in SAMLReponse
#cas.authn.attributeRepository.jdbc[0].singleRow=true
#cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
#
#cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
#cas.authn.attributeRepository.jdbc[0].username=USERNAME
#cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
#cas.authn.attributeRepository.jdbc[0].user=overlord
#cas.authn.attributeRepository.jdbc[0].password=n3fuF3xu
#cas.authn.attributeRepository.jdbc[0].url=
#cas.authn.attributeRepository.defaultAttributesToRelease=firstName,lastName
#
#cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
#cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
But when I ran it over Docker - nothing
четверг, 6 июня 2019 г., 16:48:36 UTC+3 пользователь Matthew Uribe написал:
>
> Same as Andy, I have CAS 5 working as SAML IdP. But I assume there are
> others here doing so with CAS 6. In any case, I noticed in your log that
> your issuer is "localhost:8443/cas/idp". Do you have your cas.server.name
> and related properties set? It looks like it's creating the SAML response,
> but then it can't find the service ticket, which could explain why your SP
> is not getting anywhere.
>
> "name and prefix are always required settings"
> https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#cas-server
>
>
> On Thursday, June 6, 2019 at 5:37:17 AM UTC-6, Andrey Seledkov wrote:
>>
>> In docs
>>
>> In order to allow CAS to support and respond to attribute queries, you
>> need to make sure the generated metadata has the
>> AttributeAuthorityDescriptor element enabled
>>
>> I noticed that when i put
>>
>> cas.authn.samlIdp.attributeQueryProfileEnabled=true
>>
>>
>> in idp-metadata.xml tag AttributeAuthorityDescriptor commented and it is
>> ignoring my flag
>>
>> четверг, 6 июня 2019 г., 4:19:39 UTC+3 пользователь Andy Ng написал:
>>>
>>> Hi Andrey,
>>>
>>> I do know for a fact that my CAS 5.3.x is running with SAML as idp and
>>> connecting to other SAML sp just fine (multiple SAML client, including
>>> SimpleSAMLPHP), no need modify the generated idp-metadata.xmp for me.
>>>
>>> So... Maybe if you still can't successfully connect to SAML, it could be
>>> the following:
>>> - Maybe CAS 6 have bug
>>> - Maybe keycloak doesn't actually return the attribute to you (highly
>>> doubt it)
>>> - Maybe your config is wrong (which is unlikely, from what you provide
>>> it seems the config is ok)
>>>
>>> So, maybe try using CAS 5.3.x and see if that work? CAS 5 to 6 have a
>>> big jump, so it is possible that there is some obscure bug that discovered
>>> first by you.
>>>
>>> - Andy
>>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7d408045-39b1-403e-8723-e3bdf87bfdf6%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
Same as Andy, I have CAS 5 working as SAML IdP. But I assume there are others here doing so with CAS 6. In any case, I noticed in your log that your issuer is "localhost:8443/cas/idp". Do you have your cas.server.name and related properties set? It looks like it's creating the SAML response, but then it can't find the service ticket, which could explain why your SP is not getting anywhere. "name and prefix are always required settings" https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties.html#cas-server On Thursday, June 6, 2019 at 5:37:17 AM UTC-6, Andrey Seledkov wrote: > > In docs > > In order to allow CAS to support and respond to attribute queries, you > need to make sure the generated metadata has the > AttributeAuthorityDescriptor element enabled > > I noticed that when i put > > cas.authn.samlIdp.attributeQueryProfileEnabled=true > > > in idp-metadata.xml tag AttributeAuthorityDescriptor commented and it is > ignoring my flag > > четверг, 6 июня 2019 г., 4:19:39 UTC+3 пользователь Andy Ng написал: >> >> Hi Andrey, >> >> I do know for a fact that my CAS 5.3.x is running with SAML as idp and >> connecting to other SAML sp just fine (multiple SAML client, including >> SimpleSAMLPHP), no need modify the generated idp-metadata.xmp for me. >> >> So... Maybe if you still can't successfully connect to SAML, it could be >> the following: >> - Maybe CAS 6 have bug >> - Maybe keycloak doesn't actually return the attribute to you (highly >> doubt it) >> - Maybe your config is wrong (which is unlikely, from what you provide it >> seems the config is ok) >> >> So, maybe try using CAS 5.3.x and see if that work? CAS 5 to 6 have a big >> jump, so it is possible that there is some obscure bug that discovered >> first by you. >> >> - Andy >> > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8ee93db6-3952-46be-bc33-c142316042ca%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
In docs In order to allow CAS to support and respond to attribute queries, you need to make sure the generated metadata has the AttributeAuthorityDescriptor element enabled I noticed that when i put cas.authn.samlIdp.attributeQueryProfileEnabled=true in idp-metadata.xml tag AttributeAuthorityDescriptor commented and it is ignoring my flag четверг, 6 июня 2019 г., 4:19:39 UTC+3 пользователь Andy Ng написал: > > Hi Andrey, > > I do know for a fact that my CAS 5.3.x is running with SAML as idp and > connecting to other SAML sp just fine (multiple SAML client, including > SimpleSAMLPHP), no need modify the generated idp-metadata.xmp for me. > > So... Maybe if you still can't successfully connect to SAML, it could be > the following: > - Maybe CAS 6 have bug > - Maybe keycloak doesn't actually return the attribute to you (highly > doubt it) > - Maybe your config is wrong (which is unlikely, from what you provide it > seems the config is ok) > > So, maybe try using CAS 5.3.x and see if that work? CAS 5 to 6 have a big > jump, so it is possible that there is some obscure bug that discovered > first by you. > > - Andy > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/edc84853-7aed-4220-a78a-bec1a743fc45%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
Hi Andrey, I do know for a fact that my CAS 5.3.x is running with SAML as idp and connecting to other SAML sp just fine (multiple SAML client, including SimpleSAMLPHP), no need modify the generated idp-metadata.xmp for me. So... Maybe if you still can't successfully connect to SAML, it could be the following: - Maybe CAS 6 have bug - Maybe keycloak doesn't actually return the attribute to you (highly doubt it) - Maybe your config is wrong (which is unlikely, from what you provide it seems the config is ok) So, maybe try using CAS 5.3.x and see if that work? CAS 5 to 6 have a big jump, so it is possible that there is some obscure bug that discovered first by you. - Andy -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/01d42a53-9112-44dc-9b47-9c53a1ca4271%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
The same with https среда, 5 июня 2019 г., 14:53:40 UTC+3 пользователь Andy Ng написал: > > From your log, seems like you are using http, is that true? If yes, try > changing to https, CAS doesn't work well with http. -Andy -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/23e12fd4-03e7-4f73-8aa8-2b26a7be02c6%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
>From your log, seems like you are using http, is that true? If yes, try >changing to https, CAS doesn't work well with http. -Andy -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7232af48-f631-4442-88e1-5514690a4402%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
It is my first,
Keycloak provide me
http://schemas.xmlsoap.org/ws/2003/07/secext";>
http://bla-bla/broker/saml/endpoint"/>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
http://bla-bla/broker/saml/endpoint";
index="1" isDefault="true" />
what I noticed , I caught exception
WHO: fberdugo
WHAT:
[issuer=http://localhost:8443/cas/idp,destination=http://bla-bla/broker/saml/endpoint]
ACTION: SAML2_RESPONSE_CREATED
APPLICATION: CAS
WHEN: Wed Jun 05 10:06:03 UTC 2019
CLIENT IP ADDRESS: 192.168.1.3
SERVER IP ADDRESS: 172.21.82.63
=
>
2019-06-05 10:06:03,986 INFO
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController]
-
2019-06-05 10:06:04,417 INFO
[org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController]
-
2019-06-05 10:06:04,472 WARN
[org.apereo.cas.DefaultCentralAuthenticationService] -
2019-06-05 10:06:04,475 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2019-06-05 10:06:04,504 ERROR
[org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]]
-
org.jasig.cas.client.validation.TicketValidationException: Ticket
'ST-1-93FkJllO7deg1GefbwSXjeNeQ7w6e26c3311c11' not recognized
at
org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84)
~[cas-client-core-3.5.1.jar!/:3.5.1]
at
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:198)
~[cas-client-core-3.5.1.jar!/:3.5.1]
at
org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.validateRequestAndBuildCasAssertion(SSOSamlProfileCallbackHandlerController.java:132)
~[cas-server-support-saml-idp-web-6.0.3-SNAPSHOT.jar!/:6.0.3-SNAPSHOT]
at
org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController.handleCallbackProfileRequest(SSOSamlProfileCallbackHandlerController.java:119)
~[cas-server-support-saml-idp-web-6.0.3-SNAPSHOT.jar!/:6.0.3-SNAPSHOT]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[?:?]
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:?]
And do I need to do somehting with idp-metadata.xml , which was generated
automatically by CAS?
вторник, 4 июня 2019 г., 20:12:16 UTC+3 пользователь Matthew Uribe написал:
>
> Do you have any other SPs working with this CAS instance, or is this your
> first?
>
>
> On Tuesday, June 4, 2019 at 3:33:55 AM UTC-6, Andrey Seledkov wrote:
>>
>> Nothing helps
>>
>> my property file has next properties
>>
>> cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
>> cas.authn.samlIdp.scope=${SERVER_NAME}
>> cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
>> cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
>> cas.authn.samlIdp.attributeQueryProfileEnabled=true
>>
>>
>>
>>
>> вторник, 4 июня 2019 г., 4:20:53 UTC+3 пользователь Andy Ng написал:
>>>
>>> Hi Andrey,
>>>
>>> Can you try ReturnAllAttributeReleasePolicy, see if is the policy that
>>> have problem, or is the release of attribute not correct.
>>>
>>> https://apereo.github.io/cas/6.0.x/integration/Attribute-Release-Policies.html#return-all
>>>
>>>
>>>
>>> Cheers!
>>> - Andy
>>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea5a957e-93cb-43ce-ba54-66037a9324cb%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
Do you have any other SPs working with this CAS instance, or is this your
first?
On Tuesday, June 4, 2019 at 3:33:55 AM UTC-6, Andrey Seledkov wrote:
>
> Nothing helps
>
> my property file has next properties
>
> cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
> cas.authn.samlIdp.scope=${SERVER_NAME}
> cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
> cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
> cas.authn.samlIdp.attributeQueryProfileEnabled=true
>
>
>
>
> вторник, 4 июня 2019 г., 4:20:53 UTC+3 пользователь Andy Ng написал:
>>
>> Hi Andrey,
>>
>> Can you try ReturnAllAttributeReleasePolicy, see if is the policy that
>> have problem, or is the release of attribute not correct.
>>
>> https://apereo.github.io/cas/6.0.x/integration/Attribute-Release-Policies.html#return-all
>>
>>
>>
>> Cheers!
>> - Andy
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe33c87d-d2da-481e-94b7-f63b63876d49%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
Nothing helps
my property file has next properties
cas.authn.samlIdp.entityId=${cas.server.prefix}/idp
cas.authn.samlIdp.scope=${SERVER_NAME}
cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
cas.authn.samlIdp.attributeQueryProfileEnabled=true
вторник, 4 июня 2019 г., 4:20:53 UTC+3 пользователь Andy Ng написал:
>
> Hi Andrey,
>
> Can you try ReturnAllAttributeReleasePolicy, see if is the policy that
> have problem, or is the release of attribute not correct.
>
> https://apereo.github.io/cas/6.0.x/integration/Attribute-Release-Policies.html#return-all
>
>
>
> Cheers!
> - Andy
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b8c549f6-ec35-4b5b-ab66-258cb3dffd6b%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
Hi Andrey, Can you try ReturnAllAttributeReleasePolicy, see if is the policy that have problem, or is the release of attribute not correct. https://apereo.github.io/cas/6.0.x/integration/Attribute-Release-Policies.html#return-all Cheers! - Andy -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7422086d-1415-438a-9047-6c75eccad117%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
I haven't tried CAS 6 yet, but according to the documentation, at least for
the attribute release, it's pretty much the same as the version I'm using.
Since you are using the "Return Allowed" policy, your json (attribute
portion) might need to look more like this:
"attributeReleasePolicy" : {
"@class" :
"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "firstName",
"lastName" ] ]
}
Otherwise try the Mapped Attribute release policy, so that you may send the
attributes to the SP using the naming in the OASIS Standard, which would
look like this:
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"firstName" : "urn:oid:2.5.4.42",
"lastName" : "urn:oid:2.5.4.4"
}
}
https://apereo.github.io/cas/6.0.x/integration/Attribute-Release-Policies.html
On Monday, June 3, 2019 at 12:03:27 PM UTC-6, Andrey Seledkov wrote:
>
> Cas version is 6
>
>
> Nothing changed , i got SamlResponse without new attributes
>
> Maybe i miss something
>
>
> понедельник, 3 июня 2019 г., 18:39:20 UTC+3 пользователь Matthew Uribe
> написал:
>>
>> Andrey,
>>
>> cn and mail are attributes from my LDAP that are being released to the
>> SP. Based on the Internet2 attribute release policy, firstName (givenName)
>> is urn:oid:2.5.4.42, while lastName (sn) is urn:oid:2.5.4.4
>> https://www.internet2.edu/help/attribute-release-policy/
>>
>> If your SP is looking for specific attributes, they may need to be mapped
>> according to this Internet2 standard.
>>
>> Hopefully that helps.
>>
>> On Monday, June 3, 2019 at 8:37:39 AM UTC-6, Andrey Seledkov wrote:
>>>
>>> I will try , but what is 'cn' and 'mail' here?
>>>
>>> For my task I need to put in SamlResponse fisrtName and lastName which I
>>> retrieved from database
>>>
>>> понедельник, 3 июня 2019 г., 17:00:20 UTC+3 пользователь Matthew Uribe
>>> написал:
Andrey,
I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I
have the following json for one of our SPs:
{
"@class" :
"org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "service-id-here",
"name" : "name-here",
"id" : 1001,
"metadataLocation" : "https://service.address/SAML/Metadata";,
"attributeReleasePolicy" : {
"@class" :
"org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"cn" : "urn:oid:2.5.4.3",
"mail" : "urn:oid:0.9.2342.19200300.100.1.3"
}
},
"evaluationOrder" : 25
}
Have you tried using the Attribute Resolution & Release feature in the
CAS Dashboard to see what is being released by CAS?
Matt
On Monday, June 3, 2019 at 5:53:36 AM UTC-6, Andrey Seledkov wrote:
>
> Hi team.
>
> When I worked with with SAML between CAS as IDp and Keycloak as SP , i
> cannot add addition attribute like firstName, lastName
>
> my cas seetings
>
> cas.authn.attributeRepository.jdbc[0].singleRow=true
> cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
>
> cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE
> {0}
> cas.authn.attributeRepository.jdbc[0].username=USERNAME
>
> cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
> cas.authn.attributeRepository.jdbc[0].user=${DB_USERNAME}
> cas.authn.attributeRepository.jdbc[0].password=${DB_PASSWORD}
> cas.authn.attributeRepository.jdbc[0].url=${DB_URL}
>
> cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
> cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
>
> my json file
>
> {
> "@class":
> "org.apereo.cas.support.saml.services.SamlRegisteredService",
> "serviceId": "service-id-here",
> "name": "name-here",
> "id": 1010,
> "evaluationOrder": 1,
> "metadataLocation": "file:/etc/cas/saml/saml.xml",
> "attributeReleasePolicy": {
> "@class":
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
> "allowedAttributes": [
> "firstName",
> "lastName"
> ]
> }
> }
>
>
> But when i redirect to Keycloak I dont see any additional attributes
> in SAMLReponse, could you please assist
>
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
[cas-user] Re: SAMLReponse Add new Attributes
Cas version is 6
Nothing changed , i got SamlResponse without new attributes
Maybe i miss something
понедельник, 3 июня 2019 г., 18:39:20 UTC+3 пользователь Matthew Uribe
написал:
>
> Andrey,
>
> cn and mail are attributes from my LDAP that are being released to the SP.
> Based on the Internet2 attribute release policy, firstName (givenName)
> is urn:oid:2.5.4.42, while lastName (sn) is urn:oid:2.5.4.4
> https://www.internet2.edu/help/attribute-release-policy/
>
> If your SP is looking for specific attributes, they may need to be mapped
> according to this Internet2 standard.
>
> Hopefully that helps.
>
> On Monday, June 3, 2019 at 8:37:39 AM UTC-6, Andrey Seledkov wrote:
>>
>> I will try , but what is 'cn' and 'mail' here?
>>
>> For my task I need to put in SamlResponse fisrtName and lastName which I
>> retrieved from database
>>
>> понедельник, 3 июня 2019 г., 17:00:20 UTC+3 пользователь Matthew Uribe
>> написал:
>>>
>>> Andrey,
>>>
>>> I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I
>>> have the following json for one of our SPs:
>>>
>>> {
>>> "@class" :
>>> "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>> "serviceId" : "service-id-here",
>>> "name" : "name-here",
>>> "id" : 1001,
>>> "metadataLocation" : "https://service.address/SAML/Metadata";,
>>> "attributeReleasePolicy" : {
>>> "@class" :
>>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>> "allowedAttributes" : {
>>> "@class" : "java.util.TreeMap",
>>> "cn" : "urn:oid:2.5.4.3",
>>> "mail" : "urn:oid:0.9.2342.19200300.100.1.3"
>>> }
>>> },
>>> "evaluationOrder" : 25
>>> }
>>>
>>>
>>> Have you tried using the Attribute Resolution & Release feature in the
>>> CAS Dashboard to see what is being released by CAS?
>>>
>>> Matt
>>>
>>>
>>> On Monday, June 3, 2019 at 5:53:36 AM UTC-6, Andrey Seledkov wrote:
Hi team.
When I worked with with SAML between CAS as IDp and Keycloak as SP , i
cannot add addition attribute like firstName, lastName
my cas seetings
cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
cas.authn.attributeRepository.jdbc[0].username=USERNAME
cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
cas.authn.attributeRepository.jdbc[0].user=${DB_USERNAME}
cas.authn.attributeRepository.jdbc[0].password=${DB_PASSWORD}
cas.authn.attributeRepository.jdbc[0].url=${DB_URL}
cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
my json file
{
"@class":
"org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId": "service-id-here",
"name": "name-here",
"id": 1010,
"evaluationOrder": 1,
"metadataLocation": "file:/etc/cas/saml/saml.xml",
"attributeReleasePolicy": {
"@class":
"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes": [
"firstName",
"lastName"
]
}
}
But when i redirect to Keycloak I dont see any additional attributes
in SAMLReponse, could you please assist
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/48af023f-c83a-429e-9348-fd2a00387ae5%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
Andrey,
cn and mail are attributes from my LDAP that are being released to the SP.
Based on the Internet2 attribute release policy, firstName (givenName)
is urn:oid:2.5.4.42, while lastName (sn) is urn:oid:2.5.4.4
https://www.internet2.edu/help/attribute-release-policy/
If your SP is looking for specific attributes, they may need to be mapped
according to this Internet2 standard.
Hopefully that helps.
On Monday, June 3, 2019 at 8:37:39 AM UTC-6, Andrey Seledkov wrote:
>
> I will try , but what is 'cn' and 'mail' here?
>
> For my task I need to put in SamlResponse fisrtName and lastName which I
> retrieved from database
>
> понедельник, 3 июня 2019 г., 17:00:20 UTC+3 пользователь Matthew Uribe
> написал:
>>
>> Andrey,
>>
>> I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I
>> have the following json for one of our SPs:
>>
>> {
>> "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>> "serviceId" : "service-id-here",
>> "name" : "name-here",
>> "id" : 1001,
>> "metadataLocation" : "https://service.address/SAML/Metadata";,
>> "attributeReleasePolicy" : {
>> "@class" :
>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>> "allowedAttributes" : {
>> "@class" : "java.util.TreeMap",
>> "cn" : "urn:oid:2.5.4.3",
>> "mail" : "urn:oid:0.9.2342.19200300.100.1.3"
>> }
>> },
>> "evaluationOrder" : 25
>> }
>>
>>
>> Have you tried using the Attribute Resolution & Release feature in the
>> CAS Dashboard to see what is being released by CAS?
>>
>> Matt
>>
>>
>> On Monday, June 3, 2019 at 5:53:36 AM UTC-6, Andrey Seledkov wrote:
>>>
>>> Hi team.
>>>
>>> When I worked with with SAML between CAS as IDp and Keycloak as SP , i
>>> cannot add addition attribute like firstName, lastName
>>>
>>> my cas seetings
>>>
>>> cas.authn.attributeRepository.jdbc[0].singleRow=true
>>> cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
>>>
>>> cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
>>> cas.authn.attributeRepository.jdbc[0].username=USERNAME
>>>
>>> cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
>>> cas.authn.attributeRepository.jdbc[0].user=${DB_USERNAME}
>>> cas.authn.attributeRepository.jdbc[0].password=${DB_PASSWORD}
>>> cas.authn.attributeRepository.jdbc[0].url=${DB_URL}
>>>
>>> cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
>>> cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
>>>
>>> my json file
>>>
>>> {
>>> "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>> "serviceId": "service-id-here",
>>> "name": "name-here",
>>> "id": 1010,
>>> "evaluationOrder": 1,
>>> "metadataLocation": "file:/etc/cas/saml/saml.xml",
>>> "attributeReleasePolicy": {
>>> "@class":
>>> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>> "allowedAttributes": [
>>> "firstName",
>>> "lastName"
>>> ]
>>> }
>>> }
>>>
>>>
>>> But when i redirect to Keycloak I dont see any additional attributes in
>>> SAMLReponse, could you please assist
>>>
>>>
>>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f1b4df77-3166-4c58-a0a1-0b2489f9a04d%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
I will try , but what is 'cn' and 'mail' here?
For my task I need to put in SamlResponse fisrtName and lastName which I
retrieved from database
понедельник, 3 июня 2019 г., 17:00:20 UTC+3 пользователь Matthew Uribe
написал:
>
> Andrey,
>
> I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I
> have the following json for one of our SPs:
>
> {
> "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
> "serviceId" : "service-id-here",
> "name" : "name-here",
> "id" : 1001,
> "metadataLocation" : "https://service.address/SAML/Metadata";,
> "attributeReleasePolicy" : {
> "@class" :
> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
> "allowedAttributes" : {
> "@class" : "java.util.TreeMap",
> "cn" : "urn:oid:2.5.4.3",
> "mail" : "urn:oid:0.9.2342.19200300.100.1.3"
> }
> },
> "evaluationOrder" : 25
> }
>
>
> Have you tried using the Attribute Resolution & Release feature in the CAS
> Dashboard to see what is being released by CAS?
>
> Matt
>
>
> On Monday, June 3, 2019 at 5:53:36 AM UTC-6, Andrey Seledkov wrote:
>>
>> Hi team.
>>
>> When I worked with with SAML between CAS as IDp and Keycloak as SP , i
>> cannot add addition attribute like firstName, lastName
>>
>> my cas seetings
>>
>> cas.authn.attributeRepository.jdbc[0].singleRow=true
>> cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
>>
>> cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
>> cas.authn.attributeRepository.jdbc[0].username=USERNAME
>> cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
>> cas.authn.attributeRepository.jdbc[0].user=${DB_USERNAME}
>> cas.authn.attributeRepository.jdbc[0].password=${DB_PASSWORD}
>> cas.authn.attributeRepository.jdbc[0].url=${DB_URL}
>>
>> cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
>> cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
>>
>> my json file
>>
>> {
>> "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>> "serviceId": "service-id-here",
>> "name": "name-here",
>> "id": 1010,
>> "evaluationOrder": 1,
>> "metadataLocation": "file:/etc/cas/saml/saml.xml",
>> "attributeReleasePolicy": {
>> "@class":
>> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>> "allowedAttributes": [
>> "firstName",
>> "lastName"
>> ]
>> }
>> }
>>
>>
>> But when i redirect to Keycloak I dont see any additional attributes in
>> SAMLReponse, could you please assist
>>
>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cd47ba30-ca94-489c-ac06-6f81df2dd9e5%40apereo.org.
[cas-user] Re: SAMLReponse Add new Attributes
Andrey,
I don't know what version of CAS you're on, but for me, on CAS 5.2.x, I
have the following json for one of our SPs:
{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "service-id-here",
"name" : "name-here",
"id" : 1001,
"metadataLocation" : "https://service.address/SAML/Metadata";,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"cn" : "urn:oid:2.5.4.3",
"mail" : "urn:oid:0.9.2342.19200300.100.1.3"
}
},
"evaluationOrder" : 25
}
Have you tried using the Attribute Resolution & Release feature in the CAS
Dashboard to see what is being released by CAS?
Matt
On Monday, June 3, 2019 at 5:53:36 AM UTC-6, Andrey Seledkov wrote:
>
> Hi team.
>
> When I worked with with SAML between CAS as IDp and Keycloak as SP , i
> cannot add addition attribute like firstName, lastName
>
> my cas seetings
>
> cas.authn.attributeRepository.jdbc[0].singleRow=true
> cas.authn.attributeRepository.jdbc[0].requireAllAttributes=true
>
> cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM ml_emp WHERE {0}
> cas.authn.attributeRepository.jdbc[0].username=USERNAME
> cas.authn.attributeRepository.jdbc[0].driverClass=oracle.jdbc.OracleDriver
> cas.authn.attributeRepository.jdbc[0].user=${DB_USERNAME}
> cas.authn.attributeRepository.jdbc[0].password=${DB_PASSWORD}
> cas.authn.attributeRepository.jdbc[0].url=${DB_URL}
>
> cas.authn.attributeRepository.jdbc[0].attributes.FIRST_NAME=firstName
> cas.authn.attributeRepository.jdbc[0].attributes.LAST_NAME=lastName
>
> my json file
>
> {
> "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
> "serviceId": "service-id-here",
> "name": "name-here",
> "id": 1010,
> "evaluationOrder": 1,
> "metadataLocation": "file:/etc/cas/saml/saml.xml",
> "attributeReleasePolicy": {
> "@class":
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
> "allowedAttributes": [
> "firstName",
> "lastName"
> ]
> }
> }
>
>
> But when i redirect to Keycloak I dont see any additional attributes in
> SAMLReponse, could you please assist
>
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8b55cb7e-149c-4b97-a91d-bd755df4c4ba%40apereo.org.
