RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-23 Thread Paul B. Henson 
 From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
 Sent: Tuesday, October 22, 2013 9:18 AM

 Sorry I was clearer...the pointer to CAS-1283 was a more of a
 suggestion to engage on that ticket...presumably to incorporate your
 enhancements.

Ah, okay; I updated the ticket with a comment indicating it currently does not 
handle multivalued attributes and included the sample code adding an additional 
loop to avoid flattening them out.

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-23 Thread William G. Thompson, Jr. 
Excellent.  I've re-opened this issue to consider Paul's enhancement.

On Wed, Oct 23, 2013 at 12:48 PM, Paul B. Henson hen...@csupomona.edu wrote:
 From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
 Sent: Tuesday, October 22, 2013 9:18 AM

 Sorry I was clearer...the pointer to CAS-1283 was a more of a
 suggestion to engage on that ticket...presumably to incorporate your
 enhancements.

 Ah, okay; I updated the ticket with a comment indicating it currently does 
 not handle multivalued attributes and included the sample code adding an 
 additional loop to avoid flattening them out.

 --
 You are currently subscribed to cas-user@lists.jasig.org as: wgt...@gmail.com
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-22 Thread William G. Thompson, Jr. 
Sorry I was clearer...the pointer to CAS-1283 was a more of a
suggestion to engage on that ticket...presumably to incorporate your
enhancements.

Best,
Bill


On Fri, Oct 11, 2013 at 10:02 PM, Paul B. Henson hen...@csupomona.edu wrote:
 From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
 Sent: Friday, October 11, 2013 5:36 PM

 You'll want to take a look at this:  https://issues.jasig.org/browse/CAS-1283

 That code looks suspiciously similar to the code on the wiki; I don't really 
 see how that would not also flatten out multivalued attributes into a comma 
 separated list as opposed to enumerating them separately?

 I guess the jsp foreach is smart enough to do the right thing if you give it 
 just a simple string rather than a collection, as:

 c:forEach var=attr 
 items=${auth.principal.attributes} 
 c:forEach var=attrval 
 items=${attr.value} 
 
 cas:${fn:escapeXml(attr.key)}${fn:escapeXml(attrval)}/cas:${fn:escapeXml(attr.key)}
 /c:forEach
 /c:forEach

 seems to do what I want:

 cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'
 cas:authenticationSuccess
 cas:userhenson/cas:user
 cas:attributes
 cas:snHenson/cas:sn
 cas:givenNamePaul/cas:givenName
 
 cas:csupomonaEduPersonAffiliationeoc_essential/cas:csupomonaEduPersonAffiliation
 
 cas:csupomonaEduPersonAffiliationemployee/cas:csupomonaEduPersonAffiliation
 
 cas:csupomonaEduPersonAffiliationmember/cas:csupomonaEduPersonAffiliation
 
 cas:csupomonaEduPersonAffiliationstaff/cas:csupomonaEduPersonAffiliation
 /cas:attributes
 /cas:authenticationSuccess
 /cas:serviceResponse

 And yay, ezproxy successfully parses this...


 --
 You are currently subscribed to cas-user@lists.jasig.org as: wgt...@gmail.com
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-14 Thread Julien Gribonvald 

Hi folks,

Just my 2 cents :

With my experience it's really easy to share user attributes over SAML 
than with the jsp, why ? until now each CAS deployer tried to use the 
jsp to share user attributes but every one made his jsp code and so 
there is a lot of schema attributes sharing over this method, whereas 
SAML there is only normalized way for attributes sharing. More it's 
compatible with shibboleth attributes release, so you don't have to 
delopp each times a CAS client when using the SAML (event if CAS client 
exists there is a lot of langages where there isn't CAS client).
Also the only thing missing with CAS 3.x version is the attributes 
release in proxy mode with SAML schema. After the SAML is a good 
practice to enforce the security in flows (but only when it's needed), 
and for that shibboleth use it with efficience. More the php and java 
CAS client are compatible with SAML attributes sharing ! I'm seeing the 
service validate (using jsp) as only a simple service to validate user 
access, and the SAML service validate as an evolved service needed to 
release user attributes in a normalized way. In my mind providing a 
normlized way for attribute sharing is realluy needed, I'm not sure that 
the jsp is a good way, there are several ways to share attributes more 
using libraries, even in json, but sharing a normalized way for 
attributes sharing with shibboleth can provide a good point to CAS ;)


My experience is based on communication with several external ressources 
editors, they have to set several CAS client to access to their 
services, and so they have to configure a different client and due to 
CAS using only jsp to release attributes they have a lot of problem to 
integrate new services due to lack of schema normalization, and more if 
they has to developp a specific client it's always a pain to integrate 
quickly the service, but when we say that they can use the SAML this is 
always welcome and really fastest to integrate services when attributes 
sharing are needed.


And sorry for my poor english this morning !

Regards,
Julien Gribonvald


Le 11/10/2013 22:30, William G. Thompson, Jr. a écrit :

On Fri, Oct 11, 2013 at 2:08 PM, Marvin S. Addison
marvin.addi...@gmail.com wrote:

Hmm, that's the impression I got after a meeting with Unicon, perhaps
I misunderstood them.


I believe Unicon steers folks away from SAML.

I understand you to mean /cas/samlValidate here rather than SAML,
but just to be clear, Unicon does not steer folks away from SAML.   In
fact, Unicon has a healthy and growing practice around SAML and
Shibboleth in particular.

Best,
Bill




--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Marvin S. Addison 

My understanding was that despite it being the official mechanism,
SAML is for the most part deprecated


Absolutely not. It may be deprecated at some (distant) future date, but
many folks are happily using the SAML support in many clients for
attribute release. No server or client customizations needed.


most people are extending the CAS 2.0 protocol to supply attributes
rather than using SAML


I don't think we have any numbers. I'd be happy to start a thread asking
for folks to speak up to get a sense, but from past experience it's hard
to gauge accurately with self reporting.

M

--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Paul B. Henson 
 From: Marvin S. Addison [mailto:marvin.addi...@gmail.com]
 Sent: Friday, October 11, 2013 6:35 AM

 Absolutely not. It may be deprecated at some (distant) future date, but
 many folks are happily using the SAML support in many clients for
 attribute release. No server or client customizations needed.

Hmm, that's the impression I got after a meeting with Unicon, perhaps I 
misunderstood them.

In any case, it looks like the client I'm trying to get to work (ezproxy) 
doesn't support SAML :(, so I'm stuck with unofficial CAS 2.0 attributes.

Did you by any chance have the opportunity to look at the other email I sent on 
this subject as far as whether or not the variable within the jsp file has 
already been flattened, or if there is the potential to tweak the jsp to 
iterate over it and generate separate entries for each value rather than 
flatten it?

Thanks much...

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Marvin S. Addison 

Hmm, that's the impression I got after a meeting with Unicon, perhaps
I misunderstood them.


I believe Unicon steers folks away from SAML. I believe it's motivated 
in some cases by the need to support proxying with attribute release, 
which SAML 1.1 does not support. If they used the word deprecated, 
then that would be incorrect. It's supported now and for the foreseeable 
future.



In any case, it looks like the client I'm trying to get to work
(ezproxy) doesn't support SAML :(, so I'm stuck with unofficial CAS
2.0 attributes.


Understood.


Did you by any chance have the opportunity to look at the other email
I sent on this subject as far as whether or not the variable within
the jsp file has already been flattened, or if there is the potential
to tweak the jsp to iterate over it and generate separate entries for
each value rather than flatten it?


You mean this:

cas:attributes
  cas:csupomonaEduPersonAffiliation[a, b, 
c]/cas:csupomonaEduPersonAffilication

/cas:attributes

I admit that doesn't look correct but I'm not certain. What reference 
did you follow for customizing the casServiceValidationSuccess.jsp file?


M

--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread William G. Thompson, Jr. 
Hey Paul,

Since you brought up the Unicon meeting I figure I'll just respond
here in this thread.   Sorry if I gave you the wrong impression
regarding the official status of /cas/samlValidate.

The point I was making was that /cas/samlValidate was essentially
superseded by the 3.0 protocol spec rev (and the CAS 4.0 release) that
was catching up to broader community practice regarding releasing
attributes in /cas/serviceValidate.

/cas/samlValidate simply sends a SAML1 document back in response to a
ST validate request.  It never really achieved any general
interoperability with other SAML entities.  Therefore one can view
this particular feature as CAS specific implementation detail rather
than SAML support.

This thread might be of some help with OCLC.
https://groups.google.com/forum/#!topic/jasig-cas-user/QsW2eeA6WYw

Best,
Bill


On Fri, Oct 11, 2013 at 1:56 PM, Paul B. Henson hen...@csupomona.edu wrote:
 From: Marvin S. Addison [mailto:marvin.addi...@gmail.com]
 Sent: Friday, October 11, 2013 6:35 AM

 Absolutely not. It may be deprecated at some (distant) future date, but
 many folks are happily using the SAML support in many clients for
 attribute release. No server or client customizations needed.

 Hmm, that's the impression I got after a meeting with Unicon, perhaps I 
 misunderstood them.

 In any case, it looks like the client I'm trying to get to work (ezproxy) 
 doesn't support SAML :(, so I'm stuck with unofficial CAS 2.0 attributes.

 Did you by any chance have the opportunity to look at the other email I sent 
 on this subject as far as whether or not the variable within the jsp file has 
 already been flattened, or if there is the potential to tweak the jsp to 
 iterate over it and generate separate entries for each value rather than 
 flatten it?

 Thanks much...

 --
 You are currently subscribed to cas-user@lists.jasig.org as: wgt...@gmail.com
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Paul B. Henson 
 From: Marvin S. Addison [mailto:marvin.addi...@gmail.com]
 Sent: Friday, October 11, 2013 11:08 AM

 You mean this:
 
 cas:attributes
cas:csupomonaEduPersonAffiliation[a, b,
 c]/cas:csupomonaEduPersonAffilication
 /cas:attributes

No, I meant the post containing the underlying jsp code that generated it:

c:forEach var=attr items=${auth.principal.attributes} 

cas:${fn:escapeXml(attr.key)}${fn:escapeXml(attr.value)}/cas:${fn:escapeXml(attr.key)}
/c:forEach

This code does appear to generate one entry for each attribute, containing 
whatever attr.value is. My curiosity is whether the attr.value variable is a 
collection at this point in the jsp, and the escapeXml call is what is 
flattening it (in which case the jsp could potentially be modified to detect it 
is a collection and do an additional foreach to break them out separately) or 
if the variable attr.value is already flattened by the time the jsp sees it, in 
which case it would need to be fixed somewhere else.

 I admit that doesn't look correct but I'm not certain. What reference
 did you follow for customizing the casServiceValidationSuccess.jsp file?

I copied it from the wiki:

https://wiki.jasig.org/display/CASUM/Attributes

Thanks...

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Marvin Addison 
 The point I was making was that /cas/samlValidate was essentially
 superseded by the 3.0 protocol spec rev (and the CAS 4.0 release) that
 was catching up to broader community practice regarding releasing
 attributes in /cas/serviceValidate.

I would say we're planning to support _both_ the existing SAML 1.1
capability and the new CAS 3.0 protocol. I'm not aware of any plan to
supersede one for the other at present, though it's entirely possible
that may happen in the future. It's simply a fact that CAS 3.0 will be
able to do everything that the SAML 1.1 support offers and more.

On the topic of broader community practice, do you have any numbers?
I mentioned interest in adoption numbers in the thread previously, and
if you have some data it would be helpful to share.

M

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Paul B. Henson 
 From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
 Sent: Friday, October 11, 2013 11:51 AM

 Since you brought up the Unicon meeting I figure I'll just respond
 here in this thread.   Sorry if I gave you the wrong impression
 regarding the official status of /cas/samlValidate.

Possibly I misunderstood you; the question was more or less whether most 
applications would do samlValidate and I didn't need to worry about the custom 
jsp extension, or if most applications only worked with CAS 2.0 attribute 
extensions, and the rough answer was more or less the latter. Which, at least 
in the case of ezproxy, seems to be true so far :).

 This thread might be of some help with OCLC.
 https://groups.google.com/forum/#!topic/jasig-cas-user/QsW2eeA6WYw

Yeah, that looks like basically what I'm doing. The ezproxy client sees the 
attributes being returned by the custom jsp with no problem, it's just that 
multi valued attributes are getting flattened out into a single value which is 
less than ideal. And that's definitely on the CAS side, not the ezproxy side, 
as can be seen in the returned XML.

Thanks...

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread William G. Thompson, Jr. 
On Fri, Oct 11, 2013 at 2:08 PM, Marvin S. Addison
marvin.addi...@gmail.com wrote:
 Hmm, that's the impression I got after a meeting with Unicon, perhaps
 I misunderstood them.


 I believe Unicon steers folks away from SAML.

I understand you to mean /cas/samlValidate here rather than SAML,
but just to be clear, Unicon does not steer folks away from SAML.   In
fact, Unicon has a healthy and growing practice around SAML and
Shibboleth in particular.

Best,
Bill

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Marvin Addison 
 I understand you to mean /cas/samlValidate here rather than SAML,

That's exactly what I meant. Only with respect to attribute release in CAS.

M

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Marvin Addison 
 No, I meant the post containing the underlying jsp code that generated it:

 c:forEach var=attr items=${auth.principal.attributes} 
 
 cas:${fn:escapeXml(attr.key)}${fn:escapeXml(attr.value)}/cas:${fn:escapeXml(attr.key)}
 /c:forEach

Missed that. That JSP code absolutely will not work with the attribute
parsing code in phpCAS HEAD revision. Here's the source for the
parsing code [1]:

/**
 * This method will parse the DOM and pull out the attributes from the XML
 * payload and put them into an array, then put the array into the session.
 *
 * @param string $success_elements payload of the response
 *
 * @return bool true when successfull, halt otherwise by calling
 * CAS_Client::_authError().
 */
private function _readExtraAttributesCas20($success_elements)
{
phpCAS::traceBegin();

$extra_attributes = array();

// Jasig Style Attributes:
//
// cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'
// cas:authenticationSuccess
// cas:userjsmith/cas:user
// cas:attributes
// cas:attraStyleRubyCAS/cas:attraStyle
// cas:surnameSmith/cas:surname
// cas:givenNameJohn/cas:givenName
// cas:memberOfCN=Staff,OU=Groups,DC=example,DC=edu/cas:memberOf
// cas:memberOfCN=Spanish
Department,OU=Departments,OU=Groups,DC=example,DC=edu/cas:memberOf
// /cas:attributes
// 
cas:proxyGrantingTicketPGTIOU-84678-8a9d2sfa23casd/cas:proxyGrantingTicket
// /cas:authenticationSuccess
// /cas:serviceResponse
//

I think the comment makes it pretty clear the expected XML format,
which matches my recollection. You'll need an inner loop to unroll
attribute values that contain collections.

M

[1] https://github.com/Jasig/phpCAS/blob/master/source/CAS/Client.php

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread William G. Thompson, Jr. 
You'll want to take a look at this:  https://issues.jasig.org/browse/CAS-1283

Best,
Bill


On Fri, Oct 11, 2013 at 8:16 PM, Paul B. Henson hen...@csupomona.edu wrote:
 From: Marvin Addison [mailto:marvin.addi...@gmail.com]
 Sent: Friday, October 11, 2013 1:40 PM

 Missed that. That JSP code absolutely will not work with the attribute
 parsing code in phpCAS HEAD revision. Here's the source for the

 That's an annoying inconsistency, given that piece of the wiki describing the 
 jsp modification is entitled Accessing attributes using phpCAS ;).

 I think the comment makes it pretty clear the expected XML format,
 which matches my recollection. You'll need an inner loop to unroll
 attribute values that contain collections.

 It sounds like the jsp has access to the un-flattened collection then, so I 
 guess if nobody on the list who writes jsp in their sleep steps up, I'll go 
 hack at it...

 Thanks...

 --
 You are currently subscribed to cas-user@lists.jasig.org as: wgt...@gmail.com
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread William G. Thompson, Jr. 
And this one: https://issues.jasig.org/browse/CAS-1284



On Fri, Oct 11, 2013 at 8:36 PM, William G. Thompson, Jr.
wgt...@gmail.com wrote:
 You'll want to take a look at this:  https://issues.jasig.org/browse/CAS-1283

 Best,
 Bill


 On Fri, Oct 11, 2013 at 8:16 PM, Paul B. Henson hen...@csupomona.edu wrote:
 From: Marvin Addison [mailto:marvin.addi...@gmail.com]
 Sent: Friday, October 11, 2013 1:40 PM

 Missed that. That JSP code absolutely will not work with the attribute
 parsing code in phpCAS HEAD revision. Here's the source for the

 That's an annoying inconsistency, given that piece of the wiki describing 
 the jsp modification is entitled Accessing attributes using phpCAS ;).

 I think the comment makes it pretty clear the expected XML format,
 which matches my recollection. You'll need an inner loop to unroll
 attribute values that contain collections.

 It sounds like the jsp has access to the un-flattened collection then, so I 
 guess if nobody on the list who writes jsp in their sleep steps up, I'll go 
 hack at it...

 Thanks...

 --
 You are currently subscribed to cas-user@lists.jasig.org as: wgt...@gmail.com
 To unsubscribe, change settings or access archives, see 
 http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-11 Thread Paul B. Henson 
 From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
 Sent: Friday, October 11, 2013 5:36 PM

 You'll want to take a look at this:  https://issues.jasig.org/browse/CAS-1283

That code looks suspiciously similar to the code on the wiki; I don't really 
see how that would not also flatten out multivalued attributes into a comma 
separated list as opposed to enumerating them separately?

I guess the jsp foreach is smart enough to do the right thing if you give it 
just a simple string rather than a collection, as:

c:forEach var=attr 
items=${auth.principal.attributes} 
c:forEach var=attrval 
items=${attr.value} 

cas:${fn:escapeXml(attr.key)}${fn:escapeXml(attrval)}/cas:${fn:escapeXml(attr.key)}
/c:forEach
/c:forEach

seems to do what I want:

cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'
cas:authenticationSuccess
cas:userhenson/cas:user
cas:attributes
cas:snHenson/cas:sn
cas:givenNamePaul/cas:givenName

cas:csupomonaEduPersonAffiliationeoc_essential/cas:csupomonaEduPersonAffiliation

cas:csupomonaEduPersonAffiliationemployee/cas:csupomonaEduPersonAffiliation

cas:csupomonaEduPersonAffiliationmember/cas:csupomonaEduPersonAffiliation

cas:csupomonaEduPersonAffiliationstaff/cas:csupomonaEduPersonAffiliation
/cas:attributes
/cas:authenticationSuccess
/cas:serviceResponse

And yay, ezproxy successfully parses this...


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-10 Thread Marvin S. Addison 

What is the unofficial official way of handling attributes in the CAS 2.0 
protocol?


I honestly don't know. The official mechanism for attribute release is 
via the SAML 1.1 protocol. Attribute release will be officially 
supported in the CAS 3.0 protocol spec:


https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md

I can't speak to various client support for the 2.0 protocol extension 
since we don't use it. I understand many folks do use it, so they can 
speak to client support.


M

--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-10 Thread Tom Poage 
On Oct 10, 2013, at 6:18 AM, Marvin S. Addison marvin.addi...@gmail.com wrote:
 What is the unofficial official way of handling attributes in the CAS 2.0 
 protocol?
 
 I honestly don't know. The official mechanism for attribute release is via 
 the SAML 1.1 protocol. Attribute release will be officially supported in the 
 CAS 3.0 protocol spec:
 
 https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md
 
 I can't speak to various client support for the 2.0 protocol extension since 
 we don't use it. I understand many folks do use it, so they can speak to 
 client support.


The attribute string [ foo, bar, baz ] looks suspiciously like the result of 
a toString() on a collection.

Both flavors of SAML represent attributes as roughly:

Attributes
  Attribute name=... type=...
Valuefoo/Value
Valuebar/Value
...
  /Attribute
  ...
/Attributes

Following SAML on-the-wire attributes (cf. registered OIDs) would avoid having 
to invent new ad-hoc representations, e.g. cas:title, cas:firstname, etc. 
though, admittedly, at the expense of readability (perhaps explaining why SAML 
2.0 introduced attribute 'friendly' names).

Tom.


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-10 Thread Paul B. Henson 
 From: Marvin S. Addison [mailto:marvin.addi...@gmail.com]
 Sent: Thursday, October 10, 2013 6:18 AM

 I honestly don't know. The official mechanism for attribute release is
 via the SAML 1.1 protocol. Attribute release will be officially
 supported in the CAS 3.0 protocol spec:

My understanding was that despite it being the official mechanism, SAML is 
for the most part deprecated, and most people are extending the CAS 2.0 
protocol to supply attributes rather than using SAML. I'd like to get the 
server to do what the average client is going to want :)...


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-10 Thread Paul B. Henson 
 From: Tom Poage [mailto:tfpo...@ucdavis.edu]
 Sent: Thursday, October 10, 2013 8:30 AM

 The attribute string [ foo, bar, baz ] looks suspiciously like the result 
 of a
 toString() on a collection.

The jsp code on the wiki:

c:forEach var=attr items=${auth.principal.attributes} 

cas:${fn:escapeXml(attr.key)}${fn:escapeXml(attr.value)}/cas:${fn:escapeXml(attr.key)}
/c:forEach

does look like it pretty much spits out cas:namevalue/cas:name, I'm not 
that familiar with jsp, is it likely that attr.value is a collection, being 
converted to a string? In which case perhaps the jsp could be modified to 
detect that it is a collection and do another foreach to split it up and write 
out each value separately rather than concatenated? Or is it more likely that 
attr.value is already a flattened out string when it is referenced in the jsp?

 Both flavors of SAML represent attributes as roughly:

Well, in this case that only matters if the average CAS 2.0 attribute extended 
client likes them that way :). Looking at the php CAS client, it accepts a 
variety of different attribute encodings, none of which seem to match the 
example on the wiki as far as how to enable it on the server-side 8-/...

Thanks...

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user