Same question, have you got a solution?

On Thursday, June 14, 2018 at 10:47:23 PM UTC+8, Pk Hafeez wrote:
>
> Have set up the latest version 5.3.0 of Apereo CAS. Want it to return the 
> username as a UID attribute in the SAML response. Have made the appropriate 
> changes to cas.properties and the service registry JSON file. But CAS 
> somehow only returns the default attributes (UsernamePasswordCredential, 
> samlAuthenticationStatementAuthMethod, isFromNewLogin, authenticationDate, 
> authenticationMethod, successfulAuthenticationHandlers, 
> longTermAuthenticationRequestTokenUsed). Note that this is just a POC 
> setup, so there is no provisioning or LDAP or such. There is only one user 
> on the CAS system, and when he ([email protected]) makes a SAML 
> request, the SAML response after authentication should simply send the 
> username (uone) back as part of the attribute (uid) in the response.
>
> *cas.properties*
>
> cs.server.name: https://sso.idp.cuhybrid.com:8443
> cas.server.prefix: https://sso.idp.cuhybrid.com:8443/cas
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
>
> logging.config: file:/etc/cas/config/log4j2.xml
> cas.serviceRegistry.config.location: classpath:/services
> cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.json.location=file:///etc/cas/services
>
> cas.authn.samlIdp.entityId=https://sso.idp.cuhybrid.com:443/cas/idp
> cas.authn.samlIdp.scope=idp.cuhybrid.com
>
> cas.authn.file.separator=::
> cas.authn.file.filename=file:/etc/cas/config/password.txt
> cas.authn.file.passwordEncoder.type=NONE
> #release attributes
> #cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
> #cas.authn.attributeRepository.attributes.uid=uid
> #cas.authn.samlIdp.principalAttributeId=uid
> #cas.authn.ldap[0].principalAttributeId=uid
> cas.authn.samlIdp.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
> #cas.authn.samlIdp.attributeRepository.defaultAttributesToRelease=uid
> cas.authn.samlIdp.attributeRepository.attributes.id=uid
> cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
> #cas.authn.attributeRepository.defaultAttributesToRelease=uid
> cas.authn.attributeRepository.samlIdp[0].id=uid
> cas.authn.attributeRepository.samlIdp[0].attributes.id=uid
>
>
> *password.txt*
>
> [email protected]::T1swo123=
>
> *attribute-repository.json*
>
> {
>   "uone": {
>     "firstName": ["fname"],
>     "lastName": ["lname"]
>   }
> }
>
> */etc/cas/services/service.json*
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "https://broker.wbx.com.*",
>   "name" : "Broker",
>   "id" : 20000001,
>   "evaluationOrder" : 10,
>   "metadataLocation" : "https://sso.idp.cuhybrid.com:8443/idb-meta-test-org1.xml",
>   "attributeReleasePolicy" : {
>     "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "uid" ] ]
>   }
> }
>
> *SAML Response (expected uid attribute missing):* In the SAML response I 
> expect the username (uone) to be present in the attribute list with the 
> name uid after the configuration made above. But somehow the attribute 
> list is all defaults.
>
> <saml2p:Response
>     
> Destination="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"
>     ID="_7652370489182156752" 
> InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
>     IssueInstant="2018-06-14T10:49:11.334Z" Version="2.0"
>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>         
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo><ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod 
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>             <ds:Reference URI="#_7652370489182156752">
>                 <ds:Transforms><ds:Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
>  
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
>  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>                 
> <ds:DigestValue>QVZFqX3IZhmlpVXtl6r4d8k9d8SC5jkX/Q+1a39gsS8=</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         
> <ds:SignatureValue>EaAo6LKZYJn8b2Nm7M1QhfUyCtMYR2wqFm4+HdABhJT/3TDVlrsrhgz8fCRHM+zAFDQrsAXLokzEyj0q+riKsy3aOWVPIFhaOpctJuCS6/MvLBW/a2ZKU9rKNgawrVNWNOu6pAm0IgBQYd5SJnNyCEZnOQWk+H2f9YuqjWOlFw4HicNVisp9bZnXQJPQ9HMKSntgazLtJktuWhjdYMwjEpMckV0Smr/2A2A4tnmyXhBSu7DOm2k8OnqAdFyYydsDDyY0GyzV1PD/NXdXE65ZjbSner4NESV10GzKEUp+PoAFhd3zY9jGBc435BzD01L43anDZbEJ/pdTsogqVjSuQQ==</ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:X509Data>
>                 
> <ds:X509Certificate>MIIWOjCCAiKgAwIBAgIVAIWJG4KZJNKnPfAtwXfzO5ZasZXKMA0GCSqGSIb3DQEBCwUAMCExHzAd
>                     
> BgNVBAMMFnNzby5pZHAuY2FyZWh5YnJpZC5jb20wHhcNMTgwNjEyMDUxODI0WhcNMzgwNjEyMDUx
>                     
> ODI0WjAhMR8wHQYDVQQDDBZzc28uaWRwLmNhcmVoeWJyaWQuY29tMIIBIjANBgkqhkiG9w0BAQEF
>                     
> AAOCAQ8AMIIBCgKCAQEAkubHPbfub/uSD2ZCt9gxw7nUHNPKLotVlORJ48XEjXAY5ygaet4p+94S
>                     
> gX8qafDETqay3ynVX/kZiVutg85xsR9nhTd/PSL9/CMR02U9qVpQP+EnMsttmc4u+GR/lvyPIi4C
>                     
> bYS9piV89axFF3oYNy8B4phNmymCONEvT3XpuWIpA2LPRAYo/8rcPgpOABSRPex/Z1+OIcbw+Lwb
>                     
> 0cAuOxkSlc/X8X8Da3CiHemFxrswFkXCLEZOdd/a2CesuyJguFoFbcGW3ko4tSVgGWflt8vsn7wE
>                     
> nMk4Un10dupDDWEzWx+bw0ELilyuqEDMOURQInWWI4PuuCdTqUld1pCzqwIDAQABo2kwZzAdBgNV
>                     
> HQ4EFgQUiOTpeFxxMd+/pOaEhYmt59xmiQEwRgYDVR0RBD8wPYIWc3NvLmlkcC5jYXJlaHlicmlk
>                     
> LmNvbYYjc3NvLmlkcC5jYXJlaHlicmlkLmNvbS9pZHAvbWV0YWRhdGEwDQYJKoZIhvcNAQELBQAD
>                     
> ggEBAB2DYvASBcmG69GwPEX1HM4RsHsjcc+dMe3M3CcKcfyIDxy3dkA1M3JhqUP1sgXqJli0gFHp
>                     
> NCF7fbikP4f0+O3z7L8cASZFu+gdL5Gre2umhRzPCL0v2q+dIbDEZ3h/Y841Tu8xO8xFCUTUO7Bi
>                     
> nbg8KrKbWJX4FTrlPG/I0DncNF0wiKzYaJTevRmbRk1HUV+kCD8oN3RgpfDofVb8QQfpueVDaXuZ
>                     
> oTRi7376ebOJk3UugAsgp255jTRojVrsuU6+w9YajAObArniSm2z5t3D8+47CTP0QSYd8SS+nCy6
>                     
> uBBJhh4EfylDw4pobsZSHA23ZqwuySy49ZV37adNOLY=</ds:X509Certificate>
>             </ds:X509Data>
>         </ds:KeyInfo>
>     </ds:Signature>
>     <saml2p:Status 
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode 
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
>     <saml2:Assertion ID="_9139863724074917757" 
> IssueInstant="2018-06-14T10:49:11.326Z" Version="2.0"
>         xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>         <saml2:Issuer>https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
>         <saml2:Subject>
>             <saml2:NameID 
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>                 
> NameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4"
>                 
> SPNameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4">nm8GLI16mgBl2pJWfWI+zbKBpTg=</saml2:NameID>
>             <saml2:SubjectConfirmation 
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData 
> InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
>                 NotOnOrAfter="2018-06-14T10:49:16.029Z"
>                 
> Recipient="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"/></saml2:SubjectConfirmation>
>         </saml2:Subject>
>         <saml2:Conditions NotBefore="2018-06-14T10:49:11.333Z" 
> NotOnOrAfter="2018-06-14T10:49:16.333Z">
>             <saml2:AudienceRestriction>
>                 
> <saml2:Audience>https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4</saml2:Audience>
>             </saml2:AudienceRestriction>
>         </saml2:Conditions>
>         <saml2:AuthnStatement AuthnInstant="2018-06-14T10:49:11.029Z" 
> SessionIndex="_8331287344390871950"><saml2:SubjectLocality 
> Address="64.68.99.6"/>
>             <saml2:AuthnContext>
>                 
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>             </saml2:AuthnContext>
>         </saml2:AuthnStatement>
>         <saml2:AttributeStatement>
>             <saml2:Attribute FriendlyName="credentialType" 
> Name="credentialType"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 
> <saml2:AttributeValue>UsernamePasswordCredential</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute 
> FriendlyName="samlAuthenticationStatementAuthMethod"
>                 Name="samlAuthenticationStatementAuthMethod"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 
> <saml2:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="isFromNewLogin" 
> Name="isFromNewLogin"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 <saml2:AttributeValue>true</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="authenticationDate" 
> Name="authenticationDate"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 
> <saml2:AttributeValue>2018-06-14T10:49:10.650Z[Etc/UTC]</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="authenticationMethod" 
> Name="authenticationMethod"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 
> <saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
>                 Name="successfulAuthenticationHandlers" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 
> <saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute 
> FriendlyName="longTermAuthenticationRequestTokenUsed"
>                 Name="longTermAuthenticationRequestTokenUsed"
>                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>                 <saml2:AttributeValue>false</saml2:AttributeValue>
>             </saml2:Attribute>
>         </saml2:AttributeStatement>
>     </saml2:Assertion>
> </saml2p:Response>
>
>
>
> *Expected SAML response attribute:* The expected attribute is below, 
> with the username (uone) as the value.
>
> <saml:Attribute Name="uid" 
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
>                 <saml:AttributeValue 
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
>                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">uone</saml:AttributeValue>
>             </saml:Attribute>
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.
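Editor's note: the thread above has no answer, so here is the checklist a CAS admin would run before posting, written as an added example. It is not code from the original post, from Pk Hafeez, or from the CAS project. It rests on two facts about CAS 5.x: registered-service and release-policy classes live in the org.apereo.cas package (org.jasig.cas.* is the CAS 4 naming), and the JSON attribute repository is keyed by the principal id CAS resolves after login (the username entered at the login form unless principal transformation is configured), so the key must match that id exactly. The hostnames, service id, the constructed SAML response, and the assumption that uid is to be sourced from the JSON repository are all placeholders for this example.

```python
"""Sanity checks for a CAS 5.x SAML IdP attribute-release setup.

Added example, not part of the original post or of CAS itself. It
  1. lints a SamlRegisteredService JSON definition (class package, uid in
     allowedAttributes),
  2. checks the JSON attribute repository holds the attribute for the login
     principal, and
  3. parses a SAML2 Response and returns the attributes actually released.
All sample inputs at the bottom are constructed for this example.
"""
import json
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
APEREO = "org.apereo.cas."


def _unwrap(value):
    """CAS writes typed collections as ["java.util.ArrayList", [...]]; unwrap them."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[1], list):
        return value[1]
    return value


def lint_service(service_json, wanted="uid"):
    """Return the problems found in a CAS registered-service JSON document."""
    svc = json.loads(service_json)
    policy = svc.get("attributeReleasePolicy", {})
    problems = []
    for label, cls in (("service", svc.get("@class", "")),
                       ("attributeReleasePolicy", policy.get("@class", ""))):
        if not cls.startswith(APEREO):
            # CAS 4 used org.jasig.cas.*; CAS 5 only knows org.apereo.cas.* classes
            problems.append(f"{label} @class '{cls}' is not an {APEREO}* class")
    allowed = _unwrap(policy.get("allowedAttributes", []))
    if wanted not in allowed:
        problems.append(f"'{wanted}' is not in allowedAttributes {allowed}")
    return problems


def lint_repository(repo_json, principal_id, wanted="uid"):
    """The JSON repository is keyed by the resolved principal id; check that key."""
    repo = json.loads(repo_json)
    entry = repo.get(principal_id)
    if entry is None:
        return [f"no repository entry for principal '{principal_id}' (keys: {sorted(repo)})"]
    if wanted not in entry:
        return [f"entry for '{principal_id}' has no '{wanted}' attribute (has {sorted(entry)})"]
    return []


def released_attributes(saml_response_xml):
    """Map attribute Name -> list of values from the Response's AttributeStatement."""
    root = ET.fromstring(saml_response_xml)
    released = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        released[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    return released


def missing_attributes(saml_response_xml, wanted=("uid",)):
    """Names in `wanted` that the IdP did not release."""
    released = released_attributes(saml_response_xml)
    return [name for name in wanted if name not in released]


# Constructed inputs modelled on the post (hostnames and ids are placeholders).
SERVICE_JSON = """{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://broker.example.com.*",
  "name": "Broker", "id": 20000001, "evaluationOrder": 10,
  "metadataLocation": "https://sso.example.com:8443/sp-metadata.xml",
  "attributeReleasePolicy": {
    "@class": "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": ["java.util.ArrayList", ["uid"]]
  }
}"""
REPO_JSON = '{"uone": {"firstName": ["fname"], "lastName": ["lname"]}}'
SAML_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml2:Assertion ID="_2" Version="2.0">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="credentialType">
        <saml2:AttributeValue>UsernamePasswordCredential</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="isFromNewLogin">
        <saml2:AttributeValue>true</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    for problem in lint_service(SERVICE_JSON) + lint_repository(REPO_JSON, "uone"):
        print("CONFIG:", problem)
    print("released:", sorted(released_attributes(SAML_RESPONSE)))
    print("missing :", missing_attributes(SAML_RESPONSE))
```

Run it against the real service.json, attribute-repository.json and a captured Response (paste the XML in place of SAML_RESPONSE) with the principal id that was actually typed at the login form; the two lint functions report mismatches between the release policy, the repository key and the attribute you expect, and released_attributes shows what the IdP really put in the AttributeStatement, which is the first thing the list will ask for.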
