So, this fixed my alternate username problem. I am now getting the actual employeeID attribute as the name ID in the SAML 2.0 Assertion.

Thanks for your help.
David Abney

From: [email protected] On Behalf Of David Abney
Sent: Tuesday, January 26, 2016 4:03 PM
To: Misagh Moayyed <[email protected]>; [email protected]
Subject: RE: [cas-user] Alternate Username with SAML 2.0

Misagh,

I figured out the issue. It was because I changed it to be

    <entry key-ref="ldapAuthenticationHandler" value-ref="#{null}" />

but it needs to be

    <entry key-ref="ldapAuthenticationHandler" value="#{null}" />

No "-ref".

Thanks,
David Abney

From: [email protected] On Behalf Of Misagh Moayyed
Sent: Tuesday, January 26, 2016 3:58 PM
To: [email protected]
Subject: RE: [cas-user] Alternate Username with SAML 2.0

May I see the change you made?

From: [email protected] On Behalf Of David Abney
Sent: Tuesday, January 26, 2016 1:51 PM
To: Misagh Moayyed <[email protected]>; [email protected]
Subject: RE: [cas-user] Alternate Username with SAML 2.0

Misagh,

I tried value="#{null}", but CAS is now encountering an error message about creating a bean '#{null}'. I assume I need to change something else in my deployerConfigContext file.
Below is the message I am getting in the CAS log:

    Error creating bean with name 'centralAuthenticationService' defined in ServletContext resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve reference to bean 'authenticationManager' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean '#{null}' while setting constructor argument with key [<ldapAuthenticationHandler>]; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'null' is defined
From: [email protected] On Behalf Of Misagh Moayyed
Sent: Tuesday, January 26, 2016 3:32 PM
To: [email protected]
Subject: RE: [cas-user] Alternate Username with SAML 2.0

No this isn't. You see, you either use the attribute repository (and the associated resolver it's linked to), or you use the authentication handler directly. Right now, you have declared them both. When you do this, your attribute repository/resolver takes precedence, which means you get static [stubbed] hardcoded attribute values, which means you just get employeeID verbatim.

Null out your primaryPrincipalResolver with value="#{null}" and try again. Let your handler retrieve attributes for you.

From: [email protected] On Behalf Of David Abney
Sent: Tuesday, January 26, 2016 12:49 PM
To: Misagh Moayyed <[email protected]>; [email protected]
Subject: RE: [cas-user] Alternate Username with SAML 2.0

Misagh,

It is used in the primaryPrincipalResolver, which is used by the authenticationManager. Is this setup correct to create the attribute repository?
    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
      <constructor-arg>
        <map>
          <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
          <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver" />
        </map>
      </constructor-arg>
      <property name="authenticationPolicy">
        <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
      </property>
    </bean>

    <bean id="primaryPrincipalResolver" class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver">
      <property name="attributeRepository" ref="attributeRepository" />
    </bean>

I have attached the deployerConfigContext.xml file to make it easier to look at, if that helps.

Thanks,
David Abney

From: [email protected] On Behalf Of Misagh Moayyed
Sent: Tuesday, January 26, 2016 2:22 PM
To: [email protected]
Subject: RE: [cas-user] Alternate Username with SAML 2.0

Where is your attributeRepository used in the configuration?

From: [email protected] On Behalf Of David Abney
Sent: Tuesday, January 26, 2016 6:36 AM
To: [email protected]
Subject: [cas-user] Alternate Username with SAML 2.0

I have CAS 4.0.7 running and I'm testing using a different value from LDAP to authenticate with a service that uses the SAML 2.0 (Google Apps) support provided by CAS. I would like to use the employeeID attribute from Active Directory as the principal Id for this service only.
I have tried this setup.

Setup in the deployerConfigContext.xml file:

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"
          p:backingMap-ref="attrRepoBackingMap" />

    <util:map id="attrRepoBackingMap">
      <entry key="uid" value="uid" />
      <entry key="mail" value="mail" />
      <entry key="employeeID" value="employeeID" />
    </util:map>

    <bean class="org.jasig.cas.services.RegexRegisteredService">
      <property name="id" value="5" />
      <property name="name" value="---service name---" />
      <property name="description" value="---service description---" />
      <property name="serviceId" value="---server url---" />
      <property name="evaluationOrder" value="5" />
      <property name="usernameAttribute" value="employeeID" />
      <property name="allowedAttributes">
        <list>
          <value>employeeID</value>
        </list>
      </property>
    </bean>

    <bean id="ldapAuthenticationHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler"
          p:principalIdAttribute="sAMAccountName"
          c:authenticator-ref="authenticator">
      <property name="principalAttributeMap">
        <map>
          <!--
             | This map provides a simple attribute resolution mechanism.
             | Keys are LDAP attribute names, values are CAS attribute names.
             | Use this facility instead of a PrincipalResolver if LDAP is
             | the only attribute source.
             -->
          <entry key="displayName" value="displayName" />
          <entry key="mail" value="mail" />
          <entry key="employeeID" value="employeeID" />
        </map>
      </property>
    </bean>

Setup in the argumentExtractorsConfiguration.xml file:

    <bean id="googleAccountsArgumentExtractor" class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor"
          p:privateKey-ref="privateKeyFactoryBean"
          p:publicKey-ref="publicKeyFactoryBean"
          p:alternateUsername="employeeID" />

However, in the SAML assertion that comes from CAS, the name id that is sent over is just the text "employeeID" instead of the actual employee ID attribute in Active Directory. Any thoughts on why it isn't sending the employee ID value?
If I remove the alternateUsername field from the googleAccountsArgumentExtractor, then CAS does send over the sAMAccountName like it normally should.

Thanks,
David Abney

--
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
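A way to confirm the outcome of this thread end to end is to inspect what the service actually receives. The check below is an added example, not code from CAS or from anyone on the list: it parses a SAML 2.0 Response and flags the thread's symptom, a Subject NameID that is the literal attribute name "employeeID" rather than the directory value. The Response XML, the issuer cas.example.org and the employee ID 123456 are constructed sample values.

```python
# Added example: verify that the NameID in a SAML 2.0 Response carries the
# intended attribute value. The Response built here is a constructed, minimal,
# unsigned sample; a real CAS response is signed and carries more elements.
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def sample_response(name_id: str) -> str:
    """Constructed Response containing only the parts the check needs."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_constructed-1" Version="2.0" IssueInstant="2016-01-26T21:00:00Z">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_constructed-2" Version="2.0" IssueInstant="2016-01-26T21:00:00Z">
    <saml2:Issuer>https://cas.example.org/cas</saml2:Issuer>
    <saml2:Subject><saml2:NameID>{name_id}</saml2:NameID></saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def check_name_id(response_xml, username_attribute, expected_value=None):
    """Return the NameID and the problems found with it.

    username_attribute: the attribute CAS was told to release (employeeID here).
    expected_value: what the directory holds for this user, when known.
    """
    root = ET.fromstring(response_xml)
    el = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    name_id = (el.text or "").strip() if el is not None else ""
    problems = []
    if not name_id:
        problems.append("no NameID in the assertion Subject")
    elif name_id == username_attribute:
        # The thread's symptom: a stub attribute repository mapped
        # employeeID -> "employeeID", so the literal name was released.
        problems.append(f"NameID is the literal attribute name {username_attribute!r}; "
                        "check whether a stubbed attribute repository takes precedence")
    elif expected_value is not None and name_id != expected_value:
        problems.append(f"NameID {name_id!r} does not match expected {expected_value!r} "
                        "(a different attribute may be released)")
    return {"name_id": name_id, "problems": problems}
```

Run it against a captured Response from the Google Apps service to confirm the NameID is the employee ID and not the attribute name or the sAMAccountName.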
