https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#ldap-authentication
 see lines 16-20


From: Dmitriy Kopylenko <[email protected]>
Reply: Dmitriy Kopylenko <[email protected]>
Date: February 13, 2017 at 12:17:38 PM
To: [email protected] <[email protected]>
Subject:  Re: [cas-user] Setting up CAS 5.0.2 Server and Banner XE 404 
cas/samlValidate?  

Are you “resolving” the attributes? 
https://apereo.github.io/cas/5.0.x/integration/Attribute-Resolution.html

There are 2 pieces to attributes in CAS: 1) resolution, 2) release. First you 
need to resolve them from the target authentication store (or some other 
attribute repository), then release them to services.

Cheers,
D.


From: Rob <[email protected]>
Reply: [email protected] <[email protected]>
Date: February 13, 2017 at 11:40:25 AM
To: [email protected] <[email protected]>
Subject:  [cas-user] Setting up CAS 5.0.2 Server and Banner XE 404 
cas/samlValidate?

Hello All, 

My question is: is there another place to set up additional attributes, other 
than the JSON service definition's attribute release policy, when using a SAML 1.1 
response?

I am setting up a CAS 5.0.2 server. I have successfully got it hooked up to our 
LDAP server and authenticating. I have successfully gotten it working with our 
Grails 2.5.5 apps. 

I then configured the service policy to return attributes, specifically: 

  "attributeReleasePolicy" : {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "xxxPersonUDCID": "UDC_IDENTIFIER",
      "uid": "uid",
      "mail": "mail",
      "eduPersonPrincipalName": "eduPersonPrincipalName",
      "eduPersonAffiliation": "eduPersonAffiliation",
      "employeeID": "employeeID",
      "sn": "sn",
      "givenName": "givenName",
      "xxxPersonIdmRoles": "xxxPersonIdmRoles"
    }
  }

I can see in the logs these attributes are being returned.

When I try to auth via the Banner XE app, it makes a request to /samlValidate which 
returns the following error:

Error Message: 
https://casdevinternal.xxx.edu/cas/samlValidate?TARGET=https%3A%2F%2Fxessdev1.xx.edu%3A8446%2FPRDCStudentFacultyGradeEntry%2Fj_spring_cas_security_check
    

So I add the dependency for SAML to my pom:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>5.0.2</version>
</dependency>

That solves the 404 and now I see in the logs CAS is returning a SAML 1.1 
response, but not my additional attributes:

<?xml version="1.0" encoding="UTF-8"?>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
InResponseTo="xxx.xxx.edu" IssueInstant="2017-02-10T22:12:53.558Z" 
MajorVersion="1" MinorVersion="1" 
ResponseID="_baa0795a4ed62b994dd3839427602a20">
<saml1p:Status>
<saml1p:StatusCode Value="saml1p:Success"/>
</saml1p:Status>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_fb1332132e4c49e4cced0e8458f224d7" 
IssueInstant="2017-02-10T22:12:53.558Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1">
<saml1:Conditions NotBefore="2017-02-10T22:12:53.558Z" 
NotOnOrAfter="2017-02-10T22:13:23.558Z">
<saml1:AudienceRestrictionCondition>
<saml1:Audience>https://xxx.xxx.edu:8444/PPRDStudentRegistration/j_spring_cas_security_check</saml1:Audience>
</saml1:AudienceRestrictionCondition>
</saml1:Conditions>
<saml1:AuthenticationStatement AuthenticationInstant="2017-02-10T22:12:53.380Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml1:Subject>
<saml1:NameIdentifier>edelmand</saml1:NameIdentifier>
<saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
</saml1:SubjectConfirmation>
</saml1:Subject>
</saml1:AuthenticationStatement>
<saml1:AttributeStatement>
<saml1:Subject>
<saml1:NameIdentifier>joesmith</saml1:NameIdentifier>
<saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
</saml1:SubjectConfirmation>
</saml1:Subject>
<saml1:Attribute AttributeName="samlAuthenticationStatementAuthMethod" 
AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="authenticationMethod" 
AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">LdapAuthenticationHandler</saml1:AttributeValue>
</saml1:Attribute>
<saml1:Attribute AttributeName="successfulAuthenticationHandlers" 
AttributeNamespace="http://www.ja-sig.org/products/cas/">
<saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xsd:string">LdapAuthenticationHandler</saml1:AttributeValue>
</saml1:Attribute>
</saml1:AttributeStatement>
</saml1:Assertion>
</saml1p:Response>

What configuration am I missing to return additional attributes now that I have 
added the SAML dependency? 

Thanks for your consideration,

  Rob Mars.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CACjUCoqGMyD_vVaocxvbkes36eLr_3bEfET1u_evNRVZWgp6TA%40mail.gmail.com.
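
A diagnostic for the resolution-versus-release split discussed in this thread, as an added example that is not part of the original messages or of CAS itself: it lists the attributes a samlValidate response actually carries and reports which released names from a ReturnMappedAttributeReleasePolicy are absent. The function names are hypothetical and both samples are constructed, trimmed from the shapes posted above; in the mapped policy each key is the resolved attribute name and each value is the name released to the service.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml1": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: a trimmed release policy in the shape posted above.
POLICY = """{"attributeReleasePolicy": {
  "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes": {"@class": "java.util.TreeMap",
    "xxxPersonUDCID": "UDC_IDENTIFIER", "uid": "uid", "mail": "mail"}}}"""

# Constructed sample: a trimmed samlValidate response in the shape posted above.
RESPONSE = """
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
 <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml1:AttributeStatement>
   <saml1:Attribute AttributeName="authenticationMethod"
     AttributeNamespace="http://www.ja-sig.org/products/cas/">
    <saml1:AttributeValue>LdapAuthenticationHandler</saml1:AttributeValue>
   </saml1:Attribute>
  </saml1:AttributeStatement>
 </saml1:Assertion>
</saml1p:Response>"""


def policy_mapping(policy_json):
    """Map resolved attribute name -> name released to the service."""
    allowed = json.loads(policy_json)["attributeReleasePolicy"]["allowedAttributes"]
    return {k: v for k, v in allowed.items() if k != "@class"}


def released_attributes(saml_xml):
    """Return {AttributeName: [values]} from every SAML 1.1 AttributeStatement."""
    root = ET.fromstring(saml_xml.strip())
    out = {}
    for attr in root.iterfind(".//saml1:AttributeStatement/saml1:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml1:AttributeValue", NS)]
        out.setdefault(attr.get("AttributeName"), []).extend(values)
    return out


def missing_from_response(policy_json, saml_xml):
    """Released names the policy allows but the response does not carry."""
    present = released_attributes(saml_xml)
    return sorted(n for n in policy_mapping(policy_json).values() if n not in present)


if __name__ == "__main__":
    print("in response:", sorted(released_attributes(RESPONSE)))
    print("allowed but absent:", missing_from_response(POLICY, RESPONSE))
```

When every policy-mapped name is reported absent while the built-in authentication attributes are present, the release policy has nothing to release, which points at the resolution step rather than the service definition.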
