Short answer:

cas.authn.attributeRepository.ldap[0].attributes.employeeNumber: UDC_IDENTIFIER

The last element of the property name is the name of the attribute in the
directory, the value of the property is the name you want to give it when
it's released to applications. The above assumes you've set up attribute
resolution properties already. If you haven't, see the CAS documentation:
https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#authentication-attributes

Note that the above method does the renaming at attribute resolution time,
not attribute release time -- in other words, every application that you
release this attribute to will get an attribute called "UDC_IDENTIFIER",
because that's what it's called by the time you get to the attribute
release rules. If you would rather have only certain applications see it as
UDC_IDENTIFIER (say, the Ellucian apps) and have the others continue to see
it as "employeeNumber", then you should do the renaming at attribute
release time in the service definition, like this:
https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html#return-mapped

Personally, although I had been going down the road of doing the renaming
at attribute resolution time, I have recently been rethinking this and am
now leaning towards doing it at attribute release time. When we first
installed CAS 3.5, one of the first applications that we CAS-ified forced
us into some really stupid attribute names (including one that breaks the
rules by including a space in the name) that nothing from any other vendor
expects. With CAS 5's more flexible attribute release capabilities, I'm
thinking it's time to clean this up and use standard (or more standard,
anyway) names for everything that supports them, and limit the weird names
to the one or two applications that want them.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]

On Tue, Sep 26, 2017 at 8:46 AM, charlie derr <[email protected]> wrote:

> Greetings,
>    We are new to CAS, but have managed to successfully get 5.1 working
> with our LDAP directory on the back end. Apologies if this is a FAQ, but
> I've looked around the web for the answer and only found instructions on
> how to do this with 4.x (and earlier) CAS installs.
>    We have a need to expose the LDAP attribute employeeNumber (it's
> present directly on each user's entry) as UDC_IDENTIFIER to the
> application using CAS (Self-Service Banner). Any pointers or links to
> documentation on how to correctly and securely accomplish this will very
> much be appreciated.
>
>        thanks ever so much,
>            ~c
>
> --
> Charlie Derr
> Director of Instructional Technology
> Bard College at Simon's Rock
> 413-528-7344
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/73f5132e-8feb-31d6-b376-
> 29d57c23635f%40simons-rock.edu.
>
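
The release-time renaming described in the reply above, as an added example that is not part of the original thread or the CAS project's own files: a service definition using the Return Mapped policy from the linked documentation. The serviceId pattern, name, id and evaluationOrder are constructed placeholders, and it assumes the attribute is resolved under its directory name (employeeNumber) rather than renamed at resolution time.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://banner\\.example\\.edu/.*",
  "name" : "Self-Service Banner",
  "id" : 1001,
  "description" : "Constructed example: placeholder URL pattern and id",
  "evaluationOrder" : 10,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "employeeNumber" : "UDC_IDENTIFIER"
    }
  }
}
```

Only this service receives the value as UDC_IDENTIFIER, and because the policy releases only the attributes it lists, nothing else from the directory reaches the application through it.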
