On Thu, Feb 22, 2018 at 4:14 PM, Bryan K. Walton <bwal...@leepfrog.com> wrote:
> We have a mod_auth_cas installation where the CAS server on the other
> end is sending us XML attributes in their response.  I don't have any
> details on their CAS server version.  What I do know is that we are
> using the serviceValidate url for validation.  The CAS server, in
> question, does NOT have a samlValidate url option for us.
>
> When a user authenticates to our application, we get a validation
> response from their CAS server that looks like this:
>
> [Thu Feb 22 14:41:23.833837 2018] [:debug] [pid 21153]
> mod_auth_cas.c(1838): [client 10.1.88.60:39852] Validation response:
> <cas:serviceResponse
> xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess><cas:user>jdoe</cas:user><cn><![CDATA[---
> - John Doe
> ]]></cn><campusstatus><![CDATA[---
> - Staff
> ]]></campusstatus><sn><![CDATA[---
> - Doe
> ]]></sn><departmentnumber><![CDATA[---
> - Student Affairs
> ]]></departmentnumber><givenname><![CDATA[---
> - John
> ]]></givenname></cas:authenticationSuccess></cas:serviceResponse>
>
> As long as we use require valid-user, everything is fine, and users gain
> access to the application.
>
> My question, can mod_auth_cas work with these XML attributes
> for authorization control, without having access to a samlValidate url
> option?  For example, we would like to instruct Apache to limit access
> to those users who have "Staff" in the "<campusstatus>" element.

mod_auth_cas supports SAML attributes with /samlValidate and CASv2
attributes with /serviceValidate (note that you must use git master
for this support).

The payload above does not look like what I would expect, which is
outlined here:

https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html#255-attributes-cas-30

It will not be parsed correctly and you will not be able to use those
values for authorization without modifying mod_auth_cas.
/serviceValidate in mod_auth_cas expects <cas:attributes/>.

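The difference between the quoted payload and the `<cas:attributes>` form the reply refers to, as an added example that is not part of the original message and is not mod_auth_cas code: a Python sketch that reads attributes only from inside `<cas:attributes>` and fails closed otherwise. Both sample responses are constructed (the first mirrors the shape of the quoted log), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample with the shape quoted in the thread: attribute elements
# sit directly under authenticationSuccess, un-namespaced, YAML-like CDATA.
NONCONFORMING = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationSuccess><cas:user>jdoe</cas:user>'
    '<campusstatus><![CDATA[---\n- Staff\n]]></campusstatus>'
    '</cas:authenticationSuccess></cas:serviceResponse>'
)
# Constructed sample with attributes wrapped in <cas:attributes>.
CONFORMING = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationSuccess><cas:user>jdoe</cas:user>'
    '<cas:attributes><cas:campusstatus>Staff</cas:campusstatus>'
    '</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>'
)

def parse_service_validate(xml_text):
    """Return (user, attributes, stray_tags) for a serviceValidate response."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None, {}, []
    user = success.findtext(f"{{{CAS_NS}}}user")
    attrs = {}
    block = success.find(f"{{{CAS_NS}}}attributes")
    if block is not None:
        for el in block:
            name = el.tag.rsplit("}", 1)[-1]  # strip the namespace part
            attrs.setdefault(name, []).append((el.text or "").strip())
    # Children outside the CAS namespace are reported but never trusted.
    stray = [el.tag for el in success if not el.tag.startswith(f"{{{CAS_NS}}}")]
    return user, attrs, stray

def is_authorized(xml_text, name, value):
    """Fail closed: only values found under <cas:attributes> can authorize."""
    user, attrs, _ = parse_service_validate(xml_text)
    return user is not None and value in attrs.get(name, [])

if __name__ == "__main__":
    for label, doc in (("nonconforming", NONCONFORMING), ("conforming", CONFORMING)):
        print(label, parse_service_validate(doc),
              is_authorized(doc, "campusstatus", "Staff"))
```
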