Hi,

I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
depending on the issue of which binding is being used for the
<AuthnRequest>, as detailed in an earlier note to this list).
I am delegating authentication to a SAML2 IdP using pac4j.

After a successful authentication I see in cas.log:

2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] -
<profile: #SAML2Profile# | id:
AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ== |
attributes:
{urn:oid:0.9.2342.19200300.100.1.3=[[email protected]],
mail=[[email protected]],
urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda],
givenName=[Scott],
urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z,
uid=[scott.koranda],
urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[[email protected]],
notOnOrAfter=2018-03-22T14:49:45.460Z,
eduPersonPrincipalName=[[email protected]],
urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
permissions: [] | isRemembered: false | clientName: null | linkedId:
null |>

Those are the values for NameID (transient) and attributes that I
expect.

The next line in cas.log is:

2018-03-22 14:44:46,402 INFO
[org.apereo.cas.authentication.AbstractAuthenticationManager] -
<Authenticated principal
[AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
with attributes [{}] via credentials
[[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>

So it appears that the NameID value (transient) is being used as the
principal, but none of the attributes are making it from the pac4j layer
into the CAS layer.
Is that a correct assessment?

If so, how can I

a) change what value is used for the principal? I would like to use the
value from one of the asserted attributes.

b) push the attributes into the CAS layer to make them available for
assertion downstream to the CAS client?

I have reviewed the documentation for the Delegated/pac4j authentication at
https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html
and that for Attribute Resolution at
https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html
but I am not able to find a configuration option that appears to tell
pac4j to push the attributes into the Authentication object.

Thank you for your consideration.

Scott K