Hi Jérôme,

The issue goes away with CAS version 5.2.3 and pac4j version 2.3.1.

Thanks,

Scott K

> Hi Jérôme,
> 
> I am using the JSON service registry. The service is registered as
> 
> {
>     "@class" : "org.apereo.cas.services.RegexRegisteredService",
>     "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
>     "name" : "testClient01",
>     "id" : 1,
>     "evaluationOrder" : 10,
>     "attributeReleasePolicy" : {
>         "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>     },
>     "usernameAttributeProvider" : {
>         "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
>         "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1",
>         "canonicalizationMode" : "NONE"
>     }
> }
> 
> So I believe the correct attribute release policy is in place to release all
> attributes to the service.
> 
> The CAS log file contains this WARN message:
> 
> 2018-03-24 10:02:59,411 WARN [org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider] - <Principal
> [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==]
> does not have an attribute [urn:oid:0.9.2342.19200300.100.1.1] among attributes [{}] so CAS cannot provide
> the user attribute the service expects. CAS will instead return the default principal id
> [AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA==].
> Ensure the attribute selected as the username is allowed to be released by the service attribute release policy.>
> 
> So CAS thinks there is no attribute "urn:oid:0.9.2342.19200300.100.1.1" but
> earlier in the log file pac4j logs
> 
> 2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - <profile: #SAML2Profile# | id:
> AAdzZWNyZXQxoaZsp8jwcLkuGIb3wouQ4fg7MWmqgx+bnkd/EuWdmYlccwnzGtnBELaGS7ZMhiYxjvbzbXmlFcmhlQyJe9RyOsSx27yE14APpGvAWDpuR9bkuah8SfexOMbogtnYyK3aMRXjnFqsso5giA== |
> attributes: {urn:oid:0.9.2342.19200300.100.1.3=[skoranda@gmail.com], mail=[[email protected]],
> urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott],
> urn:oid:2.5.4.42=[Scott], notBefore=2018-03-24T10:02:57.588Z, uid=[scott.koranda],
> urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda],
> urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[scott.koranda@sphericalcowgroup.com], notOnOrAfter=2018-03-24T10:07:57.588Z,
> eduPersonPrincipalName=[[email protected]], urn:oid:2.5.4.4=[Koranda], sn=[Koranda],
> sessionindex=_0572dab54bff96c199e29f058aae9302} | roles: [] | permissions: [] |
> isRemembered: false | clientName: null | linkedId: null |>
> 
> where the attribute urn:oid:0.9.2342.19200300.100.1.1 is explicitly shown to
> be populated.
> 
> Am I missing something in my JSON service configuration?
> 
> Again this is for version 5.1.3.
> 
> Thanks,
> 
> Scott K
> 
> > Hi,
> > 
> > The behavior is to create the CAS principal and attributes from the pac4j
> > principal and attributes. So you should get the pac4j attributes at the end.
> > Ignore the log about the ClientCredential, the toString method just outputs
> > the id (not the attributes).
> > 
> > Is the service configured properly (with ReturnAllAttributeReleasePolicy
> > for example)?
> > 
> > Thanks.
> > Best regards,
> > Jérôme
> > 
> > 
> > On Thu, Mar 22, 2018 at 4:25 PM, Scott Koranda <[email protected]> wrote:
> > 
> > > Hi,
> > >
> > > I am using CAS 5.1.3 (though I might be able to upgrade to 5.2.3,
> > > depending on the issue of which binding is being used for the
> > > <AuthnRequest>, as detailed in an earlier note to this list).
> > >
> > > I am delegating authentication to a SAML2 IdP using pac4j.
> > >
> > > After a successful authentication I see in cas.log
> > >
> > > 2018-03-22 14:44:46,372 DEBUG [org.pac4j.saml.client.SAML2Client] - <profile: #SAML2Profile# | id:
> > > AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ== |
> > > attributes: {urn:oid:0.9.2342.19200300.100.1.3=[[email protected]], mail=[[email protected]],
> > > urn:oid:0.9.2342.19200300.100.1.1=[scott.koranda], displayName=[Scott Koranda], givenName=[Scott],
> > > urn:oid:2.5.4.42=[Scott], notBefore=2018-03-22T14:44:45.460Z, uid=[scott.koranda],
> > > urn:oid:2.16.840.1.113730.3.1.241=[Scott Koranda], urn:oid:1.3.6.1.4.1.5923.1.1.1.6=[[email protected]],
> > > notOnOrAfter=2018-03-22T14:49:45.460Z, eduPersonPrincipalName=[[email protected]],
> > > urn:oid:2.5.4.4=[Koranda], sn=[Koranda], sessionindex=_570a4d9a94551c4e52cf75415fac58f0} | roles: [] |
> > > permissions: [] | isRemembered: false | clientName: null | linkedId: null |>
> > >
> > > Those are the values for NameID (transient) and attributes that I
> > > expect.
> > >
> > > The next line in cas.log is
> > >
> > > 2018-03-22 14:44:46,402 INFO [org.apereo.cas.authentication.AbstractAuthenticationManager] - <Authenticated principal
> > > [AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]
> > > with attributes [{}] via credentials
> > > [[org.apereo.cas.authentication.principal.ClientCredential@6c1c5d52[id=AAdzZWNyZXQxQJ7RzalR0+OnEE09XX3FnuYElvWkhkCSbAshdwAYSR5WQq3x7qEeuj6lzDF18EwarKKWUhElP5/dR+k1h1NlMaLBZmgeA/5fGFSHZwZEABRLliyrpjaNW7HK+sqDWq73E8uqJp0pzRmivQ==]]].>
> > >
> > > So it appears that the NameID value (transient) is being used as the
> > > principal, but none of the attributes are making it from the pac4j layer
> > > into the CAS layer.
> > >
> > > Is that a correct assessment?
> > >
> > > If so, how can I
> > >
> > > a) change what value is used for the principal? I would like to use the
> > > value from one of the asserted attributes.
> > >
> > > b) push the attributes into the CAS layer to make them available for
> > > assertion downstream to the CAS client?
> > >
> > > I have reviewed the documentation for the Delegated/pac4j authentication at
> > >
> > > https://apereo.github.io/cas/5.1.x/integration/Delegate-Authentication.html
> > >
> > > and that for Attribute Resolution at
> > >
> > > https://apereo.github.io/cas/5.1.x/integration/Attribute-Resolution.html
> > >
> > > but I am not able to find a configuration option that appears to tell
> > > pac4j to push the attributes into the Authentication object.
> > >
> > > Thank you for your consideration.
> > >
> > > Scott K
> > >
> > >
> > >
> > 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20180325203442.ds2imnwlzm7t2sfv%40paprika.local.
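The thread's diagnosis rests on comparing two log lines: the pac4j profile DEBUG line that lists the asserted attributes, and the CAS WARN line saying the principal has no attribute the service's usernameAttributeProvider expects. The following is an added example (not code from the thread, CAS or pac4j) that parses both lines plus the service JSON and classifies where the attribute went missing; the log lines, the transient id placeholder and the attribute values are constructed for the example.

```python
import json
import re

# Constructed sample inputs modelled on the thread; id and values are placeholders.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://my.org/testing/cas/phpclient/example_simple.php",
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "urn:oid:0.9.2342.19200300.100.1.1"
  }
}"""
PAC4J_LINE = ("2018-03-24 10:02:58,906 DEBUG [org.pac4j.saml.client.SAML2Client] - "
              "<profile: #SAML2Profile# | id: TRANSIENT-ID-PLACEHOLDER | attributes: "
              "{urn:oid:0.9.2342.19200300.100.1.1=[jdoe], uid=[jdoe], sn=[Doe]} | "
              "roles: [] | permissions: [] | isRemembered: false | clientName: null |>")
CAS_WARN_LINE = ("2018-03-24 10:02:59,411 WARN [org.apereo.cas.services."
                 "PrincipalAttributeRegisteredServiceUsernameProvider] - <Principal "
                 "[TRANSIENT-ID-PLACEHOLDER] does not have an attribute "
                 "[urn:oid:0.9.2342.19200300.100.1.1] among attributes [{}] so CAS ...>")

def username_attribute(service_json):
    # The attribute the service's usernameAttributeProvider expects, or None.
    provider = json.loads(service_json).get("usernameAttributeProvider", {})
    if provider.get("@class", "").endswith("PrincipalAttributeRegisteredServiceUsernameProvider"):
        return provider.get("usernameAttribute")
    return None

def pac4j_attributes(line):
    # Parse the 'attributes: {name=[v1, v2], ...}' map from a pac4j profile line.
    m = re.search(r"attributes: \{(.*?)\} \| roles:", line)
    return {name: [v.strip() for v in vals.split(",") if v.strip()]
            for name, vals in re.findall(r"([^\s,=]+)=\[([^\]]*)\]", m.group(1))} if m else {}

def cas_missing_attribute(line):
    # (wanted attribute, principal attribute map text) from the CAS WARN line.
    m = re.search(r"does not have an attribute \[(.*?)\] among attributes \[(.*?)\]", line)
    return (m.group(1), m.group(2)) if m else None

def diagnose(service_json, pac4j_line, cas_line):
    # Classify where the username attribute went missing along the chain.
    wanted = username_attribute(service_json)
    delivered = pac4j_attributes(pac4j_line)
    warned = cas_missing_attribute(cas_line)
    if wanted is None:
        return "no-principal-attribute-username"
    if wanted not in delivered:
        return "idp-did-not-release"         # fix attribute release at the IdP
    if warned and warned[0] == wanted and warned[1] == "{}":
        return "attributes-dropped-in-cas"   # pac4j had it, CAS principal is empty
    return "ok"
```

On the thread's own logs the result is "attributes-dropped-in-cas": the IdP asserted the attribute and pac4j parsed it, so the loss lies in the pac4j-to-CAS handoff rather than in the service's release policy.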
