Hi All

We were able to successfully integrate CAS 5.2.6 with delegated authentication against Azure AD (acting as the SAML IdP).

We would now like to map the SAML attributes (Azure AD claims) to shorter, more meaningful names before CAS releases them to client applications.

Azure SAML Response

<samlp:Response
    
Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
    ID="_6a00b756-53f4-4702-b329-7a6af0145fa0" 
InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
    IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer 
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
    <samlp:Status><samlp:StatusCode 
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <Assertion ID="_337eded3-a927-4674-b78a-77259cfbf784" 
IssueInstant="2018-10-04T13:22:05.275Z"
        Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        
<Issuer>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo><CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_337eded3-a927-4674-b78a-77259cfbf784">
                    <Transforms><Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    
<DigestValue>BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=</DigestValue>
                </Reference>
            </SignedInfo>
            
<SignatureValue>HAKazQ1ApJ5w0NtxJs5E/qECDRz8C5xYjHtGDJtuuuULrM07HUjkoenQ4L34UhSO4qm6Jgo0roIP1bQAGDlq0DWmPu7P9nyPSaQbKiBMtDAO759rM/g0neTWWfYYuNfDFauA+CBuu1N2W15h/oYU85z2D//W8RJQDMB7JvkycPgKF9BY0RON+Rlo2qOFsZ8Z6TxNJgyDxPCQG5natKgVoAZ57lC4+giarBQJQgCFGjy5uckKx4tq2qDuSGnyxqpxqSSm0WNhRR4AqY+kMtNLvEv0aimLX5ezzeOTy7yGmnWNf+l8+FAai2US19Fu/G9xeMH9c3MjZ69MujIkFGqc3A==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    
<X509Certificate>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</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</NameID>
            <SubjectConfirmation 
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData 
InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
                NotOnOrAfter="2018-10-04T13:27:05.275Z"
                
Recipient="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"/></SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2018-10-04T13:17:05.275Z" 
NotOnOrAfter="2018-10-04T14:17:05.275Z">
            <AudienceRestriction>
                
<Audience>spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute 
Name="http://schemas.microsoft.com/identity/claims/tenantid">
                
<AttributeValue>522b3803-a001-4675-b3b5-1d727d43585a</AttributeValue>
            </Attribute>
            <Attribute 
Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                
<AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
            </Attribute>
            <Attribute 
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>[email protected]</AttributeValue>
            </Attribute>
            <Attribute 
Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>Firstname Lastname</AttributeValue>
            </Attribute>
            <Attribute 
Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                
<AttributeValue>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</AttributeValue>
            </Attribute>
            <Attribute 
Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
                
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2018-10-04T09:50:06.611Z"
            SessionIndex="_337eded3-a927-4674-b78a-77259cfbf784">
            <AuthnContext>
                
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>


CAS Client Response

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
        <cas:attributes>
            <cas:isFromNewLogin>true</cas:isFromNewLogin>
            
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
            
<cas:authenticationDate>2018-10-04T13:22:05.643Z[Etc/UTC]</cas:authenticationDate>
            <cas:clientName>MY_SAML</cas:clientName>
            
<cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
            
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
            <cas:notBefore>2018-10-04T13:17:05.275Z</cas:notBefore>
            <cas:credentialType>ClientCredential</cas:credentialType>
            
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
            
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
            
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>522b3803-a001-4675-b3b5-1d727d43585a</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>
            
<cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>[email protected]</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
            
<cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
            
<cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
            <cas:notOnOrAfter>2018-10-04T14:17:05.275Z</cas:notOnOrAfter>
            
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
            
<cas:sessionindex>_337eded3-a927-4674-b78a-77259cfbf784</cas:sessionindex>
            </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>



We tried to do this with an attribute release policy (attribute resolver) in the CAS server-side service configuration, but the mapping is not being applied yet.




Any pointers on what is wrong with the way we are trying to do the attribute mapping?

Sample attribute release mapping that we are trying (a ReturnMappedAttributeReleasePolicy with an inline Groovy script and an attribute-name map). Two things worth checking against the snippet below: the JSON is not valid as written, because the `someattrname` entry has no trailing comma before the next key; and the hex keys are simply the Azure claim URIs hex-encoded (`687474703a2f2f…` is `http://…`), which is how CAS renders names that are not valid XML element names in the validation response, so the policy may need to be keyed by the original claim URI rather than by the encoded form (same for `attributes['name']` in the Groovy script, since the released claim is the full `…/identity/claims/name` URI). Note also that the `surname` and `givenname` entries refer to claims that do not appear in the SAML response above.
"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "name" : "username",
      "displayname" : "userdisplayname",
      "someattrname" : "groovy { return attributes['name']}"
      
      "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572" : "id",
      
      "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65" : "name",
      
      "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964" : "appId",
      
      "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573" : "passwordUrl",
      
      "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65" : "email",
      
      "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572" : "serviceUrl",
      
      "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f7375726e616d65" : "lastName",
      
      "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f676976656e6e616d65" : "firstName"
    }
   }


Any pointers around attribute mapping will be really helpful

Thanks
Raghav
