Hi,

I'm working on integration with Azure AD too. I was able to connect via
OpenID. To map attributes you need to define the default attributes. Example
below:

cas.authn.attributeRepository.merger=REPLACE
cas.authn.releaseProtocolAttributes=true
cas.authn.attributeRepository.defaultAttributesToRelease=email,given_name,family_name,name

After that, attribute mapping started working for me.

Can you share the configuration for how the integration with the SAML IdP is working for you?
With OAuth 2.0 and OpenID I had a problem with Azure AD. The redirect_url
parameter does not redirect with GET parameters, and I had to override the
default Pac4j configuration.

Thanks,
Lukas



On Fri, 5 Oct 2018 at 23:15, Raghavan TV <[email protected]> wrote:

> Hi All
>
> We were able to successfully integrate CAS 5.2.6 using delegated
> authentication against Azure AD (SAML IdP)
>
> We are now looking to map the SAML (claims) attributes to more meaningful
> names
>
> Azure SAML Response
>
> <samlp:Response
>     Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
>     ID="_6a00b756-53f4-4702-b329-7a6af0145fa0"
> InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
>     IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
> https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
>     <samlp:Status><samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
>     <Assertion ID="_337eded3-a927-4674-b78a-77259cfbf784"
> IssueInstant="2018-10-04T13:22:05.275Z"
>         Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>         <Issuer>
> https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
>         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <SignedInfo><CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="
> http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>                 <Reference URI="#_337eded3-a927-4674-b78a-77259cfbf784">
>                     <Transforms><Transform Algorithm="
> http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> <DigestValue>BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=</DigestValue>
>                 </Reference>
>             </SignedInfo>
>
> <SignatureValue>HAKazQ1ApJ5w0NtxJs5E/qECDRz8C5xYjHtGDJtuuuULrM07HUjkoenQ4L34UhSO4qm6Jgo0roIP1bQAGDlq0DWmPu7P9nyPSaQbKiBMtDAO759rM/g0neTWWfYYuNfDFauA+CBuu1N2W15h/oYU85z2D//W8RJQDMB7JvkycPgKF9BY0RON+Rlo2qOFsZ8Z6TxNJgyDxPCQG5natKgVoAZ57lC4+giarBQJQgCFGjy5uckKx4tq2qDuSGnyxqpxqSSm0WNhRR4AqY+kMtNLvEv0aimLX5ezzeOTy7yGmnWNf+l8+FAai2US19Fu/G9xeMH9c3MjZ69MujIkFGqc3A==</SignatureValue>
>             <KeyInfo>
>                 <X509Data>
>
> <X509Certificate>...</X509Certificate>
>                 </X509Data>
>             </KeyInfo>
>         </Signature>
>         <Subject>
>             <NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</NameID>
>             <SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
> InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
>                 NotOnOrAfter="2018-10-04T13:27:05.275Z"
>                 Recipient="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"/></SubjectConfirmation>
>         </Subject>
>         <Conditions NotBefore="2018-10-04T13:17:05.275Z"
> NotOnOrAfter="2018-10-04T14:17:05.275Z">
>             <AudienceRestriction>
>
> <Audience>spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695</Audience>
>             </AudienceRestriction>
>         </Conditions>
>         <AttributeStatement>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
>
> <AttributeValue>522b3803-a001-4675-b3b5-1d727d43585a</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
>
> <AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
>                 <AttributeValue>[email protected]
> </AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
>                 <AttributeValue>Firstname Lastname</AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
>                 <AttributeValue>
> https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
> </AttributeValue>
>             </Attribute>
>             <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
>                 <AttributeValue>
> http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
> </AttributeValue>
>                 <AttributeValue>
> http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
>             </Attribute>
>         </AttributeStatement>
>         <AuthnStatement AuthnInstant="2018-10-04T09:50:06.611Z"
>             SessionIndex="_337eded3-a927-4674-b78a-77259cfbf784">
>             <AuthnContext>
>
> <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
>             </AuthnContext>
>         </AuthnStatement>
>     </Assertion>
> </samlp:Response>
>
>
> CAS Client Response
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
>         <cas:attributes>
>             <cas:isFromNewLogin>true</cas:isFromNewLogin>
>
> <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
>
> <cas:authenticationDate>2018-10-04T13:22:05.643Z[Etc/UTC]</cas:authenticationDate>
>             <cas:clientName>MY_SAML</cas:clientName>
>
> <cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
>
> <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname
> Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
>             <cas:notBefore>2018-10-04T13:17:05.275Z</cas:notBefore>
>             <cas:credentialType>ClientCredential</cas:credentialType>
>
> <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
> http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
> </cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
>
> <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
> http://schemas.microsoft.com/claims/multipleauthn
> </cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
>
> <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>522b3803-a001-4675-b3b5-1d727d43585a</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>
>
> <cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
> [email protected]
> </cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
>
> <cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
>
> <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
> https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
> </cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
>             <cas:notOnOrAfter>2018-10-04T14:17:05.275Z</cas:notOnOrAfter>
>
> <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
>
> <cas:sessionindex>_337eded3-a927-4674-b78a-77259cfbf784</cas:sessionindex>
>             </cas:attributes>
>     </cas:authenticationSuccess>
> </cas:serviceResponse>
>
>
>
> We tried to use the AttributeResolver on the CAS server side configuration
> but it is not working now.
>
>
>
>
> Any pointers on what is wrong with the way we are trying the attribute mapping?
>
> Sample attribute resolution mapping that we are trying (groovy map,
> attrname map):
>
> "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "name" : "username",
>       "displayname" : "userdisplayname",
>       "someattrname" : "groovy { return attributes['name'] }",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572" : "id",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65" : "name",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964" : "appId",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573" : "passwordUrl",
>       "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65" : "email",
>       "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572" : "serviceUrl",
>       "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f7375726e616d65" : "lastName",
>       "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f676976656e6e616d65" : "firstName"
>     }
>   }
>
>
> Any pointers around attribute mapping will be really helpful
>
> Thanks
> Raghav
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c44685d-7b4b-4a58-b6ee-ff675d975daa%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c44685d-7b4b-4a58-b6ee-ff675d975daa%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAD1CM_h%3D4EyQ6N9V-LSBp7VfJZjWVkjSceOvbHSvq0YBddbKNw%40mail.gmail.com.
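The cas:6874... element names in Raghav's CAS response are the Azure claim URIs hex-encoded byte by byte (68 74 74 70 is "http"), and the keys in his release policy are those same hex strings. The script below is an added example, not code from CAS, pac4j or either poster: it decodes those names, checks them against the claim names in the posted assertion, and shows that two of the policy keys (surname and givenname) name claims Azure did not send, so those two mappings cannot release anything whatever else is wrong. The trimmed XML samples and the user@example.com address are constructed stand-ins for the posted data, and the function names are mine. Whether the CAS 5.2 release policy matches on the hex form or on the decoded URI is not established by this thread; the decoded names the script produces are the other key form to try.

```python
"""Decode the hex-encoded attribute names in a CAS 3.0 serviceResponse and
check them against the claim names in the Azure AD SAML assertion.
Added example for this thread, not CAS, pac4j or the posters' code."""
import re
import xml.etree.ElementTree as ET  # for untrusted XML use defusedxml instead

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Element names exactly as they appear in the posted CAS response and policy:
# each pair of hex digits is one byte of the claim URI (68 74 74 70 = "http").
HEX_OBJECTID = "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572"
HEX_NAME = "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65"
HEX_DISPLAY = "687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65"
HEX_SURNAME = "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f7375726e616d65"
HEX_GIVENNAME = "687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f676976656e6e616d65"

# Constructed sample: the posted CAS response trimmed to three attributes
# (the e-mail address is a placeholder; the wrapped display name is as posted).
CAS_RESPONSE = f"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
    <cas:attributes>
      <cas:clientName>MY_SAML</cas:clientName>
      <cas:{HEX_OBJECTID}>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:{HEX_OBJECTID}>
      <cas:{HEX_DISPLAY}>Firstname
Lastname</cas:{HEX_DISPLAY}>
      <cas:{HEX_NAME}>user@example.com</cas:{HEX_NAME}>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the AttributeStatement of the posted Azure assertion.
SAML_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>user@example.com</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <AttributeValue>Firstname Lastname</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Subset of the posted ReturnMappedAttributeReleasePolicy map, keyed as posted.
POSTED_POLICY = {"name": "username", "displayname": "userdisplayname", HEX_OBJECTID: "id",
                 HEX_NAME: "email", HEX_SURNAME: "lastName", HEX_GIVENNAME: "firstName"}

HEX_ONLY = re.compile(r"^[0-9a-f]+$")
# Leaf elements inside <cas:attributes>. The hex names start with a digit, so
# they are not valid namespaced XML names; a regex avoids parser rejection.
CAS_ATTR = re.compile(r"<cas:([A-Za-z0-9_]+)>([^<]*)</cas:\1>")

def decode_cas_attribute_name(name: str) -> str:
    """Reverse the hex encoding CAS applies to attribute names that are not valid
    XML names. Plain names pass through; an all-hex short name is only decoded
    if the result is printable, since e.g. "1234" could be a real attribute."""
    if HEX_ONLY.match(name) and len(name) % 2 == 0:
        try:
            decoded = bytes.fromhex(name).decode("utf-8")
        except UnicodeDecodeError:
            return name
        if decoded.isprintable():
            return decoded
    return name

def extract_cas_attributes(response: str) -> dict[str, list[str]]:
    """Decoded attribute name -> values; multi-valued attributes repeat the element."""
    block = re.search(r"<cas:attributes>(.*?)</cas:attributes>", response, re.DOTALL)
    attrs: dict[str, list[str]] = {}
    for raw_name, value in CAS_ATTR.findall(block.group(1) if block else ""):
        attrs.setdefault(decode_cas_attribute_name(raw_name), []).append(" ".join(value.split()))
    return attrs

def saml_attributes(assertion: str) -> dict[str, list[str]]:
    """Claim Name -> values from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion)
    return {a.get("Name"): [" ".join((v.text or "").split()) for v in a.findall("saml:AttributeValue", SAML_NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)}

def compare(cas_attrs: dict, saml_attrs: dict) -> dict[str, list[str]]:
    """Decoded CAS names that line up with a claim, and claims CAS never released."""
    return {"matched": sorted(n for n in cas_attrs if n in saml_attrs and cas_attrs[n] == saml_attrs[n]),
            "value_mismatch": sorted(n for n in cas_attrs if n in saml_attrs and cas_attrs[n] != saml_attrs[n]),
            "not_released": sorted(n for n in saml_attrs if n not in cas_attrs)}

def unmatched_policy_keys(allowed: dict[str, str], saml_attrs: dict) -> list[str]:
    """Policy keys that, once decoded, name no claim in the assertion: a bare "name"
    is not the claim's full URI, and Azure sent no surname/givenname claim at all,
    so those mappings cannot release anything whichever key form CAS matches on."""
    decoded = [decode_cas_attribute_name(k) for k in allowed]
    return sorted(k for k in decoded if k not in saml_attrs)

if __name__ == "__main__":
    cas, saml = extract_cas_attributes(CAS_RESPONSE), saml_attributes(SAML_ASSERTION)
    print(cas, compare(cas, saml), unmatched_policy_keys(POSTED_POLICY, saml), sep="\n")
```

Run it against a real response by pasting the `<cas:serviceResponse>` body into CAS_RESPONSE and the IdP's `<Assertion>` into SAML_ASSERTION; `not_released` then lists the claims the IdP sent that CAS dropped, which is the first thing to check before touching the mapping.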
