David,

I really want to thank you for helping me on this.
I've finally managed to retrieve a multi-valued attribute. Just like
you said, the component responsible for releasing attributes to CAS is the
authentication handler, in my case Active Directory. So what I've done was
create a custom attribute "awsRoles" in Active Directory that supports
multiple values. Then I configured CAS to release the attribute and used my
JSON like this:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 10000003,
  "description" : "SSO AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "awsRoles" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3" : "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}

Here is my SAML response after authentication.

<saml2:Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
                 Name="https://aws.amazon.com/SAML/Attributes/Role"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <saml2:AttributeValue>arn:aws:iam::account-id:role/role-name,arn:aws:iam::account-id:saml-provider/idp_name</saml2:AttributeValue>
    <saml2:AttributeValue>arn:aws:iam::account-id:role/role_name,arn:aws:iam::account-id:saml-provider/idp_name</saml2:AttributeValue>
</saml2:Attribute>

I'm sorry to bother you with this, but thank you for your help in showing me
the way.

Have a nice weekend

Willian
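
A small checker for the Role attribute shown above, added here as an example; it is not code from CAS, AWS or anyone in this thread. It parses a decoded SAML 2.0 assertion, finds the attribute named https://aws.amazon.com/SAML/Attributes/Role, and verifies that every AttributeValue is exactly one "role ARN, saml-provider ARN" pair from the same AWS account, which is the shape AWS needs when a user may pick between several roles. It also rejects the failure mode discussed earlier in the thread, where an attribute repository hands back all pairs flattened into a single comma-joined value. The assertion it parses is constructed for the example; the account ID 123456789012, the role names and the provider name "cas" are placeholders. The two ARNs are accepted in either order and told apart by their type. The checker works on the already-decoded assertion and does not verify the XML signature; it is a configuration sanity check, not a substitute for signature validation at the relying party.

```python
"""Check the AWS Role attribute in a SAML 2.0 assertion released by an IdP such as CAS.

Added example for this thread, not CAS or AWS code. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# IAM role and SAML-provider ARNs: 12-digit account, then role/<name> or saml-provider/<name>.
# Commas are deliberately excluded from the name class because AWS uses "," as the pair separator.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@/-]+)$")

# Constructed sample (placeholder account ID, role names and provider name):
# two AttributeValue elements, the shape produced once a multi-valued directory
# attribute is mapped to the AWS Role attribute name.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{ROLE_ATTR}"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/cas</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/cas</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# The same data flattened into ONE AttributeValue (all four ARNs comma-joined),
# which is the form a naive attribute repository can produce and AWS cannot use.
FLATTENED_SAMPLE = SAMPLE_ASSERTION.replace(
    "</saml2:AttributeValue>\n      <saml2:AttributeValue>", ",")


def _classify(arn: str) -> tuple[str, str]:
    """Return (account_id, kind) for an IAM role or saml-provider ARN, else raise."""
    m = ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role or saml-provider ARN: {arn!r}")
    return m.group(1), m.group(2)


def parse_role_pair(value: str) -> tuple[str, str]:
    """Split one AttributeValue into (role_arn, provider_arn).

    Exactly two ARNs are required, one of each kind, in the same account.
    Order is not significant; the ARN type decides which is which.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'role-arn,provider-arn', got {len(parts)} ARNs in {value!r}")
    by_kind: dict[str, str] = {}
    accounts: set[str] = set()
    for arn in parts:
        account, kind = _classify(arn)
        if kind in by_kind:
            raise ValueError(f"two {kind} ARNs in one value: {value!r}")
        by_kind[kind] = arn
        accounts.add(account)
    if set(by_kind) != {"role", "saml-provider"}:
        raise ValueError(f"need one role and one saml-provider ARN in {value!r}")
    if len(accounts) != 1:
        raise ValueError(f"role and provider belong to different accounts: {value!r}")
    return by_kind["role"], by_kind["saml-provider"]


def extract_aws_roles(assertion_xml: str) -> list[tuple[str, str]]:
    """Return every (role_arn, provider_arn) pair carried by the AWS Role attribute."""
    root = ET.fromstring(assertion_xml)
    attr = next((el for el in root.iter(f"{{{SAML2_NS}}}Attribute")
                 if el.get("Name") == ROLE_ATTR), None)
    if attr is None:
        raise ValueError("assertion carries no AWS Role attribute")
    values = [v.text or "" for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
    if not values:
        raise ValueError("AWS Role attribute has no AttributeValue")
    return [parse_role_pair(v) for v in values]


def role_attribute_ok(assertion_xml: str) -> bool:
    """True when the assertion's Role attribute is well-formed for AWS, False otherwise."""
    try:
        extract_aws_roles(assertion_xml)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for role, provider in extract_aws_roles(SAMPLE_ASSERTION):
        print(f"OK        {role}  via  {provider}")
    try:
        extract_aws_roles(FLATTENED_SAMPLE)
    except ValueError as err:
        print(f"REJECTED  {err}")
```

Feed it the base64-decoded assertion from a real CAS response (for example the one captured with a browser SAML tracer) in place of SAMPLE_ASSERTION; a rejection points at the attribute repository or release policy rather than at AWS.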

On Friday, November 16, 2018 at 17:57:40 UTC-2, David Curry wrote:
>
> Well, I also said we don't do that here, so I don't actually know how to 
> do it, just that I think you can. :-)
>
> But seriously, I believe it depends on what you're using for an attribute 
> repository. And I'm not sure whether it's going to give you what you want:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> or if it's going to give you something more like
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> You might have to write a custom resolver or something (I'm not the one to 
> help you with that).
>
> Maybe someone else could weigh in here and give William some better 
> information?
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu
>
>
> On Fri, Nov 16, 2018 at 12:10 PM Willian Gonzales <etru...@gmail.com> wrote:
>
>> David,
>>
>> What I want is to log in to multiple AWS accounts using SAML2. I've
>> managed to log in to only one account. But to log in to multiple accounts
>> you have to send the response like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> Right now I'm sending only one value in the AttributeValue, like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> I need to send multiple values so I can choose which account I want to log
>> in to. You said that there's a way to return a multi-valued attribute; can you
>> show me how to return a multi-valued attribute?
>>
>> Thank You!
>>
>>
>>
>>
>> On Friday, November 16, 2018 at 14:39:26 UTC-2, David Curry
>> wrote:
>>>
>>> The "ReturnMappedAttributeReleasePolicy" is not a method for returning 
>>> attribute values, it's a method for changing the name of an attribute when 
>>> you release it.
>>>
>>> For example, suppose you have an application that wants you to give it 
>>> an attribute called "LastName". But your Active Directory, of course, keeps 
>>> the last name in an attribute called "sn". So, in the service registry for 
>>> that service, you would specify something like this:
>>>
>>> ...
>>>   "attributeReleasePolicy" : {
>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>     "allowedAttributes" : {
>>>       "@class" : "java.util.TreeMap",
>>>       "sn" : "LastName",
>>>       "givenName" : "givenName",
>>>       "cn" : "cn"
>>>     }
>>>   },
>>> ...
>>>
>>>
>>> This says you're going to get the values of the cn, givenName, and sn 
>>> values from your attribute repository (Active Directory or whatever), and 
>>> send them over to the client. BUT, when you do that, you're going to call 
>>> them cn, givenName, and LastName instead. So for me, the client might get 
>>> something like:
>>>
>>> cn=curryd, givenName=David, LastName=Curry
>>>
>>>
>>> (in whatever format the protocol it's speaking with the CAS server 
>>> provides that information).
>>>
>>> So what you're specifying there is that you're going to send four
>>> attributes back to AWS: description, extensionAttribute1,
>>> extensionAttribute2, and extensionAttribute3. But when you send them back,
>>> you're going to call them by those 3 URLs and "SessionDuration". So AWS is
>>> going to get something like:
>>>
>>> https://aws.amazon.com/SAML/Attributes/Role=<some value>,
>>> https://aws.amazon.com/SAML/Attributes/Role=<some value>,
>>> https://aws.amazon.com/SAML/Attributes/RoleSessionName=<some value>,
>>> SessionDuration=<some value>
>>>
>>>
>>> (again, in whatever format the protocol CAS is speaking with AWS 
>>> specifies) which, I presume, is not what you want. :-)
>>>
>>> I believe there is a way to release the same attribute value with more 
>>> than one name, but I don't use it myself, so I don't know the details of 
>>> what version that functionality was added in, or how it's actually 
>>> configured.
>>>
>>> --Dave
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • david...@newschool.edu
>>>
>>>
>>> On Fri, Nov 16, 2018 at 11:01 AM Willian Gonzales <etru...@gmail.com> 
>>> wrote:
>>>
>>>> David,
>>>>
>>>> I'm using Json Service Registry.
>>>> You're telling me that what's responsible for multi-valued attributes is
>>>> not the service registry but the repository I'm using? (In my case Active
>>>> Directory.)
>>>>
>>>> So, let me show you the example i'm using.
>>>>
>>>> I need to map a multi-valued attribute to the attribute
>>>> "https://aws.amazon.com/SAML/Attributes/Role"
>>>>
>>>> Here is an example of my JSON.
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>   "serviceId" : "urn:amazon:webservices",
>>>>   "name" : "AWS",
>>>>   "id" : 10000003,
>>>>   "description" : "CAS AWS",
>>>>   "signAssertions" : true,
>>>>   "signResponses" : true,
>>>>   "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
>>>>   "attributeReleasePolicy" : {
>>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>>     "allowedAttributes" : {
>>>>       "@class" : "java.util.TreeMap",
>>>>       "description" : "https://aws.amazon.com/SAML/Attributes/Role",
>>>>       "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
>>>>       "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
>>>>       "extensionAttribute3" : "SessionDuration"
>>>>     }
>>>>   },
>>>>   "evaluationOrder" : 1125
>>>> }
>>>>
>>>>
>>>> What I need is to use the values of "description" and
>>>> "extensionAttribute1" in the same attribute, in this case
>>>> "https://aws.amazon.com/SAML/Attributes/Role"
>>>>
>>>> I've tried to use the attribute repository but it still returns only one
>>>> value.
>>>>
>>>> Here's my .prop file:
>>>>
>>>> cas.authn.ldap[0].type=AD
>>>> cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
>>>> cas.authn.ldap[0].useSsl=false
>>>> cas.authn.ldap[0].useStartTls=false
>>>> cas.authn.ldap[0].connectTimeout=5000
>>>> cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
>>>> cas.authn.ldap[0].subtreeSearch=true
>>>> cas.authn.ldap[0].searchFilter=sAMAccountName={user}
>>>> cas.authn.ldap[0].bindDn=will...@shoracius.com.br
>>>> cas.authn.ldap[0].bindCredential=Teste@123
>>>> cas.authn.ldap[0].dnFormat=%s...@shoracius.com.br
>>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>>> cas.authn.ldap[0].principalAttributePassword=unicodePwd
>>>>
>>>> cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
>>>> cas.authn.ldap[0].failFast=false
>>>> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
>>>> cas.authn.attributeRepository.ldap[0].bindDn=wil...@shoracius.com.br
>>>> cas.authn.attributeRepository.ldap[0].bindCredential=********
>>>> cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
>>>>
>>>> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>>> cas.authn.attributeRepository.ldap[0].useSsl=false
>>>> cas.authn.attributeRepository.ldap[0].useStartTls=false
>>>> cas.authn.attributeRepository.ldap[0].name=AD
>>>> cas.authn.attributeRepository.expirationTime=30
>>>> cas.authn.attributeRepository.expirationTimeUnit=MINUTES
>>>> cas.authn.attributeRepository.maximumCacheSize=10000
>>>> cas.authn.attributeRepository.merger=MERGE
>>>>
>>>> cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
>>>> # cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>>>> # cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>>>>
>>>> Can you help me on this quest?
>>>>
>>>> I'm from Brazil, so I'm sorry for my English or anything.
>>>>
>>>> Thanks in advance, and I appreciate your help.
>>>>
>>>>
>>>> On Friday, November 16, 2018 at 13:26:22 UTC-2, David Curry
>>>> wrote:
>>>>>
>>>>> Since I'm the only "David" I see in this thread I assume you're asking
>>>>> me... but I'm not sure I understand the question. Where are you putting
>>>>> the JSON that you're expecting CAS to consume it and then spit it out in
>>>>> a SAML response?
>>>>>
>>>>> Normally, CAS will get the attributes from whatever repositories you
>>>>> configure it to use, and take care of putting them into the response
>>>>> itself; you don't have to specify any JSON. As far as I know,
>>>>> multi-valued attributes should work just fine with that.
>>>>>
>>>>> The JSON I provided back earlier in this thread was in a service 
>>>>> registry definition to show how to rename attributes, not provide their 
>>>>> values.
>>>>>
>>>>> --Dave
>>>>>
>>>>> --
>>>>>
>>>>> DAVID A. CURRY, CISSP
>>>>> *DIRECTOR OF INFORMATION SECURITY*
>>>>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>>>>
>>>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>>>> +1 212 229-5300 x4728 • david...@newschool.edu
>>>>>
>>>>>
>>>>> On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales <etru...@gmail.com> 
>>>>> wrote:
>>>>>
>>>>>> Hi David!
>>>>>>
>>>>>> I'm praying that you see my question now because I really need your
>>>>>> help.
>>>>>> I want to thank you because you really helped me by showing the .json
>>>>>> configuration.
>>>>>> But I need some help on this.
>>>>>>
>>>>>> How do I manage to do a multi-valued attribute in JSON?
>>>>>> I need the SAML response to be like this
>>>>>>
>>>>>> <Attribute Name="attribute">
>>>>>>   <AttributeValue>1</AttributeValue>
>>>>>>   <AttributeValue>2</AttributeValue>
>>>>>>   <AttributeValue>3</AttributeValue>
>>>>>> </Attribute>
>>>>>>
>>>>>> Can you help me on this man?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Wednesday, May 16, 2018 at 11:49:10 UTC-3, David Curry
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Here's a JSON definition for an Apache HTTPD with the Shibboleth 
>>>>>>> mod_shib/shibd plug-in:
>>>>>>>
>>>>>>> {
>>>>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>>>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>>>>>>>   "name" : "Apache Secured By SAML",
>>>>>>>   "id" : 1509030300,
>>>>>>>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>>>>>>>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>>>>>>>   "attributeReleasePolicy" : {
>>>>>>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>>>>>>     "allowedAttributes" : {
>>>>>>>       "@class" : "java.util.TreeMap",
>>>>>>>       "cn" : "urn:oid:2.5.4.3",
>>>>>>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>>>>>>       "givenName" : "urn:oid:2.5.4.42",
>>>>>>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>>>>>>       "role" : "urn:newschool:attribute-def:role",
>>>>>>>       "sn" : "urn:oid:2.5.4.4",
>>>>>>>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>>>>>>>       "UDC_IDENTIFIER" : "urn:newschool:attribute-def:UDC_IDENTIFIER"
>>>>>>>     }
>>>>>>>   },
>>>>>>>   "evaluationOrder" : 1125
>>>>>>> }
>>>>>>>
>>>>>>> But if your SP doesn't care about the funky notation, you can just
>>>>>>> do it the "regular" way... here's a definition for a test SP created
>>>>>>> via RSA's free IAMShowcase site (this is a cut-down copy of the entire
>>>>>>> registry entry to show the part you're interested in):
>>>>>>>
>>>>>>> {
>>>>>>>     "serviceId": "IAMShowcase",
>>>>>>>     "name": "RSA SAML Test Service Provider",
>>>>>>>     "theme": null,
>>>>>>>     "informationUrl": null,
>>>>>>>     "privacyUrl": null,
>>>>>>>     "id": 1202469081,
>>>>>>>     "description": "The URL for the SP that talks to this service is https://sptest.iamshowcase.com/ixs?idp=<snip>",
>>>>>>>
>>>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7f3b7310-1142-406a-88e1-3623e6a15dc1%40apereo.org.
