Sven, 

This is a complete guess as I used a Groovy script for my access strategy. 

Try adding eduPersonEntitlement and memberOf to the allowedAttributes in the 
attributeReleasePolicy. 

Good luck, 
Mike 


From: "Sven Specker" <[email protected]> 
To: "cas-user" <[email protected]> 
Sent: Wednesday, April 8, 2020 11:49:09 AM 
Subject: [cas-user] Screwing up...but where (CAS 6.1.5) 

Hi! 

After stumbling a few more times, I finally got a working setup apart 
from a little fly in the ointment. Well, it is more a whale. 

I have configured basic LDAP authentication and given the following 
directives in cas.properties after carefully consulting the docs. 

cas.personDirectory.principalAttribute=uid 
cas.personDirectory.returnNull=false 
cas.personDirectory.principalResolutionFailureFatal=false 
cas.personDirectory.useExistingPrincipalId=false 
cas.personDirectory.attributeResolutionEnabled=true 

as well as 

cas.authn.ldap[0].principalAttributeList=givenName,mail,sn,eduPersonPrimaryAffiliation,eduPersonEntitlement,eduPersonScopedAffiliation,employeeType,displayName,memberOf,mailPrimaryAddress,mail,eduPersonPrincipalName,uid

And it works like a breeze until I add an AccessStrategy: 


This works: 

{ 
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", 
  "serviceId" : "https://samltest.id/saml/sp", 
  "name" : "SAMLtest.id", 
  "id" : 10000003, 
  "usernameAttributeProvider" : { 
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", 
    "usernameAttribute" : "uid", 
    "canonicalizationMode" : "LOWER" 
  }, 
  "attributeReleasePolicy" : { 
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", 
    "allowedAttributes" : [ "java.util.ArrayList", 
      [ "uid", "mailPrimaryAddress", "sn", "givenName", "edupersonScopedAffiliation" ] ] 
  }, 
  "evaluationOrder" : 10, 
  "metadataLocation" : "file:///etc/cas/saml/sp-metadata/samltest.xml" 
} 

This throws an exception telling me: 

org.jasig.cas.client.validation.TicketValidationException: No principal 
was found in the response from the CAS server. 

{ 
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", 
  "serviceId" : "https://samltest.id/saml/sp", 
  "name" : "SAMLtest.id", 
  "id" : 10000003, 
  "accessStrategy" : { 
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", 
    "enabled" : true, 
    "ssoEnabled" : true, 
    "requireAllAttributes" : false, 
    "requiredAttributes" : { 
      "@class" : "java.util.HashMap", 
      "eduPersonEntitlement" : [ "java.util.HashSet", [ "urn:mace:uni-frankfurt.de:hrz:zoom:access" ] ], 
      "memberOf" : [ "java.util.HashSet", [ "mywonderfulmemberof" ] ] 
    } 
  }, 
  "usernameAttributeProvider" : { 
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider", 
    "usernameAttribute" : "uid", 
    "canonicalizationMode" : "LOWER" 
  }, 
  "attributeReleasePolicy" : { 
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy", 
    "allowedAttributes" : [ "java.util.ArrayList", 
      [ "uid", "mailPrimaryAddress", "sn", "givenName", "edupersonScopedAffiliation" ] ] 
  }, 
  "evaluationOrder" : 10, 
  "metadataLocation" : "file:///etc/cas/saml/sp-metadata/samltest.xml" 
} 

Since I have not found much online when it comes to this, I am sure I 
have misconfigured something, and not necessarily in those configs. 


Any ideas? 

Best regards, 

Sven Specker 
-- 
__________________________________________________________________ 
*** Sven Specker -- University of Frankfurt Computing Center *** 
*********** UNIX System Administration (Auth/IDM) **************** 
***** [email protected] [Phone (+49)-69-798-15188] ***** 
****************************************************************** 
__________________________________________________________________ 
Johann Wolfgang Goethe Universitaet 
- Hochschulrechenzentrum - 
Theodor W. Adorno-Platz 1 (PA-1P16) 

D-60323 Frankfurt/Main 
__________________________________________________________________ 
______________ TeX-users do it in {groups}________________________ 

-- 
- Website: https://apereo.github.io/cas 
- Gitter Chatroom: https://gitter.im/apereo/cas 
- List Guidelines: https://goo.gl/1VRrw7 
- Contributions: https://goo.gl/mh7qDG 
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]. 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/22d066df-2e9b-0ea7-fb14-fb95ef615ef3%40rz.uni-frankfurt.de.
 

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1333848773.1097788.1586373552681.JavaMail.zimbra%40scad.edu.
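As an added example (not part of either message above, and not CAS code), here is a small Python linter that cross-checks a JSON service definition of the kind posted in the thread against the LDAP principalAttributeList in cas.properties. It reports attribute names that the access strategy requires, the username provider reads, or the release policy allows but that no cas.authn.ldap[N].principalAttributeList resolves; it flags names that differ from a resolved attribute only in letter case (as "edupersonScopedAffiliation" does above); and it rejects JSON that does not parse, for instance a ";" where a "," belongs after serviceId. The sample property lines and service definition are constructed from the thread; the property-line regex and the Jackson type wrappers ([ "java.util.ArrayList", [...] ]) are assumptions about the CAS 6.1 service file format.

```python
"""Lint a CAS JSON service definition against cas.properties (added example)."""
import json
import re

# Constructed sample of the relevant cas.properties lines (from the thread).
CAS_PROPERTIES = """
cas.personDirectory.principalAttribute=uid
cas.authn.ldap[0].principalAttributeList=givenName,mail,sn,eduPersonPrimaryAffiliation,eduPersonEntitlement,eduPersonScopedAffiliation,employeeType,displayName,memberOf,mailPrimaryAddress,mail,eduPersonPrincipalName,uid
"""

# Constructed service definition modelled on the failing one in the thread.
SERVICE_JSON = r'''{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://samltest.id/saml/sp",
  "name" : "SAMLtest.id",
  "id" : 10000003,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : false,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "eduPersonEntitlement" : [ "java.util.HashSet", [ "urn:mace:uni-frankfurt.de:hrz:zoom:access" ] ],
      "memberOf" : [ "java.util.HashSet", [ "mywonderfulmemberof" ] ]
    }
  },
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
    "usernameAttribute" : "uid",
    "canonicalizationMode" : "LOWER"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "mailPrimaryAddress", "sn", "givenName", "edupersonScopedAffiliation" ] ]
  },
  "evaluationOrder" : 10,
  "metadataLocation" : "file:///etc/cas/saml/sp-metadata/samltest.xml"
}'''

# Assumed property key shape; adjust if your handlers are indexed differently.
_PAL_RE = re.compile(r"^cas\.authn\.ldap\[\d+\]\.principalAttributeList\s*=\s*(.+)$", re.M)


def resolved_attributes(properties: str) -> set:
    """Every attribute named in any cas.authn.ldap[N].principalAttributeList."""
    attrs = set()
    for m in _PAL_RE.finditer(properties):
        attrs.update(a.strip() for a in m.group(1).split(",") if a.strip())
    return attrs


def unwrap(value):
    """Strip the Jackson type wrapper [ "java.util.X", payload ] -> payload."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str) \
            and value[0].startswith("java."):
        return value[1]
    return value


def referenced_attributes(service: dict) -> dict:
    """Attribute names the service definition depends on, grouped by where they appear."""
    required = unwrap(service.get("accessStrategy", {}).get("requiredAttributes", {}))
    allowed = unwrap(service.get("attributeReleasePolicy", {}).get("allowedAttributes", []))
    username = service.get("usernameAttributeProvider", {}).get("usernameAttribute")
    return {
        "username": {username} if username else set(),
        "required": {k for k in required if k != "@class"},
        "allowed": set(allowed),
    }


def lint_service(service_json: str, properties: str) -> list:
    """Human-readable findings; an empty list means the definition is consistent."""
    try:
        service = json.loads(service_json)
    except json.JSONDecodeError as e:
        # A stray ';' or a missing comma stops CAS from loading the service at all.
        return [f"invalid JSON: {e.msg} at line {e.lineno} column {e.colno}"]

    resolved = resolved_attributes(properties)
    by_lower = {a.lower(): a for a in resolved}
    findings = []
    refs = referenced_attributes(service)
    for kind in ("username", "required", "allowed"):
        for attr in sorted(refs[kind]):
            if attr in resolved:
                continue
            if attr.lower() in by_lower:
                findings.append(f"{kind} attribute '{attr}' differs only in case "
                                f"from resolved '{by_lower[attr.lower()]}'")
            else:
                findings.append(f"{kind} attribute '{attr}' is not in any principalAttributeList")
    return findings


if __name__ == "__main__":
    for line in lint_service(SERVICE_JSON, CAS_PROPERTIES) or ["no findings"]:
        print(line)
```

Run it against a real service file by reading the file into lint_service instead of SERVICE_JSON; a case-only mismatch is reported separately from an unknown name because LDAP attribute names are case-insensitive on the directory side while the strings in the JSON must match whatever CAS actually puts in the principal's attribute map.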
