I added those log settings...
We also tried changing our gradle.properties from SNAPSHOT to RC5 and that
just broke the Duo login flow...
I added this to cas.properties: #Attribute Release
cas.authn.authenticationAttributeRelease.enabled=true
And I also change the JSON service registry to:"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
}
Still no luck....
On Mon, Jun 1, 2020 at 10:06 AM Ray Bon <r...@uvic.ca> wrote:
> Bryan,
>
> Maybe these loggers can help.
> <AsyncLogger name="org.apereo.cas.services" level="warn" />
> <!-- DEBUG Found principal attributes [...] for [username]
> Attribute policy [???] allows release of [...] for
> [username]
> Final collection of attributes allowed are: [...] -->
> <AsyncLogger
> name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
> level="warn"/>
>
> <!-- DEBUG CAS will not authorize the release of ... given the service is
> denied access to all attributes -->
> <AsyncLogger
> name="org.apereo.cas.services.DenyAllAttributeReleasePolicy" level="warn"/>
>
> Ray
>
> On Mon, 2020-06-01 at 08:34 -0600, Bryan Wooten wrote:
>
> We are doing a POC with CAS 6. We are building using the war overlay. Are
> build is from the CAS 6 Master branch.
>
> I have a simple Java client app configured for SAML1.1. This app is
> running on the same Tomcat as CAS 6 itself. This is its JSON service
> registry entry:
>
> {
> "@class" : "org.apereo.cas.services.RegexRegisteredService",
> "serviceId" : "^https://cas6test.go.utah.edu/.*";,
> "name" : "cas6dev-1IdmUtahEdu",
> "id" : 2020052801,
> "description" : "bryan.woo...@utah.edu",
> "logoutType" : "FRONT_CHANNEL",
> "attributeReleasePolicy" : {
> "@class" :
> "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
> "allowedAttributes" : [ "java.util.ArrayList", [ "firstName",
> "lastName", "displayName", "email", "homephone", "department", "ou", "cn",
> "telephoneNumber", "acadplan", "almail", "eduPersonAffiliation", "uid",
> "eduPersonPrincipalName", "ummail", "unid", "uudept", "uuemployee",
> "uustudent","psrole" ] ]
> }
> }
>
> In the cas.log I see:
> allowedAttributes=[firstName, lastName, displayName, email, homephone,
> department, ou, cn, telephoneNumber, acadplan, almail,
> eduPersonAffiliation, uid, eduPersonPrincipalName, ummail, unid, uudept,
> uuemployee, uustudent, psrole]),
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
> failureMode=UNDEFINED, principalAttributeNameTrigger=null,
> principalAttributeValueToMatch=null, bypassEnabled=false,
> forceExecution=false, bypassTrustedDeviceEnabled=false, bypassPrincipa
>
> That looks good.
>
> But when the SAML assertion is built it doesn't include those attribute:
>
> Any ideas on what I am missing?
>
> <?xml version="1.0" encoding="UTF-8"?>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="
> http://schemas.xmlsoap.org/soap/envelope/";>
> <SOAP-ENV:Body>
> <saml1p:Response
> InResponseTo="_0f257af65322193bce619eb2d16895e7"
> IssueInstant="2020-06-01T13:54:43.797Z" MajorVersion="1"
> MinorVersion="1"
> ResponseID="_07a0fc4799c4445d58e12d00aa84603b"
> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
> <saml1p:Status>
> <saml1p:StatusCode Value="saml1p:Success"/>
> </saml1p:Status>
> <saml1:Assertion
> AssertionID="_c4f37a7ef71853b1fb8e472d6db12faf"
> IssueInstant="2020-06-01T13:54:43.797Z"
> Issuer="localhost" MajorVersion="1" MinorVersion="1"
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml1:Conditions NotBefore="2020-06-01T13:54:43.797Z"
> NotOnOrAfter="2020-06-01T13:55:13.797Z">
> <saml1:AudienceRestrictionCondition>
> <saml1:Audience>
> https://cas6test.go.utah.edu/attrrelease-1.0-SNAPSHOT/attrrelease
> </saml1:Audience>
> </saml1:AudienceRestrictionCondition>
> </saml1:Conditions>
> <saml1:AuthenticationStatement
> AuthenticationInstant="2020-06-01T13:54:48.138Z"
> AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:passwor
> d">
> <saml1:Subject>
>
> <saml1:NameIdentifier>u0519980</saml1:NameIdentifier>
> <saml1:SubjectConfirmation>
>
> </saml1:SubjectConfirmation>
> </saml1:Subject>
> </saml1:AuthenticationStatement>
> <saml1:AttributeStatement>
> <saml1:Subject>
>
> <saml1:NameIdentifier>u0519980</saml1:NameIdentifier>
> <saml1:SubjectConfirmation>
>
> <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
> </saml1:SubjectConfirmation>
> </saml1:Subject>
> <saml1:Attribute AttributeName="credentialType"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>UsernamePasswordCredential</saml1:AttributeValue>
>
> <saml1:AttributeValue>DuoSecurityCredential</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
>
> AttributeName="samlAuthenticationStatementAuthMethod" AttributeNamespace="
> http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:password</saml1:AttributeValue>
>
> <saml1:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:unspecified</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="unid"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>u0519980</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="isFromNewLogin"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
> <saml1:AttributeValue>true</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
> AttributeName="bypassMultifactorAuthentication"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
> <saml1:AttributeValue>false</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="authenticationDate"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>2020-06-01T13:54:48.138360Z</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="isFromNewLogin"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
> <saml1:AttributeValue>true</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
> AttributeName="bypassMultifactorAuthentication"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
> <saml1:AttributeValue>false</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="authenticationDate"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>2020-06-01T13:54:48.138360Z</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
> AttributeName="authenticationMethod"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>LdapAuthenticationHandler</saml1:AttributeValue>
>
> <saml1:AttributeValue>mfa-duo</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="authnContextClass"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>mfa-duo</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
> AttributeName="successfulAuthenticationHandlers"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
>
> <saml1:AttributeValue>LdapAuthenticationHandler</saml1:AttributeValue>
>
> <saml1:AttributeValue>mfa-duo</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute
>
> AttributeName="longTermAuthenticationRequestTokenUsed" AttributeNamespace="
> http://www.ja-sig.org/products/cas/";>
> <saml1:AttributeValue>false</saml1:AttributeValue>
> </saml1:Attribute>
> <saml1:Attribute AttributeName="cn"
> AttributeNamespace="http://www.ja-sig.org/products/cas/";>
> <saml1:AttributeValue>BRYAN
> WOOTEN</saml1:AttributeValue>
> </saml1:Attribute>
> </saml1:AttributeStatement>
> </saml1:Assertion>
>
> saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
>
> Thanks,
>
> Bryan (University of Utah)
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3871907ae6972d3ac437cf1afd9f052992664308.camel%40uvic.ca
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/3871907ae6972d3ac437cf1afd9f052992664308.camel%40uvic.ca?utm_medium=email&utm_source=footer>
> .
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAG9x2GWmcmy0f%2BAnOfY%3DwFKg1XkogfX522%3DznQX-HCuS4RDFMQ%40mail.gmail.com.
