Hi Ray,

I'm a little bit late with my feedback, but now the surrogate authentication 
works fine with the attributeRepository part from your last message.
Thank you very much!

Greetings and a happy new year :)

Ray Bon wrote on Friday, 27 November 2020 at 17:18:11 UTC+1:

> Marcel,
>
> I have not implemented the surrogate feature so my understanding may be 
> off, but I think what gets sent to the service is all about the surrogate. 
> Since the surrogate is not authenticating, it has no access to 
> authentication attributes.
> Additional attributes can be extracted from ldap (after authentication), 
> these I hope would be for the surrogate ({user}, below). Imagine the scenario 
> where the surrogates were in a different ou than the authenticating user.
>
> I had intended to include this in my last email (sorry if it caused 
> confusion):
>
> cas.authn.attributeRepository.ldap[0].id=people
> cas.authn.attributeRepository.ldap[0].order=1
> cas.authn.attributeRepository.ldap[0].attributes.mail=mail
> cas.authn.attributeRepository.ldap[0].attributes.cn=cn
> cas.authn.attributeRepository.ldap[0].attributes.sn=sn
> cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldaplocal.uvic.ca:636
> cas.authn.attributeRepository.ldap[0].connectTimeout=PT3S
> cas.authn.attributeRepository.ldap[0].baseDn=ou=people,dc=uvic,dc=ca
> cas.authn.attributeRepository.ldap[0].subtreeSearch=true
> cas.authn.attributeRepository.ldap[0].searchFilter=uid={user}
> cas.authn.attributeRepository.ldap[0].bindDn=cn=Auth Manager,ou=administrators,dc=uvic,dc=ca
> cas.authn.attributeRepository.ldap[0].bindCredential=
>
> Ray
>
> On Fri, 2020-11-27 at 00:17 -0800, Marcel Fromkorth wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
> Hello,
>
> Well, maybe you didn't get me right. I want to resolve the attributes on 
> authentication over LDAP. This works fine for a normal authentication, but 
> if I want to make a surrogate authentication like 
> "surrogateUser+primaryUser", the primary user principal has all LDAP 
> attributes and the surrogate user principal has none. So I want the 
> surrogate user principal to also have the LDAP attributes from the surrogate 
> user. So there is only one data source (LDAP for primary and surrogate 
> user). For this I found: 
> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution
>  
> but I tried something around with these configuration options. No success so 
> far.
>
> So the LDAP attributes shouldn't get into the principal after the 
> authentication. They should be added during authentication. I think that I need to 
> configure the principal resolution right, but I don't know how. On the site 
> I found this subtext: "Principal resolution and Person Directory settings 
> for this feature are available here 
> <https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution>
>  
> under the configuration key cas.authn.surrogate.principal." which 
> redirects you to the link above.
>
>
>
> Ray Bon wrote on Thursday, 26 November 2020 at 18:00:28 UTC+1:
>
> Marcel,
>
> principalAttributeList is for resolving attributes on authentication. If 
> you want to retrieve attributes after the fact or perhaps from a different 
> data source,
>
> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-attributes
>
> Ray
>
> On Thu, 2020-11-26 at 07:06 -0800, Marcel Fromkorth wrote:
>
>
>
>
> Hello,
>
> I'm trying to configure the surrogate authentication support over ldap 
> authentication.
> All this happens on CAS Version 6.2.5.
>
> The problem is that the surrogate user principal has no attributes, which 
> should be mapped from LDAP. I want the surrogateUser principal to get its 
> LDAP attributes. For the primary user it works fine.
>
> I only got: "Surrogate access is denied. The principal does not have the 
> required attributes [{attributes=[testAttribute]}]" -> which are defined 
> in the service at "surrogateRequiredAttributes".
>
> In the debug logs I could see this:
>
> <Found surrogate principal [SimplePrincipal(id=testuser, attributes={})]>
>
> Some logs earlier I can see that the LDAP user for the surrogate is found 
> successfully and all needed attributes exist. -> So I think that something 
> with the principal resolution doesn't work.
>
> Here is a snippet of my cas.properties:
>
> cas.authn.surrogate.ldap.searchFilter=uid:caseExactMatch:={user}
> cas.authn.surrogate.ldap.surrogateSearchFilter=uid:caseExactMatch:={surrogate}
> cas.authn.surrogate.principal.attribute-resolution-enabled=true
> cas.authn.surrogate.principal.principal-attribute=attributes
>
> I switched the accessStrategy in my services to 
> SurrogateRegisteredServiceAccessStrategy.
>
> So... I don't know why the attributes of the surrogate user don't get mapped 
> into the surrogate user principal. For the primary user it works fine (for 
> the primary user I used cas.authn.ldap[0].principalAttributeList=attributes 
> --> works fine).
>
> But in the documentation, it seems that there only exists the attribute 
> "principal-attribute" for this type of setting.
>
> Can someone help me here?
>
> Greetings and thank you.
>
>
>
> -- 
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 250-721-8831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a0ea5732-c675-4e71-8a43-8e49a2549243n%40apereo.org.
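Putting the pieces of the thread together, here is an added example of a complete cas.properties fragment for CAS 6.2 that wires the three parts involved: LDAP authentication for the primary user, the LDAP surrogate lookup, and the attribute repository that gives the surrogate principal its own attributes. It is neither Marcel's nor Ray's configuration and is not taken from the CAS documentation. The hostnames, DNs, the bind account `cas-reader`, the placeholder credential and the LDAP attribute named `attributes` are assumptions; the surrogate and attributeRepository property keys are the ones that appear in the thread.

```properties
# Added example (not from the thread or the CAS docs). Hostnames, DNs, the
# bind account and the attribute names are placeholders; substitute your own.

# --- 1. Primary user authentication ------------------------------------------
# The primary user authenticates with a password; principalAttributeList
# copies that user's LDAP attributes onto the primary principal. This is the
# part that already worked in the thread.
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.org:636
cas.authn.ldap[0].baseDn=ou=people,dc=example,dc=org
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=cas-reader,ou=services,dc=example,dc=org
cas.authn.ldap[0].bindCredential=CHANGE_ME
cas.authn.ldap[0].principalAttributeList=attributes,mail,cn,sn

# --- 2. Surrogate lookup -----------------------------------------------------
# Used when the login id has the form "surrogateUser+primaryUser". The
# surrogate never authenticates, so nothing in this section puts attributes
# on its principal; that is the gap the thread ran into.
cas.authn.surrogate.ldap.ldapUrl=ldaps://ldap.example.org:636
cas.authn.surrogate.ldap.baseDn=ou=people,dc=example,dc=org
cas.authn.surrogate.ldap.subtreeSearch=true
cas.authn.surrogate.ldap.bindDn=cn=cas-reader,ou=services,dc=example,dc=org
cas.authn.surrogate.ldap.bindCredential=CHANGE_ME
cas.authn.surrogate.ldap.searchFilter=uid:caseExactMatch:={user}
cas.authn.surrogate.ldap.surrogateSearchFilter=uid:caseExactMatch:={surrogate}
cas.authn.surrogate.principal.attribute-resolution-enabled=true

# --- 3. Attribute repository -------------------------------------------------
# Per the thread, this is what populated the surrogate principal: the
# repository is queried with the principal's own id as {user}, so the
# surrogate's LDAP entry is found and its attributes land on the surrogate
# principal. SurrogateRegisteredServiceAccessStrategy then evaluates the
# service's surrogateRequiredAttributes against that principal.
cas.authn.attributeRepository.ldap[0].id=people
cas.authn.attributeRepository.ldap[0].order=1
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldap.example.org:636
cas.authn.attributeRepository.ldap[0].baseDn=ou=people,dc=example,dc=org
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].searchFilter=uid={user}
cas.authn.attributeRepository.ldap[0].connectTimeout=PT3S
cas.authn.attributeRepository.ldap[0].bindDn=cn=cas-reader,ou=services,dc=example,dc=org
cas.authn.attributeRepository.ldap[0].bindCredential=CHANGE_ME
# Left side: attribute name CAS keeps on the principal. Right side: LDAP
# attribute name. "attributes" is the placeholder attribute whose value
# testAttribute the service's surrogateRequiredAttributes checks for.
cas.authn.attributeRepository.ldap[0].attributes.attributes=attributes
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
```

Two practical notes. First, use a dedicated read-only bind account for the surrogate and attribute-repository lookups and never deploy with an empty bindCredential (Ray's snippet has it redacted, not blank). Second, the failure mode in the thread is fail-closed: when the repository does not populate the surrogate principal, the required-attribute check denies access with exactly the "Surrogate access is denied" message Marcel saw, so an empty `attributes={}` in the debug log points at a lookup or mapping misconfiguration rather than at a bypass.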
