Joseph,

To see what the cas server is finding for attributes, use this logger:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

We also map UDC_IDENTIFIER in the service definition. See 
https://apereo.github.io/cas/6.2.x/integration/Attribute-Release-Policies.html#return-mapped.

Ray

On Thu, 2021-01-28 at 07:03 -0800, Joseph Zhou wrote:

Hi, folks,

We are having an issue migrating an SP from an old CAS 3.5.2 server to a new 
CAS 6.2.2 server.

In the old server 3.5.2, it was configured as:

        <bean class="org.jasig.cas.services.RegexRegisteredService">
          <property name="id" value="6"/>
          <property name="name" value="Banner XE"/>
          <property name="description" value="CAS Client for Banner XE Services"/>
          <property name="serviceId" value="^https://ban.*.wccnet.edu(:443)?/.*"/>
          <property name="allowedAttributes">
            <list>
              <value>UDC_IDENTIFIER</value>
            </list>
          </property>
          <property name="evaluationOrder" value="1050"/>
        </bean>

On the new server 6.2.2 we tried different ways (no luck with any of them); it is now:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://banner-dev.wccnet.edu/balancer-manager",
  "name": "CASbanfrontdev",
  "id": 1010,
  "evaluationOrder": 20,

  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "usernameAttribute" : "username"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "username" ] ]
  }
}

When connecting to the old server, we got this in the SP httpd log (the SP needs 
the username):

207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager?ticket=ST-235770-aDCGnkjkNkZDuaZ11w1f-login.wccnet.edu HTTP/1.1" 302 234 "https://login.wccnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wccnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" - 443 banner-dev.wccnet.edu 0 43528 98087m -,-
207.73.128.2 - hpjozou [27/Jan/2021:17:23:08 -0500] "GET /balancer-manager HTTP/1.1" 200 980 "https://login.wccnet.edu/cas/login?service=https%3a%2f%2fbanner-dev.wccnet.edu%2fbalancer-manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0" "-" on 443 banner-dev.wccnet.edu 0 43528 877m -,-

When connecting to the new one, we got this in the SP httpd log:

207.73.128.2 - - [27/Jan/2021:17:31:34 -0500] "GET /balancer-manager HTTP/1.1" 302 280 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 260m -,-
207.73.128.2 - - [27/Jan/2021:17:31:59 -0500] "GET /balancer-manager?ticket=ST-1-mm7K5F-4Bu-nqhrLD-3DDcJiuws-cas2 HTTP/1.1" 401 381 "https://cas2.wccnet.edu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36" "-" - 443 banner-dev.wccnet.edu 0 43962 93523m -,-

Then we ended up with Unauthorized on the SP page after authenticating through 
the new CAS.

Our questions:

- How could we make sure the username is returned to the SP?
- How could we see the XML response the new CAS 6.2.2 server sends for CAS 2.0?
- How could we see that XML response in the SP httpd log?

Thank you very much for your help!

Joe


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
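An added example, not code from either message in this thread and not CAS's own code, that puts the two checks the thread turns on into one script: what a CAS 6.x service definition's attribute release policy promises to send to the SP, and what the CAS 2.0/3.0 serviceValidate response actually carries. The service JSON (in the return-mapped form from the documentation Ray links, with UDC_IDENTIFIER released under the name "username") and the two XML responses are constructed; the Python regex check of serviceId is an approximation of CAS's Java regex evaluation.

```python
"""Added example (not from the thread or from CAS): reconcile what a CAS 6.x
service definition promises to release with what a serviceValidate response
actually carries.  The service JSON and the XML responses are constructed."""
import json
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed definition using the return-mapped policy Ray refers to: the
# UDC_IDENTIFIER attribute is released to the SP under the name "username".
SERVICE_JSON = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://banner-dev\\.wccnet\\.edu(:443)?/.*",
  "name": "CASbanfrontdev",
  "id": 1010,
  "evaluationOrder": 20,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": { "@class": "java.util.TreeMap", "UDC_IDENTIFIER": "username" }
  }
}'''
SERVICE_DEF = json.loads(SERVICE_JSON)

# Constructed CAS 3.0 serviceValidate responses (same shape a CAS 2.0 client
# sees, plus the <cas:attributes> block that carries released attributes).
VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>hpjozou</cas:user>
    <cas:attributes>
      <cas:username>hpjozou</cas:username>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def _unwrap(value):
    """Drop the Jackson type hints CAS writes into service JSON:
    ["java.util.ArrayList", [...]] -> [...];  {"@class": "java.util.TreeMap", ...} -> {...}."""
    if isinstance(value, list) and len(value) == 2 and str(value[0]).startswith("java."):
        return value[1]
    if isinstance(value, dict):
        return {k: v for k, v in value.items() if k != "@class"}
    return value

def released_attributes(service_def):
    """Source attribute -> name the SP sees, for the two policies in this thread.
    Assumes plain string mappings (CAS also allows lists and inline scripts)."""
    policy = service_def.get("attributeReleasePolicy", {})
    cls = policy.get("@class", "")
    allowed = _unwrap(policy.get("allowedAttributes", []))
    if cls.endswith(".ReturnAllowedAttributeReleasePolicy"):
        return {name: name for name in allowed}
    if cls.endswith(".ReturnMappedAttributeReleasePolicy"):
        return {src: str(dst) for src, dst in allowed.items()}
    return {}  # any other policy class is not modelled here

def service_matches(service_def, service_url):
    """Does the serviceId pattern match the URL the SP sends?  Assumption:
    Python's re.search approximates CAS's Java regex evaluation."""
    return re.search(service_def["serviceId"], service_url) is not None

def parse_validate_response(xml_text):
    """Return {"ok", "code", "user", "attributes"} for a validation response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"), "user": None, "attributes": {}}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    attrs = {}
    block = success.find("cas:attributes", CAS_NS)
    for el in (block if block is not None else []):
        attrs.setdefault(el.tag.split("}", 1)[1], []).append((el.text or "").strip())
    return {"ok": True, "code": None,
            "user": success.findtext("cas:user", namespaces=CAS_NS), "attributes": attrs}

def missing_attributes(required, service_def, response_xml):
    """Attributes the SP needs that the policy does not promise, and those the
    response does not carry; both lists are empty when the SP is satisfied."""
    promised = set(released_attributes(service_def).values())
    received = set(parse_validate_response(response_xml)["attributes"])
    return {"not_in_policy": sorted(set(required) - promised),
            "not_in_response": sorted(set(required) - received)}

if __name__ == "__main__":
    url = "https://banner-dev.wccnet.edu/balancer-manager"
    print("serviceId matches:", service_matches(SERVICE_DEF, url))
    print("policy releases:", released_attributes(SERVICE_DEF))
    print("response:", parse_validate_response(VALIDATE_OK))
    print("gaps:", missing_attributes(["username"], SERVICE_DEF, VALIDATE_OK))
    print("failure:", parse_validate_response(VALIDATE_FAIL)["code"])
```

Feed `parse_validate_response` the body the SP gets back from the server's validation endpoint (for the CAS 3.0 protocol that is /cas/p3/serviceValidate; if the SP validates against the CAS 2.0 endpoint, capture that response instead, since it is the one the SP actually parses) and compare the attribute names with what `released_attributes` reports for the registered service; the debug logger in Ray's reply shows the same decision from the server side. Note that in CAS 6 `serviceId` is a regular expression, so anchoring it with `^` as the constructed definition (and the old 3.5.2 bean) does keeps the definition from matching unrelated URLs.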

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c0de7bef25e0a8af289621c59082b9e9771aefd.camel%40uvic.ca.