Posting follow-up in the hopes this may help other people. I spent more time debugging and was finally able to get it to behave by setting cas.person-directory.principal-resolution-conflict-strategy=first (default is last). This allows the principal ID to be overridden by an attribute during attribute resolution.
What I don't fully understand is delegate authentication took place first, and attribute resolution via REST took place thereafter. But while executing the strategy to resolve the multiple principals, the principal object returned by delegate authentication is actually second in the list, while the attribute resolution principal is first in the list. This is totally counterintuitive -- I'm still trying to pinpoint how this happened and decide whether there is a bug somewhere. The property above at least let me overcome this counterintuitive behavior and achieve what I want.

Chia-Ying

On Thursday, July 29, 2021 at 11:58:27 AM UTC-4 Chia-Ying Yang wrote:

> I've configured CAS with authentication delegation (Pac4J Google) + attribute resolution (REST) + interrupt notification (REST).
>
> My attribute resolution REST endpoint translates the principal ID returned from delegated authentication (of the format org.pac4j.oauth.profile.google2.Google2Profile#[number], as I have cas.authn.pac4j.core.typed-id-used=true) and returns it as an attribute "principal", and together with the cas.person-directory.principal-attribute=principal setting, this principal ID then becomes the user's "final" principal ID.
>
> In 5.3.x, the "final" principal ID is then being used to call the interrupt notification REST endpoint. This is what I expect.
>
> In 6.3.x / 6.4.x however, the original principal ID org.pac4j.oauth.profile.google2.Google2Profile#[number] is being used to call the interrupt notification REST endpoint. Is this an intentional change or is this a possible bug?
>
> Thanks,
>
> Chia-Ying
