Thanks Daniel. I can confirm this attribute works correctly most of the
time. There have only been a few (very few) times that we have heard
reports of this and I've configured our SIEM to monitor the logs looking
for this in case it happens again. On a subsequent login the user did not
experience this mix-up.
This is what we are using for attribute release: the UserPrincipalName
worked correctly in this specific case, but the inline groovy pulled the
uid of a different login that was happening at the same time.
"allowedAttributes" : { "@class" : "java.util.TreeMap", "UserPrincipalName"
: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname":
"groovy { return 'DOMAIN\\\\' + attributes['uid'][0] }" },
released:
principal=SimplePrincipal(id=PersonB,
attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA],
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[[email protected]]}),requiredAttributes={}]
On Tuesday, October 18, 2022 at 10:05:51 AM UTC-4 dfisher wrote:
> On Tue, Oct 18, 2022 at 8:58 AM Michael Daley <[email protected]> wrote:
>
>> CAS: 6.1.7 Hazelcast ticket storage, ldap auth and attribute storage,
>> duo MFA
>>
>> Recently experienced an issue where an attribute for Person A was
>> released during Person B's session.
>>
>
>
> You can put org.ldaptive in DEBUG to confirm the LDAP search results are
> what you expect.
>
> --Daniel Fisher
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a5a2560-9542-4813-89aa-ace2b06746a8n%40apereo.org.
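A log check in the spirit of the SIEM monitoring mentioned in the reply above, written as an added example (not code from the thread or from CAS): it parses "released:" records of the shape quoted in the message and flags a principal whose released windowsaccountname (or UPN local part) names a different account. The log lines are constructed to mirror the thread's format, and the check assumes, as the Groovy script in the config does, that the principal id is the LDAP uid.

```python
import re

# Principal id and released attribute map in a CAS "released:" record (thread format).
PRINCIPAL_RE = re.compile(r"SimplePrincipal\(id=([^,]+),\s*attributes=\{(.*)\}\)")
ATTR_RE = re.compile(r"(\S+?)=\[([^\]]*)\]")  # one "claim-uri=[value]" pair
WIN_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample lines mirroring the thread's log shape (not real CAS output).
# Line 2 reproduces the reported mix-up: PersonB's session releases PersonA's account.
SAMPLE_LOG = [
    "2022-10-18 09:01:02 DEBUG released: principal=SimplePrincipal(id=PersonA, attributes={"
    + WIN_CLAIM + "=[DOMAIN\\PersonA], " + UPN_CLAIM + "=[persona@example.org]}),requiredAttributes={}]",
    "2022-10-18 09:01:02 DEBUG released: principal=SimplePrincipal(id=PersonB, attributes={"
    + WIN_CLAIM + "=[DOMAIN\\PersonA], " + UPN_CLAIM + "=[personb@example.org]}),requiredAttributes={}]",
    "2022-10-18 09:01:03 INFO  Ticket granting ticket created for PersonB",
]

def parse_release(line):
    """Return (principal_id, {claim_uri: value}), or None if the line is not a release record."""
    m = PRINCIPAL_RE.search(line)
    if not m:
        return None
    return m.group(1).strip(), dict(ATTR_RE.findall(m.group(2)))

def mismatched_release(line):
    """Describe a cross-account release, or return None when the record is consistent.
    Assumes, as the thread's Groovy script does, that the principal id is the LDAP uid,
    so the account part of DOMAIN\\uid and the UPN local part must both equal it."""
    parsed = parse_release(line)
    if parsed is None:
        return None
    pid, attrs = parsed
    win = attrs.get(WIN_CLAIM, "")
    if win and win.rsplit("\\", 1)[-1].lower() != pid.lower():
        return f"principal {pid} released windowsaccountname {win}"
    upn = attrs.get(UPN_CLAIM, "")
    if upn and upn.split("@", 1)[0].lower() != pid.lower():
        return f"principal {pid} released upn {upn}"
    return None

def scan(lines):
    """Return [(line_number, description)] for every inconsistent release record."""
    return [(n, mismatched_release(l)) for n, l in enumerate(lines, 1) if mismatched_release(l)]

if __name__ == "__main__":
    for n, msg in scan(SAMPLE_LOG):
        print(f"line {n}: {msg}")  # line 2: principal PersonB released windowsaccountname DOMAIN\PersonA
```

To run it against real CAS output, feed the log file's lines to scan() in place of SAMPLE_LOG; only lines that match the "released:" record shape are examined.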