Thanks Daniel.  I can confirm this attribute works correctly most of the 
time.  There have only been a few (very few) times that we have heard 
reports of this and I've configured our SIEM to monitor the logs looking 
for this in case it happens again.  On a subsequent login the user did not 
experience this mix-up.

This is what we are using for attribute release:  the UserPrincipalName 
worked correctly in this specific case, but the inline groovy pulled the 
uid of a different login that was happening at the same time.

"allowedAttributes" : {
  "@class" : "java.util.TreeMap",
  "UserPrincipalName" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" : "groovy { return 'DOMAIN\\\\' + attributes['uid'][0] }"
},

released:
principal=SimplePrincipal(id=PersonB, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[pers...@domain.example.edu]}),requiredAttributes={}]

On Tuesday, October 18, 2022 at 10:05:51 AM UTC-4 dfisher wrote:

> On Tue, Oct 18, 2022 at 8:58 AM Michael Daley <mjda...@ccri.edu> wrote:
>
>> CAS: 6.1.7  Hazelcast ticket storage, ldap auth and attribute storage, 
>> duo MFA
>>
>> Recently experienced an issue where an attribute for Person A was 
>> released during Person B's session.
>>
>
> You can put org.ldaptive in DEBUG to confirm the LDAP search results are 
> what you expect.
>
> --Daniel Fisher

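An added illustration, not from the thread or the CAS project: a minimal version of the log check described above, parsing release entries shaped like the one quoted and flagging any whose windowsaccountname or UPN disagrees with the principal id. It assumes the principal id equals the uid the groovy script reads and the UPN local part; the sample entries are constructed.

```python
import re

# Claim URIs from the allowedAttributes config quoted in the thread.
WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample entries (not real log data) in the shape of the "released:"
# line quoted above. The first is consistent; the second reproduces the reported
# mix-up: principal PersonB released with PersonA's Windows account name.
SAMPLE_LOG = """\
principal=SimplePrincipal(id=PersonA, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[persona@domain.example.edu]}),requiredAttributes={}]
principal=SimplePrincipal(id=PersonB, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[personb@domain.example.edu]}),requiredAttributes={}]
"""

PRINCIPAL_RE = re.compile(r"SimplePrincipal\(id=([^,]+), attributes=\{(.*)\}\)")
ATTR_RE = re.compile(r"(\S+?)=\[([^\]]*)\]")  # claimUri=[v1, v2] pairs

def parse_release(line):
    """Return (principal_id, {claim_uri: [values]}) for a release entry, else None."""
    m = PRINCIPAL_RE.search(line)
    if not m:
        return None
    attrs = {k: v.split(", ") for k, v in ATTR_RE.findall(m.group(2))}
    return m.group(1), attrs

def mismatches(principal_id, attrs):
    """Attributes whose identity part disagrees with the principal id (assumes
    the principal id equals the uid the groovy script reads; see lead-in)."""
    want = principal_id.lower()
    found = []
    for value in attrs.get(WINDOWS_ACCOUNT, []):
        if value.split("\\", 1)[-1].lower() != want:  # DOMAIN\<uid> -> <uid>
            found.append((WINDOWS_ACCOUNT, value))
    for value in attrs.get(UPN, []):
        if value.split("@", 1)[0].lower() != want:    # <uid>@realm -> <uid>
            found.append((UPN, value))
    return found

def scan(log_text):
    """Return [(principal_id, findings)] for every inconsistent release entry."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_release(line)
        if parsed is None:
            continue
        found = mismatches(*parsed)
        if found:
            alerts.append((parsed[0], found))
    return alerts
```
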
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a5a2560-9542-4813-89aa-ace2b06746a8n%40apereo.org.