Dear Daniel,

we "solved" it using an AuthenticationMetaDataPopulator instead of a groovy
script, as suggested by our partner Tirasa.

Regards,

*Baldassare Agosta*
*Università degli Studi Firenze*
Area per l'Innovazione e Gestione dei Sistemi Informativi ed Informatici
SIAF - Coordinamento tecnico applicativi
Piazza Ugo di Toscana, 5  - Edificio D15 - Campus Novoli
Tel. +39 055 2759103
www.siaf.unifi.it


On Wed 22 Mar 2023 at 21:08 Daniel Daher <[email protected]>
wrote:

> Hi, I have the same problem as you and practically the same environment.
>
> Did you find the problem? Were you able to fix it in some way?
>
> On Wednesday, 19 October 2022 at 12:18:43 UTC+1, Michael Daley
> wrote:
>
>> Thanks Daniel.  I can confirm this attribute works correctly most of the
>> time.  There have only been a few (very few) times that we have heard
>> reports of this and I've configured our SIEM to monitor the logs looking
>> for this in case it happens again.  On a subsequent login the user did not
>> experience this mix-up.
>>
>> This is what we are using for attribute release:  the UserPrincipalName
>> worked correctly in this specific case, but the inline groovy pulled the
>> uid of a different login that was happening at the same time.
>>
>> "allowedAttributes" : { "@class" : "java.util.TreeMap",
>> "UserPrincipalName" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
>> "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" :
>> "groovy { return 'DOMAIN\\\\' + attributes['uid'][0] }" },
>>
>>
>> released:
>> principal=SimplePrincipal(id=PersonB, attributes={
>> http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA],
>> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[[email protected]]}
>> ),requiredAttributes={}]
>> On Tuesday, October 18, 2022 at 10:05:51 AM UTC-4 dfisher wrote:
>>
>>> On Tue, Oct 18, 2022 at 8:58 AM Michael Daley <[email protected]> wrote:
>>>
>>>> CAS: 6.1.7  Hazelcast ticket storage, ldap auth and attribute storage,
>>>> duo MFA
>>>>
>>>> Recently experienced an issue where an attribute for Person A was
>>>> released during Person B's session.
>>>>
>>>
>>>
>>> You can put org.ldaptive in DEBUG to confirm the LDAP search results are
>>> what you expect.
>>>
>>> --Daniel Fisher
>>>
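As an added example, not code from this thread or from CAS itself: the kind of log check Michael describes configuring in a SIEM, written in Python over constructed lines in the shape of the "released: principal=..." output quoted above. It flags any released windowsaccountname or upn whose account name does not match the principal id of the session; the exact log layout, the sample values and the example.edu realm are assumptions.

```python
import re

# Claim URIs as they appear in the thread's attribute-release config and log output.
WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Matches the 'released: principal=SimplePrincipal(id=..., attributes={...})' fragment of a CAS log line.
PRINCIPAL_RE = re.compile(r"principal=SimplePrincipal\(id=(?P<id>[^,]+), attributes=\{(?P<attrs>.*?)\}\)")
ATTR_RE = re.compile(r"(?P<name>\S+?)=\[(?P<value>[^\]]*)\]")

def parse_released_principal(line):
    """Return (principal_id, {attribute_name: [values]}) for a released-principal line, else None."""
    m = PRINCIPAL_RE.search(line)
    if not m:
        return None
    attrs = {}
    for a in ATTR_RE.finditer(m.group("attrs")):
        attrs[a.group("name")] = [v.strip() for v in a.group("value").split(",")]
    return m.group("id"), attrs

def account_part(value):
    """Reduce 'DOMAIN\\user' or 'user@realm' to the case-folded account name 'user'."""
    value = value.rsplit("\\", 1)[-1]
    return value.split("@", 1)[0].casefold()

def find_mismatches(lines):
    """Return (principal_id, attribute_name, offending_value) for every released identity
    attribute whose account name differs from the principal the session belongs to."""
    findings = []
    for line in lines:
        parsed = parse_released_principal(line)
        if parsed is None:
            continue
        principal_id, attrs = parsed
        for name in (WINDOWS_ACCOUNT_NAME, UPN):
            for value in attrs.get(name, []):
                if account_part(value) != principal_id.casefold():
                    findings.append((principal_id, name, value))
    return findings

# Constructed sample lines in the shape of the thread's 'released:' output (not real log data).
SAMPLE_LOG = [
    "DEBUG released: principal=SimplePrincipal(id=PersonB, attributes={"
    + WINDOWS_ACCOUNT_NAME + "=[DOMAIN\\PersonB], " + UPN + "=[PersonB@example.edu]}),requiredAttributes={}]",
    # The mix-up reported in the thread: PersonB's session carries PersonA's windowsaccountname.
    "DEBUG released: principal=SimplePrincipal(id=PersonB, attributes={"
    + WINDOWS_ACCOUNT_NAME + "=[DOMAIN\\PersonA], " + UPN + "=[PersonB@example.edu]}),requiredAttributes={}]",
    "INFO  unrelated line with no released principal",
]
```

Running `find_mismatches` over the DEBUG lines of a CAS log (or the equivalent regex in a SIEM rule) surfaces the cross-session release as a single finding naming the principal, the claim and the foreign value.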

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANrOrDzKc0GQZ0U4JdR5WaMd2N0a8DO0FziOOCLvRig9um5Uww%40mail.gmail.com.
