Dear Daniel,

we "solved" this using an AuthenticationMetaDataPopulator instead of a groovy
script, as suggested by our partner Tirasa.

Regards,

*Baldassare Agosta*
*○●○●*
*Università degli Studi Firenze*
Area per l'Innovazione e Gestione dei Sistemi Informativi ed Informatici
SIAF - Coordinamento tecnico applicativi
Piazza Ugo di Toscana, 5  - Edificio D15 - Campus Novoli
Tel. +39 055 275*9103*
www.siaf.unifi.it


On Wed, 22 Mar 2023 at 21:08, Daniel Daher <dah3...@gmail.com>
wrote:

> Hi, I have the same problem as you and practically the same environment.
>
> Did you find the problem? Were you able to fix it in some way?
>
> On Wednesday, 19 October 2022 at 12:18:43 UTC+1, Michael Daley
> wrote:
>
>> Thanks Daniel.  I can confirm this attribute works correctly most of the
>> time.  There have only been a few (very few) times that we have heard
>> reports of this and I've configured our SIEM to monitor the logs looking
>> for this in case it happens again.  On a subsequent login the user did not
>> experience this mix-up.
>>
>> This is what we are using for attribute release:  the UserPrincipalName
>> worked correctly in this specific case, but the inline groovy pulled the
>> uid of a different login that was happening at the same time.
>>
>> "allowedAttributes" : {
>>   "@class" : "java.util.TreeMap",
>>   "UserPrincipalName" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
>>   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" : "groovy { return 'DOMAIN\\\\' + attributes['uid'][0] }"
>> },
>>
>>
>> released:
>> principal=SimplePrincipal(id=PersonB, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[per...@domain.example.edu]}),requiredAttributes={}]
>> On Tuesday, October 18, 2022 at 10:05:51 AM UTC-4 dfisher wrote:
>>
>>> On Tue, Oct 18, 2022 at 8:58 AM Michael Daley <mjda...@ccri.edu> wrote:
>>>
>>>> CAS: 6.1.7  Hazelcast ticket storage, ldap auth and attribute storage,
>>>> duo MFA
>>>>
>>>> Recently experienced an issue where an attribute for Person A was
>>>> released during Person B's session.
>>>>
>>>
>>>
>>> You can put org.ldaptive in DEBUG to confirm the LDAP search results are
>>> what you expect.
>>>
>>> --Daniel Fisher
>>>
>>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/20b8c1c2-7818-4729-b40a-049ece9e499en%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/20b8c1c2-7818-4729-b40a-049ece9e499en%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANrOrDzKc0GQZ0U4JdR5WaMd2N0a8DO0FziOOCLvRig9um5Uww%40mail.gmail.com.
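Michael Daley mentions above that he configured a SIEM to watch the logs for this mix-up. As an added example (not from the thread and not CAS code), here is a small Python check that parses CAS released-principal lines of the shape quoted in the thread and flags any line whose windowsaccountname belongs to someone other than the principal the session is for. The regular expressions, function names and sample lines are mine: the first sample is reconstructed from the quoted line (the thread elides the upn, so an address is made up), the other two are constructed, and "DOMAIN" is the thread's own placeholder. Real CAS log lines may differ in spacing or wrapping between versions, so treat the patterns as a starting point to adjust.

```python
import re
from typing import Dict, List, Optional, Tuple

# Claim that the thread's inline groovy script derived from attributes['uid'].
WINDOWS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Shape of the "released:" line quoted in the thread (assumption: other CAS
# versions may format this differently; adjust the pattern if so).
PRINCIPAL_RE = re.compile(
    r"principal=SimplePrincipal\(id=(?P<id>[^,)]+), attributes=\{(?P<attrs>.*?)\}\)"
)
# One "name=[v1, v2]" entry inside the attributes map.
ATTR_RE = re.compile(r"(?P<name>\S+?)=\[(?P<values>[^\]]*)\]")

# Constructed sample lines (not real logs).
SAMPLE_LOG = [
    # Reconstructed from the thread: windowsaccountname names PersonA, session is PersonB.
    r"principal=SimplePrincipal(id=PersonB, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[personb@domain.example.edu]}),requiredAttributes={}]",
    # Healthy line: both values belong to the same user.
    r"principal=SimplePrincipal(id=PersonA, attributes={http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=[DOMAIN\PersonA], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[persona@domain.example.edu]}),requiredAttributes={}]",
    # Service that does not release the claim at all: nothing to compare.
    r"principal=SimplePrincipal(id=PersonC, attributes={mail=[personc@domain.example.edu]}),requiredAttributes={}]",
]


def parse_released_principal(line: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Return (principal id, {attribute: [values]}), or None if this is not a release line."""
    m = PRINCIPAL_RE.search(line)
    if m is None:
        return None
    attrs: Dict[str, List[str]] = {}
    for am in ATTR_RE.finditer(m.group("attrs")):
        attrs[am.group("name")] = [v.strip() for v in am.group("values").split(",") if v.strip()]
    return m.group("id"), attrs


def account_mismatch(line: str) -> Optional[str]:
    """Describe the problem when windowsaccountname does not match the principal id, else None."""
    parsed = parse_released_principal(line)
    if parsed is None:
        return None
    principal_id, attrs = parsed
    values = attrs.get(WINDOWS_CLAIM, [])
    if not values:
        return None
    # Drop the "DOMAIN\" prefix the script prepends; Windows account names are
    # not case-sensitive, so compare case-folded.
    account = values[0].split("\\", 1)[-1]
    if account.casefold() != principal_id.casefold():
        return (f"released windowsaccountname={values[0]!r} "
                f"but the authenticated principal is {principal_id!r}")
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, finding) for every release line whose account does not match its principal."""
    findings: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        finding = account_mismatch(line)
        if finding is not None:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_LOG):
        print(f"line {index}: {finding}")
```

Only the windowsaccountname claim is compared, because the thread says the UserPrincipalName was correct in the affected login and a upn local part need not equal the principal id anyway; a line with no such claim is skipped rather than reported.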
