Working on a SAML integration where the subject (NameID) needs to be the user's 
email address, but despite the changes I've made the subject is still 
the username attribute. 

usernameAttributeProvider:
  {
    @class: 
org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: userPrincipalName
  }
...
requiredNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

In cas.properties we define the attribute mapping:
cas.authn.attribute-repository.ldap[0].attributes.eduPersonPrincipalName=mail

I found it odd that the service manager shows userPrincipalName as the 
"username attribute" rather than mail, as mapped.

Looking at the attribute release in the response XML, I see that the subject 
is still the username, while the mail attribute is populated:
<?xml 
version="1.0" 
encoding="UTF-8"?>
<!-- NOTE(review): SAML 2.0 Response carrying a single signed Assertion, pasted
     from a list message. The stray ';' after several quoted URL attribute values
     and the line breaks inside start tags look like mail-client wrapping
     artifacts rather than what CAS emitted; as shown here the document is not
     well-formed XML, so it will not parse without cleanup. -->
<saml2p:Response 
    Destination="https://sitedown.conncoll.edu/"; 
    ID="_972320461405286400" 
    InResponseTo="_07ccef8331e40d6e9c24c8a12ade2bd69884b1cbb6" 
    IssueInstant="2023-10-23T17:39:07.378Z" 
    Version="2.0" 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer 
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
        
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://casdev.conncoll.edu/idp
    </saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion 
        ID="_1333994532661421056" 
        IssueInstant="2023-10-23T17:39:07.305Z" 
        Version="2.0" 
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>https://casdev.conncoll.edu/idp</saml2:Issuer>
        <!-- Enveloped signature over the Assertion only: the Reference URI below
             matches the Assertion ID (_1333994532661421056); the outer Response
             element carries no signature of its own. The inline KeyInfo (RSA
             modulus/exponent plus DER form) is informational; the SP should verify
             against the IdP key registered in its metadata, not against whatever
             key the message itself carries. -->
        <ds:Signature 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod 
                    
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference 
                    URI="#_1333994532661421056">
                    <ds:Transforms>
                        <ds:Transform 
                            
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform 
                            
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod 
                        
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>
                        gOBjXAhXqdT7adKVPNrxD43urSqJQgTtDjcj64Wa2NE=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            
<ds:SignatureValue>CIuSEDbZ97Yf8VnnA774OXFgGQ0Qw9+HcZX8SnOWWcMT+zb5CUEh3hsKkSlQYr4PeRsn1AxxwpGKdIl9HWLjeF97zPMglpguDiyACsUHNtYGbcmlCIX9WQ+lEUIbrdDwP9c8F632INvPF6ACI9DTDSbLrzA2xJT44X2z4EFAAxJJVK/5MFAyWCopZTiMHsGv6CZ7FKSSjBdYe+zacyL7ZmT1LbFfgV1HK6SL9L3ChRCS5bcQ9vui9pOJ9aiD6Hf6rcO6HZcMuQPMCqNlQilSVVverSypwXv8qFdGYuzy+qiByyc+
                xTjYR2NpBwECtttDMsZnfFfFxu91KusihOq2OA==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:KeyValue>
                    <ds:RSAKeyValue>
                        
<ds:Modulus>nsveLo/KHlchZAHX+dNks7YJSIhIK2xReT1+Vp0EgUYB71DW1tpx9jdEP21PeroK1wjoptbEuoqHetvl5i8/0L/zhVPQFu5jcqQUUnCUEa26wJdtZcpSUzHgudSZM/EHABEMQ+xEqC0Bdty8f9d7AuckWon88+EgyEiW7PYFkc7jDzPHiMBdVyRKVnwMDJIz2WVz3i2q55akpfy2UNMEkJlhm+GgOOKkHKW166gkvXi93duX5hE1lmSufqpQjta2Ev2Lw3BdPhnnCOXBym+rtNI5kl5A5B/opjm4djUY7hCYIBQfqUsykyoGDheAoW7HCYaffg4z+
                            Mu8TuwfjnDA0w==
                        </ds:Modulus>
                        <ds:Exponent>AQAB</ds:Exponent>
                    </ds:RSAKeyValue>
                </ds:KeyValue>
                <ds11:DEREncodedKeyValue 
                    
xmlns:ds11="http://www.w3.org/2009/xmldsig11#";>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnsveLo/KHlchZAHX+dNks7YJSIhIK2xR
eT1+Vp0EgUYB71DW1tpx9jdEP21PeroK1wjoptbEuoqHetvl5i8/0L/zhVPQFu5jcqQUUnCUEa26
wJdtZcpSUzHgudSZM/EHABEMQ+xEqC0Bdty8f9d7AuckWon88+EgyEiW7PYFkc7jDzPHiMBdVyRK
VnwMDJIz2WVz3i2q55akpfy2UNMEkJlhm+GgOOKkHKW166gkvXi93duX5hE1lmSufqpQjta2Ev2L
w3BdPhnnCOXBym+rtNI5kl5A5B/opjm4djUY7hCYIBQfqUsykyoGDheAoW7HCYaffg4z+Mu8Tuwf
jnDA0wIDAQAB
                </ds11:DEREncodedKeyValue>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <!-- This is the reported symptom: Format declares emailAddress but the
                 value ('atilling') is the username, so the NameID's format and
                 content disagree; an SP that keys accounts on NameID would link
                 them to the username, not the mailbox. The service's
                 usernameAttribute is userPrincipalName, yet the AttributeStatement
                 below releases 'mail' and neither userPrincipalName nor
                 eduPersonPrincipalName; presumably the username provider falls back
                 to the principal id when its attribute is absent (confirm against
                 the CAS docs/logs). Pointing usernameAttribute at an attribute that
                 is actually resolved for this principal (e.g. mail) should fix it. -->
            <saml2:NameID 
                
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" 
                NameQualifier="https://casdev.conncoll.edu/idp"; 
                
SPNameQualifier="https://sitedown.conncoll.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/";>atilling
            </saml2:NameID>
            <saml2:SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <!-- NOTE(review): NotOnOrAfter (17:39:07.306Z) is earlier than the
                     Response IssueInstant (17:39:07.378Z), so the bearer window is
                     already closed when the message is issued; a strict SP would
                     reject it unless it tolerates clock skew. Worth checking the
                     IdP lifetime/skew settings, though it may be a paste artifact. -->
                <saml2:SubjectConfirmationData 
                    Address="sitedown.conncoll.edu" 
                    
InResponseTo="_07ccef8331e40d6e9c24c8a12ade2bd69884b1cbb6" 
                    NotOnOrAfter="2023-10-23T17:39:07.306Z" 
                    Recipient="https://sitedown.conncoll.edu/"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <!-- NOTE(review): NotBefore and NotOnOrAfter are identical, i.e. a
             zero-length validity window; the assertion only validates through the
             SP's skew tolerance. Same remark as on SubjectConfirmationData. -->
        <saml2:Conditions 
            NotBefore="2023-10-23T17:39:07.348Z" 
            NotOnOrAfter="2023-10-23T17:39:07.348Z">
            <saml2:AudienceRestriction>
                
<saml2:Audience>https://sitedown.conncoll.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement 
            AuthnInstant="2023-10-23T17:36:35.417Z" 
            SessionIndex="_1170437499088431104" 
            SessionNotOnOrAfter="2023-10-24T17:39:07.295Z">
            <saml2:SubjectLocality 
                Address="136.244.218.11"/>
            <saml2:AuthnContext>
                
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <!-- Released attributes: UserName, mail, displayName, cn,
             edupersonaffiliation, givenname, departmentNumber, memberof, sn.
             Every attribute claims NameFormat attrname-format:uri while its Name
             is a bare identifier rather than a URI; SPs that match on NameFormat
             may not recognise them. memberof is released as full group DNs. -->
        <saml2:AttributeStatement>
            <saml2:Attribute 
                FriendlyName="UserName" 
                Name="UserName" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>atilling</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="mail" 
                Name="mail" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                
<saml2:AttributeValue>[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="displayName" 
                Name="displayName" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Andrew P. 
Tillinghast</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="cn" 
                Name="cn" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Andrew P. 
Tillinghast</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="edupersonaffiliation" 
                Name="edupersonaffiliation" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>STAFF</saml2:AttributeValue>
                <saml2:AttributeValue>EMPLOYEE</saml2:AttributeValue>
                <saml2:AttributeValue>MEMBER</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="givenname" 
                Name="givenname" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Andrew</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="departmentNumber" 
                Name="departmentNumber" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Information Services/Enterprise 
Systems</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="memberof" 
                Name="memberof" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>
                    cn=EIS,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=staff,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=100000-901010-Information Services - Office of VP,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Knowbe4,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Knowbe4PII,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=DB_Users,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=CWUserEdit,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=AS2-083267125839-StataLocal,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=MAPS_LDAP,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=webadministrator,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=bbadm,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Forti-Two Factor,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Druva_InSync_Clients,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=knowbe4staff,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=meraki-tech,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=WirelessSU,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=CWADMIN,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="sn" 
                Name="sn" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Tillinghast</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>


Is there something I'm missing to get userPrincipalName/mail as the subject?
