Scott,

that goes right along the lines with what we had expected, needing to get the 
LDAP attributes into CAS somehow, and then being able to pass that to SAML.

Not being up to speed on Java, could you kindly give us another hint as to 
where to start looking for getting more attributes from LDAP?
Looks like there are quite a few hits in the wiki for it, but is there a good 
place to start? (Apologies for being a pest :-) )

Btw, I'm amazed at how useful and fast the replies on this list are! Thanks so 
much to all of you.

Johan

  ----- Original Message ----- 
  From: Scott Battaglia 
  To: [email protected] 
  Sent: Wednesday, February 25, 2009 8:50 PM
  Subject: Re: [cas-user] newbie question: Google Apps, MS-AD and other attribute


  It reads the principal id you use for Single Sign On (no surprise there, 
since it is a single sign on server ;-)).  If you want to change that behavior, 
you'd have to:

  a. get the mail attribute stored as an attribute on the Principal (see any of 
the CredentialsToPrincipalResolvers)
  b. modify the GoogleAccountsService to read that attribute instead of just 
getting the Principal id.

  -Scott



  On Wed, Feb 25, 2009 at 6:30 PM, Johan Reinalda 
<[email protected]> wrote:

    All,

    We are implementing a demo CAS environment, to see how it would work 
serving as an SSO platform for our web apps.
    We are traditionally an ASP/ASP.NET Windows environment, with additional 
experience in Unix/Linux with PHP and Perl, but learning Java (hopefully) as we 
go...

    So far, we have a basic setup working, talking to MS Active Directory as 
the account store, using the Fastbind example in the wiki 
(http://www.ja-sig.org/wiki/display/CASUM/Active+Directory). We have a Drupal 
install authenticating to it as a quick test app that talks CAS.

    Now, we are trying to get this working with GoogleApps, and we have created 
a test domain at GApps for that.  Integration works, but is using the username 
of the object (sAMAccountName attribute in AD terms).

    What we will need is to use the email address, as stored in the "mail" 
attribute. Digging around the maillist archives, it looks like this is possible
    
(http://www.nabble.com/Adding-data-to-SAML-response-(was-Passing-Google-apps-alternate-username)-to19446161.html#a19446161).

    Looking at CAS3.3.1 source,  in
    
cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java
    we see in line 163/164

     samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal()
                .getId());

    This seems to be the code that assigns the username to the SAML response, 
but we have no idea how to go from here :-( (i.e. how to get it to read the mail 
attribute and assign it here.)

    Any suggestions would be much appreciated.

    For completeness, this is running on CentOS 5.2, Tomcat 6.0.18, CAS-Server 
3.3.1

    Thanks in advance!

    Johan Reinalda
    Thunderbird School of Global Management
    Glendale, AZ, USA
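
Worked example of Scott's step (b), added here and not code from the thread or from the CAS project: it builds the value for <USERNAME_STRING> from the Principal's "mail" attribute instead of getId(). It assumes a Principal exposing getId() and getAttributes() as a Map, modelled by a small stand-in interface; the sample principal and its mail value are constructed.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

public class MailAttributeSubject {

    // Stand-in for org.jasig.cas.authentication.principal.Principal (assumed shape).
    interface Principal {
        String getId();
        Map<String, Object> getAttributes();
    }

    // SAML is XML: escape the LDAP value before splicing it into the template,
    // so a stray '<' or '&' in the directory cannot break or alter the assertion.
    static String xmlEscape(final String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    // Value to substitute for <USERNAME_STRING>. The mail attribute must be present
    // and single-valued; fail closed instead of silently falling back to the
    // principal id, which would send Google a different identifier than intended.
    static String subjectFor(final Principal p) {
        final Object mail = p.getAttributes().get("mail");
        if (mail == null || mail instanceof Collection) {
            throw new IllegalStateException(
                "principal " + p.getId() + " has no single-valued mail attribute");
        }
        return xmlEscape(mail.toString().trim());
    }

    // Replacement for the replace(...) call quoted from GoogleAccountsService.
    static String fillTemplate(final String samlTemplate, final Principal p) {
        return samlTemplate.replace("<USERNAME_STRING>", subjectFor(p));
    }

    public static void main(final String[] args) {
        // Constructed principal, as step (a) would produce once the resolver
        // copies the AD "mail" attribute onto the Principal.
        final Map<String, Object> attrs = new HashMap<String, Object>();
        attrs.put("mail", "user@example.com");
        final Principal p = new Principal() {
            public String getId() { return "sAMAccountName-value"; }
            public Map<String, Object> getAttributes() { return attrs; }
        };
        System.out.println(fillTemplate("<NameID><USERNAME_STRING></NameID>", p));
    }
}
```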





-- You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
