Like some others on here I'm having a problem getting LDAP attributes passed 
through on a SAML 1.1 response.  I upgraded to CAS 3.4.7 so that I could get 
the better Attribute map logging and I can see that my attributes are being 
found.  So let's get down to business.  ANY help would be appreciated!  First 
my deployerConfigContext.xml:


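<?xml version="1.0" encoding="UTF-8"?>
<!--
  deployerConfigContext.xml for a CAS 3.4.7 deployment (as posted).
  Wires: one shared LDAP context source, the authentication manager
  (principal resolution + authentication handlers), the person-directory
  attribute repository, the in-memory service registry and the audit
  trail manager.
  The stray ";" after each namespace URI in the posted copy (a list-archive
  artefact that made the file non-well-formed) has been removed.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!--
      Shared LDAP connection used by the principal resolver, the bind
      authentication handler and the attribute repository.
      The URL is plain ldap:// and the bind mode is "simple", and nothing in
      this context negotiates TLS, so the service-account password below and
      every user password sent by FastBindLdapAuthenticationHandler cross the
      network in cleartext. Prefer ldaps:// (or StartTLS) to the directory.
    -->
    <bean id="eldapContextSource"
          class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="pooled" value="false"/>
        <property name="urls">
            <list>
                <value>ldap://servername:389/</value>
            </list>
        </property>
        <!--
          NOTE(review): this DN sits under dc=oclc,dc=org while every other
          base in this file is dc=company,dc=org - confirm which is intended.
        -->
        <property name="userDn"
                  value="cn=iandeAdmin,ou=admins,ou=users,dc=oclc,dc=org"/>
        <!--
          Service-account password hard-coded in the application context. It
          is also in this mailing-list post, so treat it as disclosed and
          rotate it. Keep it out of the context file with a property
          placeholder (PropertyPlaceholderConfigurer reading a file outside
          the webapp) rather than literally here.
        -->
        <property name="password" value="d3v14nd3"/>
        <property name="baseEnvironmentProperties">
            <map>
                <!-- Same entry as the original nested <key>/<value> form. -->
                <entry key="java.naming.security.authentication" value="simple"/>
            </map>
        </property>
    </bean>

    <!--
      Authentication: handlers verify the submitted credentials; resolvers turn
      accepted credentials into a Principal. Order within each list matters.
    -->
    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">

        <property name="credentialsToPrincipalResolvers">
            <list>
                <!--
                  Username/password -> SimplePrincipal(username) -> LDAP search
                  for that principal (filter below) -> Principal whose id is
                  principalAttributeName and whose attributes come from
                  attributeRepository. The DEBUG log in this thread shows this
                  chain resolving "joesmith" and building the attribute map.
                -->
                <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
                    <!-- The Principal resolver from the credentials -->
                    <property name="credentialsToPrincipalResolver">
                        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
                    </property>

                    <!-- The query made to find the Principal ID. "%u" will be
                         replaced by the resolved Principal -->
                    <property name="filter" value="(cn=%u)"/>

                    <!-- The attribute used to define the new Principal ID -->
                    <property name="principalAttributeName" value="cn"/>
                    <property name="searchBase" value="ou=users,dc=company,dc=org"/>
                    <property name="contextSource" ref="eldapContextSource"/>

                    <property name="attributeRepository">
                        <ref bean="attributeRepository"/>
                    </property>
                </bean>
            </list>
        </property>

        <property name="authenticationHandlers">
            <list>
                <!-- Authenticates HttpBasedServiceCredentials through httpClient. -->
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                      p:httpClient-ref="httpClient"/>

                <!--
                  Binds to the directory as the user: "%u" is substituted into
                  this DN template with the submitted username and the bind is
                  attempted with the submitted password.
                  NOTE(review): whether the handler escapes DN-special
                  characters in the username before substitution is not
                  visible here - confirm in FastBindLdapAuthenticationHandler.
                -->
                <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
                    <property name="filter" value="cn=%u,ou=users,dc=company,dc=org"/>
                    <property name="contextSource" ref="eldapContextSource"/>
                </bean>
            </list>
        </property>
    </bean>

    <!--
      In-memory user for the Spring Security layer of the services-management
      webapp; the "notused" password presumably means authentication there is
      delegated elsewhere - confirm.
    -->
    <sec:user-service id="userDetailsService">
        <sec:user name="casadmin" password="notused" authorities="ROLE_ADMIN"/>
    </sec:user-service>

    <!--
      Person-directory attribute source. The seed map {username=<principal>}
      becomes the LDAP query (cn=<principal>) via queryAttributeMapping; the
      LDAP attributes named as keys in resultAttributeMapping are exposed under
      the mapped names (cn -> "Name", businessCategory unchanged).
    -->
    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="contextSource" ref="eldapContextSource"/>
        <property name="baseDN" value="ou=users,dc=company,dc=org"/>
        <property name="requireAllQueryAttributes" value="true"/>
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="cn"/>
            </map>
        </property>

        <property name="resultAttributeMapping">
            <map>
                <entry key="cn" value="Name"/>
                <entry key="businessCategory" value="businessCategory"/>
            </map>
        </property>
    </bean>

    <!--
      Service registry. Attribute release is decided per registered service: a
      RegisteredServiceImpl releases only the attributes listed in its
      allowedAttributes property, and none of the entries below sets it -
      consistent with the SAML response in this thread carrying no
      AttributeStatement even though the attribute map was resolved.
      NOTE(review): confirm the property name against the 3.4.7 sources.
      The http://** and https://** patterns also let any URL act as a CAS
      service; narrow them to the hosts that should receive tickets (and the
      user's attributes).
    -->
    <bean id="serviceRegistryDao"
          class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="0"/>
                    <property name="name" value="HTTP"/>
                    <property name="description" value="Only Allows HTTP Urls"/>
                    <property name="serviceId" value="http://**"/>
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="1"/>
                    <property name="name" value="HTTPS"/>
                    <property name="description" value="Only Allows HTTPS Urls"/>
                    <property name="serviceId" value="https://**"/>
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="2"/>
                    <property name="name" value="IMAPS"/>
                    <!-- Description corrected; it previously repeated the HTTPS text. -->
                    <property name="description" value="Only Allows IMAPS Urls"/>
                    <property name="serviceId" value="imaps://**"/>
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="3"/>
                    <property name="name" value="IMAP"/>
                    <property name="description" value="Only Allows IMAP Urls"/>
                    <property name="serviceId" value="imap://**"/>
                </bean>
            </list>
        </property>
    </bean>

    <!-- Emits the "Audit trail record BEGIN" blocks seen in the log via SLF4J. -->
    <bean id="auditTrailManager"
          class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"/>

</beans>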


Next I turned up logging on org.jasig to DEBUG; below is a login attempt:

2011-04-04 16:40:45,709 DEBUG 
[org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - <Performing 
LDAP bind with credential: cn=joesmith,ou=users,dc=company,dc=org>
2011-04-04 16:40:45,726 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
<AuthenticationHandler: 
org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully 
authenticated the user which provided the following credentials: [username: 
joesmith]>
2011-04-04 16:40:45,726 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - <Attempting to resolve a principal...>
2011-04-04 16:40:45,726 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - <Attempting to resolve a principal...>
2011-04-04 16:40:45,726 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - <Creating SimplePrincipal for [joesmith]>
2011-04-04 16:40:45,729 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - <Resolved joesmith. Trying LDAP resolve now...>
2011-04-04 16:40:45,729 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - <LDAP search with filter "(cn=joesmith)">
2011-04-04 16:40:45,729 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - <returning searchcontrols: scope=2; search base=ou=users,dc=company,dc=org; 
attributes=[cn]; timeout=1000>
2011-04-04 16:40:45,753 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - <Resolved joesmith to joesmith>
2011-04-04 16:40:45,754 DEBUG 
[org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
 - <Creating SimplePrincipal for [joesmith]>
2011-04-04 16:40:45,754 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Created 
seed map='{username=[joesmith]}' for uid='joesmith'>
2011-04-04 16:40:45,754 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Adding 
attribute 'cn' with value '[joesmith]' to query builder 'null'>
2011-04-04 16:40:45,760 DEBUG 
[org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Generated 
query builder '(cn=joesmith)' from query Map {username=[joesmith]}.>
2011-04-04 16:40:45,800 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal 
joesmith>
2011-04-04 16:40:45,800 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - <Principal found: 
joesmith>
2011-04-04 16:40:45,801 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for 
joesmith: {Name=joesmith, [email protected], businessCategory=User 
Support Center}>
2011-04-04 16:40:45,804 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: [username: joesmith]
WHAT: supplied credentials: [username: joesmith]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Apr 04 16:40:45 EDT 2011
CLIENT IP ADDRESS: 255.255.20.129
SERVER IP ADDRESS: unknown
=============================================================

>
2011-04-04 16:40:45,810 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket 
[TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas] to registry.>
2011-04-04 16:40:45,810 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: [username: joesmith]
WHAT: TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Apr 04 16:40:45 EDT 2011
CLIENT IP ADDRESS: 255.255.20.129
SERVER IP ADDRESS: unknown
=============================================================

>
2011-04-04 16:40:45,811 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie 
with name [CASPRIVACY]>
2011-04-04 16:40:45,813 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie 
with name [CASTGC] and value 
[TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas]>
2011-04-04 16:40:45,815 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve 
ticket [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas]>
2011-04-04 16:40:45,816 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket 
[TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas] found in 
registry.>
2011-04-04 16:40:45,818 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket 
[ST-1-9fpUPGgSHremFvW70x7C-cas] to registry.>
2011-04-04 16:40:45,819 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
<Granted service ticket [ST-1-9fpUPGgSHremFvW70x7C-cas] for service 
[http://wwwdev.ent.company.org/support/webscale/cas] for user [joesmith]>
2011-04-04 16:40:45,819 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve 
ticket [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas]>
2011-04-04 16:40:45,819 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket 
[TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas] found in 
registry.>
2011-04-04 16:40:45,819 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: joesmith
WHAT: ST-1-9fpUPGgSHremFvW70x7C-cas for 
http://wwwdev.ent.company.org/support/webscale/cas
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Apr 04 16:40:45 EDT 2011
CLIENT IP ADDRESS: 255.255.20.129
SERVER IP ADDRESS: unknown
=============================================================

>
2011-04-04 16:40:46,252 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - <Attempted to extract 
Request from HttpServletRequest.  Results:>
2011-04-04 16:40:46,252 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - <Request Body: 
<SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" 
MinorVersion="1" RequestID="_255.255.16.51.1024506224022" 
IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-1-9fpUPGgSHremFvW70x7C-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>>
2011-04-04 16:40:46,253 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - <Extracted ArtifactId: 
ST-1-9fpUPGgSHremFvW70x7C-cas>
2011-04-04 16:40:46,253 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - <Extracted Request Id: 
_255.255.16.51.1024506224022>
2011-04-04 16:40:46,253 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] 
- <Extractor generated service for: 
http://wwwdev.ent.company.org/support/webscale/cas>
2011-04-04 16:40:46,257 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve 
ticket [ST-1-9fpUPGgSHremFvW70x7C-cas]>
2011-04-04 16:40:46,257 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket 
[ST-1-9fpUPGgSHremFvW70x7C-cas] found in registry.>
2011-04-04 16:40:46,260 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket 
[ST-1-9fpUPGgSHremFvW70x7C-cas] from registry>
2011-04-04 16:40:46,260 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve 
ticket [ST-1-9fpUPGgSHremFvW70x7C-cas]>
2011-04-04 16:40:46,261 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-9fpUPGgSHremFvW70x7C-cas
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Apr 04 16:40:46 EDT 2011
CLIENT IP ADDRESS: 255.255.113.28
SERVER IP ADDRESS: unknown
=============================================================

>
2011-04-04 16:40:46,280 DEBUG [org.jasig.cas.web.ServiceValidateController] - 
<Successfully validated service ticket: ST-1-9fpUPGgSHremFvW70x7C-cas>

Finally, here is the SAML response on the client side:


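<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 1.1 artifact-resolution response returned by CAS over the SOAP
  back-channel, as captured on the client. The stray ";" after each namespace
  URI in the posted copy (a list-archive artefact that made the document
  non-well-formed) has been removed.
-->
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
              xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
              xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              IssueInstant="2011-04-04T20:45:41.801Z" MajorVersion="1" MinorVersion="1"
              Recipient="http://wwwdev.ent.company.org/support/webscale/cas"
              ResponseID="_946d488040a9ba7a01342735b9f108cf">
      <Status>
        <StatusCode Value="samlp:Success"/>
      </Status>
      <!--
        Neither Response nor Assertion carries a ds:Signature: the consumer's
        only assurance of origin is that it fetched this over the artifact
        back-channel to the CAS server, so that channel must be https (the CAS
        endpoint's scheme is not shown in this thread). Recipient/Audience
        are plain http://, which is the service URL, not the CAS endpoint.
        Issuer="localhost" is presumably the default; set it to the CAS
        server's real name so consumers can check it.
      -->
      <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                 AssertionID="_e176ba8ec0838077df72ebed25c032ca"
                 IssueInstant="2011-04-04T20:45:41.801Z" Issuer="localhost" MajorVersion="1"
                 MinorVersion="1">
        <!-- 30-second validity window; clock skew between CAS and the service must stay inside it. -->
        <Conditions NotBefore="2011-04-04T20:45:41.801Z"
                    NotOnOrAfter="2011-04-04T20:46:11.801Z">
          <AudienceRestrictionCondition>
            <Audience>http://wwwdev.ent.company.org/support/webscale/cas</Audience>
          </AudienceRestrictionCondition>
        </Conditions>
        <AuthenticationStatement AuthenticationInstant="2011-04-04T20:45:41.350Z"
                                 AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
          <Subject>
            <NameIdentifier>joesmith</NameIdentifier>
            <SubjectConfirmation>
              <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>
            </SubjectConfirmation>
          </Subject>
        </AuthenticationStatement>
        <!--
          No AttributeStatement: the attribute map CAS resolved for this user
          (Name, businessCategory, ...) was not released for this service.
        -->
      </Assertion>
    </Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>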
