Did you map a service to a set of attributes in the Services Management tool? Other than the attributes not being retrieved from LDAP correctly, not selecting any attributes in the Services Management tool is the second most common error.
Cheers,
Scott

On Mon, Apr 4, 2011 at 4:49 PM, Dave <[email protected]> wrote:

> Like some others on here I'm having a problem getting LDAP attributes
> passed through on a SAML 1.1 response. I upgraded to CAS 3.4.7 so that I
> could get the better Attribute map logging and I can see that my attributes
> are being found. So let's get down to business. ANY help would be
> appreciated! First my deployerConfigContext.xml:
>
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xmlns:sec="http://www.springframework.org/schema/security"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>        http://www.springframework.org/schema/security
>        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
>
>   <bean id="eldapContextSource"
>         class="org.springframework.ldap.core.support.LdapContextSource">
>     <property name="pooled" value="false"/>
>     <property name="urls">
>       <list>
>         <value>ldap://servername:389/</value>
>       </list>
>     </property>
>     <property name="userDn"
>               value="cn=iandeAdmin,ou=admins,ou=users,dc=oclc,dc=org"/>
>     <property name="password" value="d3v14nd3"/>
>     <property name="baseEnvironmentProperties">
>       <map>
>         <entry>
>           <key>
>             <value>java.naming.security.authentication</value>
>           </key>
>           <value>simple</value>
>         </entry>
>       </map>
>     </property>
>   </bean>
>
>   <bean id="authenticationManager"
>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>
>     <property name="credentialsToPrincipalResolvers">
>       <list>
>         <bean
>           class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>           <!-- The Principal resolver from the credentials -->
>           <property name="credentialsToPrincipalResolver">
>             <bean
>               class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
>           </property>
>
>           <!-- The query made to find the Principal ID. "%u" will
>                be replaced by the resolved Principal -->
>           <property name="filter" value="(cn=%u)"/>
>
>           <!-- The attribute used to define the new Principal ID
>           -->
>           <property name="principalAttributeName" value="cn"/>
>           <property name="searchBase"
>                     value="ou=users,dc=company,dc=org"/>
>           <property name="contextSource"
>                     ref="eldapContextSource"/>
>
>           <property name="attributeRepository">
>             <ref bean="attributeRepository"/>
>           </property>
>         </bean>
>       </list>
>     </property>
>
>     <property name="authenticationHandlers">
>       <list>
>
>         <bean
>           class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>           p:httpClient-ref="httpClient" />
>
>         <bean
>           class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
>           <property name="filter"
>                     value="cn=%u,ou=users,dc=company,dc=org" />
>           <property name="contextSource" ref="eldapContextSource"
>           />
>         </bean>
>       </list>
>     </property>
>   </bean>
>
>   <sec:user-service id="userDetailsService">
>     <sec:user name="casadmin" password="notused"
>               authorities="ROLE_ADMIN" />
>   </sec:user-service>
>
>   <bean id="attributeRepository"
>         class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
>     <property name="contextSource" ref="eldapContextSource" />
>     <property name="baseDN" value="ou=users,dc=company,dc=org" />
>     <property name="requireAllQueryAttributes" value="true" />
>     <property name="queryAttributeMapping">
>       <map>
>         <entry key="username" value="cn" />
>       </map>
>     </property>
>
>     <property name="resultAttributeMapping">
>       <map>
>         <entry key="cn" value="Name"/>
>         <entry key="businessCategory" value="businessCategory" />
>       </map>
>     </property>
>   </bean>
>
>   <bean id="serviceRegistryDao"
>         class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>     <property name="registeredServices">
>       <list>
>         <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>           <property name="id" value="0" />
>           <property name="name" value="HTTP" />
>           <property name="description" value="Only Allows HTTP
>                     Urls" />
>           <property name="serviceId" value="http://**" />
>         </bean>
>
>         <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>           <property name="id" value="1" />
>           <property name="name" value="HTTPS" />
>           <property name="description" value="Only Allows HTTPS
>                     Urls" />
>           <property name="serviceId" value="https://**" />
>         </bean>
>
>         <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>           <property name="id" value="2" />
>           <property name="name" value="IMAPS" />
>           <property name="description" value="Only Allows HTTPS
>                     Urls" />
>           <property name="serviceId" value="imaps://**" />
>         </bean>
>
>         <bean class="org.jasig.cas.services.RegisteredServiceImpl">
>           <property name="id" value="3" />
>           <property name="name" value="IMAP" />
>           <property name="description" value="Only Allows IMAP
>                     Urls" />
>           <property name="serviceId" value="imap://**" />
>         </bean>
>       </list>
>     </property>
>   </bean>
>
>   <bean id="auditTrailManager"
>         class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
>
> </beans>
>
>
> Next I turned up logging on org.jasig to DEBUG... below is a login attempt
>
> 2011-04-04 16:40:45,709 DEBUG
> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] -
> <Performing LDAP bind with credential:
> cn=joesmith,ou=users,dc=company,dc=org>
> 2011-04-04 16:40:45,726 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully
> authenticated the user which provided the following credentials: [username:
> joesmith]>
> 2011-04-04 16:40:45,726 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Attempting to resolve a principal...>
> 2011-04-04 16:40:45,726 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - <Attempting to resolve a principal...>
> 2011-04-04 16:40:45,726 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - <Creating SimplePrincipal for [joesmith]>
> 2011-04-04 16:40:45,729 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Resolved joesmith. Trying LDAP resolve now...>
> 2011-04-04 16:40:45,729 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <LDAP search with filter "(cn=joesmith)">
> 2011-04-04 16:40:45,729 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <returning searchcontrols: scope=2; search
> base=ou=users,dc=company,dc=org; attributes=[cn]; timeout=1000>
> 2011-04-04 16:40:45,753 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Resolved joesmith to joesmith>
> 2011-04-04 16:40:45,754 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Creating SimplePrincipal for [joesmith]>
> 2011-04-04 16:40:45,754 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
> <Created seed map='{username=[joesmith]}' for uid='joesmith'>
> 2011-04-04 16:40:45,754 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - <Adding
> attribute 'cn' with value '[joesmith]' to query builder 'null'>
> 2011-04-04 16:40:45,760 DEBUG
> [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] -
> <Generated query builder '(cn=joesmith)' from query Map
> {username=[joesmith]}.>
> 2011-04-04 16:40:45,800 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved
> principal joesmith>
> 2011-04-04 16:40:45,800 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Principal found:
> joesmith>
> 2011-04-04 16:40:45,801 DEBUG
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map
> for joesmith: {Name=joesmith, [email protected],
> businessCategory=User Support Center}>
> 2011-04-04 16:40:45,804 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: [username: joesmith]
> WHAT: supplied credentials: [username: joesmith]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Mon Apr 04 16:40:45 EDT 2011
> CLIENT IP ADDRESS: 255.255.20.129
> SERVER IP ADDRESS: unknown
> =============================================================
>
>
>
> 2011-04-04 16:40:45,810 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
> [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas] to registry.>
> 2011-04-04 16:40:45,810 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: [username: joesmith]
> WHAT: TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Mon Apr 04 16:40:45 EDT 2011
> CLIENT IP ADDRESS: 255.255.20.129
> SERVER IP ADDRESS: unknown
> =============================================================
>
>
>
> 2011-04-04 16:40:45,811 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed
> cookie with name [CASPRIVACY]>
> 2011-04-04 16:40:45,813 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie
> with name [CASTGC] and value
> [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas]>
> 2011-04-04 16:40:45,815 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> retrieve ticket
> [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas]>
> 2011-04-04 16:40:45,816 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
> [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas] found in
> registry.>
> 2011-04-04 16:40:45,818 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket
> [ST-1-9fpUPGgSHremFvW70x7C-cas] to registry.>
> 2011-04-04 16:40:45,819 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
> [ST-1-9fpUPGgSHremFvW70x7C-cas] for service [
> http://wwwdev.ent.company.org/support/webscale/cas] for user [joesmith]>
> 2011-04-04 16:40:45,819 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> retrieve ticket
> [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas]>
> 2011-04-04 16:40:45,819 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
> [TGT-1-NzEeJG13cc5HBRtkoZBX3T0tffq7g6EShDZdAV3RgFBRYtmUAp-cas] found in
> registry.>
> 2011-04-04 16:40:45,819 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: joesmith
> WHAT: ST-1-9fpUPGgSHremFvW70x7C-cas for
> http://wwwdev.ent.company.org/support/webscale/cas
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Mon Apr 04 16:40:45 EDT 2011
> CLIENT IP ADDRESS: 255.255.20.129
> SERVER IP ADDRESS: unknown
> =============================================================
>
>
>
> 2011-04-04 16:40:46,252 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - <Attempted to extract
> Request from HttpServletRequest. Results:>
> 2011-04-04 16:40:46,252 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - <Request Body:
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="
> http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
> xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1"
> MinorVersion="1" RequestID="_255.255.16.51.1024506224022"
> IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-1-9fpUPGgSHremFvW70x7C-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>>
> 2011-04-04 16:40:46,253 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - <Extracted
> ArtifactId: ST-1-9fpUPGgSHremFvW70x7C-cas>
> 2011-04-04 16:40:46,253 DEBUG
> [org.jasig.cas.authentication.principal.SamlService] - <Extracted Request
> Id: _255.255.16.51.1024506224022>
> 2011-04-04 16:40:46,253 DEBUG
> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor generated
> service for: http://wwwdev.ent.company.org/support/webscale/cas>
> 2011-04-04 16:40:46,257 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> retrieve ticket [ST-1-9fpUPGgSHremFvW70x7C-cas]>
> 2011-04-04 16:40:46,257 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
> [ST-1-9fpUPGgSHremFvW70x7C-cas] found in registry.>
> 2011-04-04 16:40:46,260 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket
> [ST-1-9fpUPGgSHremFvW70x7C-cas] from registry>
> 2011-04-04 16:40:46,260 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> retrieve ticket [ST-1-9fpUPGgSHremFvW70x7C-cas]>
> 2011-04-04 16:40:46,261 INFO
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: ST-1-9fpUPGgSHremFvW70x7C-cas
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Mon Apr 04 16:40:46 EDT 2011
> CLIENT IP ADDRESS: 255.255.113.28
> SERVER IP ADDRESS: unknown
> =============================================================
>
>
>
> 2011-04-04 16:40:46,280 DEBUG [org.jasig.cas.web.ServiceValidateController]
> - <Successfully validated service ticket: ST-1-9fpUPGgSHremFvW70x7C-cas>
>
> Finally, here is the SAML response on the client side:
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="
> http://schemas.xmlsoap.org/soap/envelope/">
>   <SOAP-ENV:Header/>
>   <SOAP-ENV:Body>
>     <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
>               xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>               xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="
>               http://www.w3.org/2001/XMLSchema" xmlns:xsi="
>               http://www.w3.org/2001/XMLSchema-instance"
>               IssueInstant="2011-04-04T20:45:41.801Z" MajorVersion="1" MinorVersion="1"
>               Recipient="http://wwwdev.ent.company.org/support/webscale/cas"
>               ResponseID="_946d488040a9ba7a01342735b9f108cf">
>       <Status>
>         <StatusCode Value="samlp:Success"/>
>       </Status>
>       <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
>                  AssertionID="_e176ba8ec0838077df72ebed25c032ca"
>                  IssueInstant="2011-04-04T20:45:41.801Z" Issuer="localhost" MajorVersion="1"
>                  MinorVersion="1">
>         <Conditions NotBefore="2011-04-04T20:45:41.801Z"
>                     NotOnOrAfter="2011-04-04T20:46:11.801Z">
>           <AudienceRestrictionCondition>
>             <Audience>http://wwwdev.ent.company.org/support/webscale/cas
>             </Audience>
>           </AudienceRestrictionCondition>
>         </Conditions>
>         <AuthenticationStatement
>             AuthenticationInstant="2011-04-04T20:45:41.350Z"
>             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
>           <Subject>
>             <NameIdentifier>joesmith</NameIdentifier>
>             <SubjectConfirmation>
>
>
>               <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>
>             </SubjectConfirmation>
>           </Subject>
>         </AuthenticationStatement>
>       </Assertion>
>     </Response>
>   </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
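Scott's point, the per-service attribute mapping, written out as an added example (it is not Dave's deployerConfigContext.xml and not code from the CAS project): in CAS 3.4 every RegisteredServiceImpl carries an allowedAttributes list that is empty by default, and only attributes named in it are released into the SAML 1.1 AttributeStatement. The names must be the principal attribute names, i.e. the values on the right-hand side of resultAttributeMapping, which is exactly what the "Attribute map for joesmith" log line shows.

```xml
<!-- Added example: the HTTP service from the posted config, now releasing
     the two attributes that the attribute repository produces. -->
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="0" />
        <property name="name" value="HTTP" />
        <property name="description" value="Only Allows HTTP Urls" />
        <!-- Matches http://wwwdev.ent.company.org/support/webscale/cas,
             the service that requested the SAML 1.1 validation above. -->
        <property name="serviceId" value="http://**" />
        <!-- Release list. Use the mapped names ("Name", not the LDAP
             attribute "cn"); anything not listed here is silently dropped
             from the assertion even though it was resolved from LDAP. -->
        <property name="allowedAttributes">
          <list>
            <value>Name</value>
            <value>businessCategory</value>
          </list>
        </property>
      </bean>
    </list>
  </property>
</bean>
```

Because this registry is InMemoryServiceRegistryDaoImpl, attributes ticked in the Services Management tool live only until the next restart, so a release list you want to keep belongs in this XML (or in a persistent registry).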
