I finally managed to get this working. Perhaps the solution was too
basic to warrant a general response, but for the benefit of those
who may be similarly stumped in the future, this is the "CAS for Dummies"
version of what I think I've learned.

An app must request.getUserPrincipal().  The script referenced by
Laura below does this, as does the Saml11TicketValidationFilter example
<https://wiki.jasig.org/display/CASC/Saml11TicketValidationFilter+Example>.
Simply testing with the server's /cas/login servlet isn't sufficient.
Then, as Laura and the documentation note, specific attributes to be
released are configured via the Services Manager.

This differs from some other software, such as the Shibboleth IdP,
which resolves the attributes regardless, then filters the set of
allowable attributes for a given service provider.  These actions
are visible via Shib's logs.

Aloha,
-baron
-- 
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

On Fri, Jun 01, 2012 at 01:34:41PM -0500, Laura McCord wrote:
: When I setup my attributes I was getting the same exact thing in my
: logs as you were. There wasn't anything in the logs that showed me
: the values of the other mapped attributes, maybe this differs on how
: other people have their logs set up, but in my case I was blind to
: it.
: 
: It wasn't until I went to the services manager and chose the SSO
: application that I wanted to expose the attributes to, highlighted
: the attributes from the GUI that I started seeing the attributes
: from the client side (the actual "cas-ified" application). Since my
: "cas-ified" application is a php app, I used Joachim's script to
: view my attributes:
: https://github.com/Jasig/phpCAS/blob/master/docs/examples/example_advanced_saml11.php
: 
: Hope this helps,
:  Laura
: 
: On 6/1/12 1:15 PM, Baron Fujimoto wrote:
: >Anyone?  Is there more information I could provide that might help?
: >Does another app need to explicitly request the attributes before
: >they are resolved and mapped?
: >
: >-baron
: >
: >On Wed, May 30, 2012 at 05:32:55PM -1000, Baron Fujimoto wrote:
: >: I've seen this topic come up a few times recently, but I'm afraid I'm
: >: still not sure what, if anything, I'm doing wrong.
: >:
: >: I've set up CAS server 3.4.11 and can successfully authenticate against
: >: our LDAP.  I'm now trying to set up/test attribute release using this
: >: wiki page as a reference:
: >:
: >:<https://wiki.jasig.org/display/CASUM/Attributes>
: >:
: >: I have the following defined in deployerConfigContext.xml:
: >:
: >: <bean id="attributeRepository"
: >:       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
: >:   <property name="contextSource" ref="contextSource" />
: >:   <property name="baseDN" value="ou=people,dc=hawaii,dc=edu" />
: >:   <property name="requireAllQueryAttributes" value="true" />
: >:
: >:   <!--
: >:       Attribute mapping between principal (key) and LDAP (value) names
: >:       used to perform the LDAP search.  By default, multiple search criteria
: >:       are ANDed together.  Set the queryType property to change to OR.
: >:       -->
: >:   <property name="queryAttributeMapping">
: >:     <map>
: >:       <entry key="username" value="uid" />
: >:     </map>
: >:   </property>
: >:
: >:   <property name="resultAttributeMapping">
: >:     <map>
: >:       <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
: >:       <entry key="cn" value="fullName"/>
: >:       <entry key="uhUuid" value="uhNumber"/>
: >:       <entry key="eduPersonAffiliation" value="uhAffiliation"/>
: >:       <entry key="eduPersonOrgDN" value="uhOrg"/>
: >:       <entry key="uhOrgAffiliation" value="uhOrgAffiliation"/>
: >:     </map>
: >:   </property>
: >: </bean>
: >:
: >: If I login with the .../cas/login servlet, I see the following in the log:
: >:
: >: 2012-05-30 17:22:31,472 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: baron]
: >: 2012-05-30 17:22:31,577 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created seed map='{username=[baron]}' for uid='baron'
: >: 2012-05-30 17:22:31,577 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created seed map='{username=[baron]}' for uid='baron'
: >: 2012-05-30 17:22:31,578 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding attribute 'uid' with value '[baron]' to query builder 'null'
: >: 2012-05-30 17:22:31,578 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding attribute 'uid' with value '[baron]' to query builder 'null'
: >: 2012-05-30 17:22:31,580 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Generated query builder '(uid=baron)' from query Map {username=[baron]}.
: >: 2012-05-30 17:22:31,580 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Generated query builder '(uid=baron)' from query Map {username=[baron]}.
: >: 2012-05-30 17:22:31,688 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal baron
: >: 2012-05-30 17:22:31,688 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Principal found: baron
: >:
: >: I don't see any indications that it's retrieving or mapping the
: >: attributes configured above.  Should I?  I don't see any errors either
: >: though, so I'm probably missing something more basic.
: >:
: >: (I'm also not sure why I'm seeing repeated log entries for
: >: org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao.
: >:
: >:<logger name="org.jasig.services.persondir">
: >:<level value="DEBUG" />
: >:<appender-ref ref="cas" />
: >:</logger>
: >:
: >: is the only DEBUG I've set in log4j.xml.  It would be nice to clean that
: >: up too.)
: 
: -- 
: 
: Laura McCord
: Web Programmer/Analyst
: Southwestern University
: [email protected] <mailto:[email protected]>
: 
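
Added example, not part of the thread and not code from the CAS project: a diagnostic servlet for a "cas-ified" Java application that calls request.getUserPrincipal() and lists the attributes the server actually released to this service. It assumes the Jasig Java CAS client's Saml11TicketValidationFilter and HttpServletRequestWrapperFilter are mapped in front of the servlet; the class name ShowReleasedAttributesServlet is hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Map;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.authentication.AttributePrincipal;

// Hypothetical diagnostic servlet: shows what this service receives from CAS.
public class ShowReleasedAttributesServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Plain text, so directory values are never interpreted as markup.
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();

        // Only populated when the CAS client filters ran for this request.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            out.println("No principal: the CAS client filters do not cover this URL.");
            return;
        }
        out.println("Principal: " + principal.getName());

        // Attributes are only available on the CAS client's AttributePrincipal.
        if (!(principal instanceof AttributePrincipal)) {
            out.println("Principal is not an AttributePrincipal; no attributes available.");
            return;
        }

        Map<?, ?> attributes = ((AttributePrincipal) principal).getAttributes();
        if (attributes == null || attributes.isEmpty()) {
            // Typical when nothing is selected for this service in the Services Manager.
            out.println("No attributes were released to this service.");
            return;
        }

        // Names are the Principal-side names from resultAttributeMapping, e.g. fullName.
        for (Map.Entry<?, ?> entry : attributes.entrySet()) {
            out.println(entry.getKey() + " = " + entry.getValue());
        }
    }
}
```

An empty list here with a valid principal points at the service's attribute selection in the Services Manager rather than at the LDAP mapping.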
