Hi Folks,

Third time setting up an environment to have attributes added into the response for 
the phpCAS SAML sample to pick up. This time I see CAS making requests for the 
attributes to the LDAP server and a response getting back to CAS by sniffing 
the wire. Those attributes do not appear to reach the phpCAS side, according to 
the response it gets:

<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope 
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
 xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2013-06-01T12:29:50.514Z" MajorVersion="1" MinorVersion="1" 
Recipient="http://localhost/CAS/indexsaml.php" 
ResponseID="_d73aabce459ad4affe93977e195e8703"><saml1p:Status><saml1p:StatusCode
 Value="saml1p:Success"/></saml1p:Status><saml1:Assertion 
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="_07991f7adfd9eaeca260f908490d6256" 
IssueInstant="2013-06-01T12:29:50.514Z" Issuer="localhost" MajorVersion="1" 
MinorVersion="1"><saml1:Conditions NotBefore="2013-06-01T12:29:50.514Z" 
NotOnOrAfter="2013-06-01T12:30:20.514Z"><saml1:AudienceRestrictionCondition><saml1:Audience>http://localhost/CAS/indexsaml.php</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
 AuthenticationInstant="2013-06-01T12:29:50.310Z" 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>[email protected]</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>

In casServiceValidationSuccess.jsp I have tried both:

<%-- Attribute block for the CAS protocol success response: one <cas:NAME>VALUE</cas:NAME>
     element per principal attribute of the last chained authentication; keys and values
     are passed through fn:escapeXml before they are written.
     NOTE(review): the SOAP/SAML response quoted above contains no cas:* elements at all,
     so it does not look like it is rendered from this JSP; confirm which view builds the
     SAML 1.1 response before changing this file further. --%>
<cas:attributes>
        <c:forEach var="attr"
                
items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}"
                varStatus="loopStatus" begin="0"
                
end="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)-1}"
                step="1">
                <%-- Produce output exactly as CAS client code expects it: 
<cas:attrName>attrValue</cas:attrName> --%>
                
<cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
        </c:forEach>
</cas:attributes>

and this alternative, which emits one cas:attribute element per attribute across all chained authentications:

<%-- Alternative encoding: <cas:attribute name="KEY" value="VALUE"/> for every attribute of
     every chained authentication, with key and value escaped via fn:escapeXml.
     NOTE(review): this, too, only affects the CAS protocol view; the SAML 1.1 response
     quoted above shows no trace of either encoding, so the attribute loss is most likely
     upstream of the JSP (attribute release for the registered service) rather than here. --%>
<c:forEach var="auth" items="${assertion.chainedAuthentications}">
    <c:forEach var="attr" items="${auth.principal.attributes}" >
        <cas:attribute name="${fn:escapeXml(attr.key)}" 
value="${fn:escapeXml(attr.value)}"/>
    </c:forEach>
</c:forEach>

Sorry that I am not proficient at Java. I would appreciate it if anyone could help 
out by explaining where I am going wrong. I would also like to know what I can do 
to turn up the logging. The catalina.out currently shows everything is OK, with 
no exceptions.

I have attached my latest deployConfigContext.xml file, with some values obfuscated.

Thanks,
JES
-- 
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	<!-- Authentication manager: the resolvers below turn submitted credentials into a Principal
	     (with attributes from attributeRepository), the handlers below verify them.
	     Both LDAP pieces share the contextSource bean defined further down. -->
	<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		
		<!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
		     This switch effectively will turn on clearpass.
		     NOTE(review): enabling this caches the user's password as stated above; keep it
		     disabled unless a downstream service genuinely needs it.
		<property name="authenticationMetaDataPopulators">
		   <list>
		      <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
		         <constructor-arg index="0" ref="credentialsCache" />
		      </bean>
		   </list>
		</property>
		 -->
		
		<property name="credentialsToPrincipalResolvers">
			<list>
				<!-- Proxy-callback (HTTP based) credentials: no attributes involved. -->
				<bean
					class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />

				<!-- Username/password credentials: look the user up in LDAP and take the principal id
				     from the "mail" attribute; attributes come from attributeRepository. -->
				    <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
				      <!-- The Principal resolver from the credentials -->
				      <property name="credentialsToPrincipalResolver">
						<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
							<!-- Same repository as the outer resolver; attributes are fetched by this inner one too. -->
							<property name="attributeRepository" ref="attributeRepository" />
						</bean>
				      </property>
				      <!--
						 The query made to find the Principal ID.
				      "%u" will be replaced by the resolved Principal
				      NOTE(review): "%u" ultimately derives from the username typed at login; confirm the
				      resolver escapes LDAP filter metacharacters before substituting it into the filter.
				      -->
				      <property name="filter" value="(mail=%u)" />
				 
				      <!-- The attribute used to define the new Principal ID -->
				      <property name="principalAttributeName" value="mail" />
				 
				      <property name="searchBase" value="dc=test,dc=com" />
				      <property name="contextSource" ref="contextSource" />
				 
				      <property name="attributeRepository">
					    <ref bean="attributeRepository" />
				      </property>
				    </bean>
			</list>
		</property>

		<property name="authenticationHandlers">
			<list>
				<!-- Proxy callback verification; httpClient is defined outside this file. -->
				<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />
				<!-- Search for the user by mail, then bind as that user with the submitted password.
				     Note the filter is written here without the surrounding parentheses used by the
				     resolver above; confirm both forms are accepted by the respective classes. -->
			    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
			      p:filter="mail=%u"
			      p:searchBase="dc=test,dc=com"
			      p:contextSource-ref="contextSource" />
			</list>
		</property>
	</bean>


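	<!-- Shared LDAP connection used by the principal resolver, the bind handler and the
	     attribute repository. Fix: the stray ";" after the url attribute value (an artifact
	     that breaks well-formedness) is removed. -->
	<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
	  <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
	  <property name="pooled" value="false"/>
	  <!-- NOTE(review): ldap:// without TLS combined with "simple" authentication below means the
	       manager bind and every user bind send the password in the clear on the wire; use ldaps://
	       (or StartTLS) for anything other than a same-host test setup. -->
	  <property name="url" value="ldap://localhost" />
	 
	  <!-- Service account used for searches. NOTE(review): the bind password is stored in plain text
	       in this file; keep the file's permissions tight or externalize the secret. -->
	  <property name="userDn" value="cn=manager"/>
	  <property name="password" value="pasword"/>
	 
	  <!-- Place JNDI environment properties here. -->
	  <property name="baseEnvironmentProperties">
	    <map>
	      <!-- Three seconds is an eternity to users. -->
	      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
	      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
	 
	      <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
	      <entry key="java.naming.security.authentication" value="simple" />
	    </map>
	  </property>
	</bean>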

	<!--
	This bean defines the security roles for the Services Management application.  Simple deployments can use the in-memory version.
	More robust deployments will want to use another option, such as the Jdbc version.
	
	The name of this should remain "userDetailsService" in order for Spring Security to find it.
	 -->
    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->

    <!-- NOTE(review): the ROLE_ADMIN user below still carries the "@@THIS SHOULD BE REPLACED@@"
         placeholder name; set it to the real administrator account before the services
         management application is reachable by anyone else. -->
    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>
	
	<!-- Person attribute source backing both principal resolvers above: queries LDAP through
	     contextSource and maps selected entry attributes onto principal attributes. -->
	<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
	  <property name="contextSource" ref="contextSource" />
	  <property name="baseDN" value="dc=test,dc=com" />
	  <property name="requireAllQueryAttributes" value="true" />
	 
	  <!-- The "username" query value is matched against the LDAP "mail" attribute, consistent
	       with principalAttributeName="mail" in the resolver above. -->
	  <property name="queryAttributeMapping">
	    <map>
	      <entry key="username" value="mail" />
	    </map>
	  </property>
	 
	  <property name="resultAttributeMapping">
	    <map>
	      <!-- Mapping between LDAP entry attributes (key) and Principal's (value).
	           The values ("Name", "Mail") are the principal attribute names that a registered
	           service's allowedAttributes list has to name for them to be released. -->
	      <entry value="Name" key="cn" />
	      <entry value="Mail" key="mail" />
	    </map>
	  </property>
	</bean>
	

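	<!-- Standalone registered-service definition releasing the Name and Mail attributes.
	     Fix: the stray ";" after the serviceId value (breaks well-formedness) is removed.
	     NOTE(review): this bean has no id and is not referenced from serviceRegistryDao below,
	     so it does not appear to be part of the in-memory service registry at all; the service
	     that is registered there declares no allowedAttributes. In addition, the service URL in
	     the SAML response quoted in the mail is plain http://..., which an "https://**" pattern
	     would not cover. Confirm which registration the phpCAS service actually resolves to. -->
	<bean class="org.jasig.cas.services.RegisteredServiceImpl">
	  <!-- Same id "0" as the RegexRegisteredService below; give each service a distinct id. -->
	  <property name="id" value="0" />
	  <property name="name" value="HTTPS Services" />
	  <property name="description" value="YOUR HTTP Service" />
	  <property name="serviceId" value="https://**" />
	  <property name="evaluationOrder" value="0" />
	  <!-- Principal attributes allowed to be released to this service; names match the
	       resultAttributeMapping values of attributeRepository. -->
	  <property name="allowedAttributes">
	    <list>
	      <value>Name</value>
	      <value>Mail</value>
	    </list>              
	  </property>
	</bean>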

	<!-- In-memory service registry: the only services CAS knows about are the ones listed here.
	     NOTE(review): the single entry matches any http(s) or imap(s) URL, i.e. every service on
	     the network can obtain tickets; narrow the pattern for anything beyond a lab setup. -->
	<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
            <property name="registeredServices">
                <list>
                    <!-- "http://localhost/CAS/indexsaml.php" (the Recipient in the quoted SAML response)
                         matches this pattern. No allowedAttributes property is set on this service,
                         unlike the RegisteredServiceImpl bean above; if attribute release is decided
                         per registered service, nothing is whitelisted here, which would explain the
                         empty attribute set seen by phpCAS. Confirm and add the list if so. -->
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <!-- id "0" duplicates the id of the RegisteredServiceImpl bean above. -->
                        <property name="id" value="0" />
                        <property name="name" value="HTTP and IMAP" />
                        <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                        <property name="serviceId" value="^(https?|imaps?)://.*" />
                        <property name="evaluationOrder" value="10000001" />
                    </bean>
                </list>
            </property>
        </bean>


  <!-- Audit records (inspektr) are written to the SLF4J logger; where they end up is decided by
       the logging configuration outside this file, so "turning up the logging" starts there. -->
  <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
  
  <!-- Health checks exposed by CAS: free memory and ticket-registry session counts.
       The ticketRegistry bean referenced by SessionMonitor is defined outside this file. -->
  <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
    <property name="monitors">
      <list>
        <!-- Warn when free memory drops below the threshold (units not shown here; see MemoryMonitor). -->
        <bean class="org.jasig.cas.monitor.MemoryMonitor"
            p:freeMemoryWarnThreshold="10" />
        <!--
          NOTE
          The following ticket registries support SessionMonitor:
            * DefaultTicketRegistry
            * JpaTicketRegistry
          Remove this monitor if you use an unsupported registry.
        -->
        <bean class="org.jasig.cas.monitor.SessionMonitor"
            p:ticketRegistry-ref="ticketRegistry"
            p:serviceTicketCountWarnThreshold="5000"
            p:sessionCountWarnThreshold="100000" />
      </list>
    </property>
  </bean>
</beans>
