I have a set of attributes that are based on Credentials (e.g. an internal LOA value based on the credential type, certificate used in X509 authentication) that I need to have expressed as attributes in the SAML 1.1 assertion generated by CAS. Using an AuthenticationMetadataPopulator approach won't work, since the SAML response won't look at the additional attributes, and I can't attach the attributes to the principal, since the Attributes map is immutable after resolvePrincipal() is run.
There are two approaches I'm considering to get around this:

1. Modify the SAML 1.1 response to add the additional authentication attributes to the AttributeStatement, perhaps excluding the authentication method since it appears elsewhere.

2. Build a PersonAttributeDao implementation to inject the attributes at resolvePrincipal time.

The first approach, which is simpler to code, means patching or replacing the Saml10SuccessResponseView as opposed to subclassing it (yes, I know why it's marked final <http://www.jasig.org/cas/public-api>). But if I were to do that, I would rather patch it.

For the second approach, I'd use a MergingPersonAttributeDao with my current PersonAttributeDao and an AdditionalDescriptorsPersonAttributeDao, and then inject a session-scoped proxy AdditionalDescriptors bean into the CredentialToPrincipalResolvers. It's a bit more involved than the first one.

And now, the big question: is there any reason why the attributes attached to the authentication can't be added to the SAML attribute statement? I already have an AuthenticationMetaDataPopulator that adds the attributes to the Authentication, and I concatenate the authentication and principal attributes (although I didn't think about all the implications) in my customized CAS response view.

If I submit a Jira and patch for the first approach, would it be accepted? I'm leaning towards that approach at the moment, but I'd rather not go down that path unless the patch could be added to stock CAS.

Thanks,
Rich

--
Richard J. Renomeron, Project Lead, TCG
