Rich, I'd like to encourage you to open a JIRA for this issue and bring the discussion to the cas-dev list.

Best,
Bill

On Thu, Sep 12, 2013 at 12:10 PM, Rich Renomeron - TCG <[email protected]> wrote:
> I have a set of attributes that are based on Credentials (e.g. an internal
> LOA value based on the credential type, certificate used in X509
> authentication) that I need to have expressed as attributes in the SAML 1.1
> assertion generated by CAS. Using an AuthenticationMetadataPopulator
> approach won't work, since the SAML response won't look at the additional
> attributes, and I can't attach the attributes to the principal, since the
> Attributes map is immutable after resolvePrincipal() is run.
>
> There are two approaches I'm considering to get around this:
>
> 1. Modify the SAML 1.1 response to add the additional authentication attributes
>    to the AttributeStatement, perhaps excluding the authentication method since
>    it appears elsewhere.
> 2. Build a PersonAttributeDao implementation to inject the attributes at
>    resolvePrincipal time.
>
> The first approach, which is simpler to code, means patching or replacing
> the Saml10SuccessResponseView as opposed to subclassing it (yes, I know why
> it's marked final). But if I were to do that, I would rather patch it.
>
> For the second approach, I'd use a MergingPersonAttributeDao with my current
> PersonAttributeDao and an AdditionalDescriptorsPersonAttributeDao, and then
> inject a session-scoped proxy AdditionalDescriptors bean into the
> CredentialToPrincipalResolvers. It's a bit more involved than the first
> one.
>
> And now, the big question: is there any reason why the attributes attached
> to the authentication can't be added to the SAML attribute statement? I
> already have an AuthenticationMetaDataPopulator that adds the attributes to
> the Authentication, and I concatenate the authentication and principal
> attributes (although I didn't think about all the implications) in my
> customized CAS response view. If I submit a Jira and patch for the first
> approach, would it be accepted? I'm leaning towards that approach at the
> moment, but I'd rather not go down that path unless the patch could be
> added to stock CAS.
>
> Thanks,
> Rich
>
> --
> Richard J. Renomeron, Project Lead
> TCG
> Yes, it can be done!
> Tel: (202) 742-8460 | Fax: (202) 986-5532
> Google Talk: [email protected] | AIM: rrenomeronTCG
> OpenPGP Key ID 8CD7CFEB | www.tcg.com
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
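As an added illustration of the first approach discussed in the thread (merging the credential-derived authentication attributes into the SAML 1.1 AttributeStatement while leaving the authentication method out), here is a self-contained Java example. It is not CAS code and not the Saml10SuccessResponseView; it uses plain java.util maps where the view would call Principal.getAttributes() and Authentication.getAttributes(), the subject name, attribute names and values are constructed sample data, and it assumes the http://www.ja-sig.org/products/cas/ AttributeNamespace that the CAS SAML 1.1 view stamps on attributes. The collision check is my own design choice: a key present in both maps is rejected rather than silently overwritten, so that a credential-derived value and a directory-sourced value of the same name cannot shadow each other without anyone noticing.

```java
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Added example, not CAS code: merge authentication attributes into the
 * principal attributes and render them as a SAML 1.1 AttributeStatement.
 */
public class MergedAttributeStatement {

    // SAML 1.1 reuses the 1.0 assertion namespace.
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    // Assumption: the AttributeNamespace the CAS SAML 1.1 view uses.
    private static final String CAS_ATTR_NS = "http://www.ja-sig.org/products/cas/";

    /**
     * Merge authentication attributes into the principal attributes.
     * Keys in 'exclude' (here the authentication method, which already
     * appears in the AuthenticationStatement) are dropped. A key present in
     * both maps is an error, not a silent overwrite.
     */
    public static Map<String, Object> merge(Map<String, Object> principalAttrs,
                                            Map<String, Object> authnAttrs,
                                            Set<String> exclude) {
        Map<String, Object> merged = new LinkedHashMap<String, Object>(principalAttrs);
        for (Map.Entry<String, Object> e : authnAttrs.entrySet()) {
            if (exclude.contains(e.getKey())) {
                continue;
            }
            if (merged.containsKey(e.getKey())) {
                throw new IllegalStateException("attribute collision: " + e.getKey());
            }
            merged.put(e.getKey(), e.getValue());
        }
        return merged;
    }

    /** Render the statement; a Collection value becomes one AttributeValue per element. */
    public static String attributeStatement(String subjectName, Map<String, Object> attrs)
            throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element stmt = doc.createElementNS(SAML_NS, "saml:AttributeStatement");
        stmt.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:saml", SAML_NS);
        doc.appendChild(stmt);

        Element subject = doc.createElementNS(SAML_NS, "saml:Subject");
        Element nameId = doc.createElementNS(SAML_NS, "saml:NameIdentifier");
        nameId.setTextContent(subjectName);
        subject.appendChild(nameId);
        stmt.appendChild(subject);

        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            Element attr = doc.createElementNS(SAML_NS, "saml:Attribute");
            attr.setAttribute("AttributeName", e.getKey());
            attr.setAttribute("AttributeNamespace", CAS_ATTR_NS);
            Collection<?> values = e.getValue() instanceof Collection
                    ? (Collection<?>) e.getValue()
                    : Collections.singletonList(e.getValue());
            for (Object v : values) {
                Element val = doc.createElementNS(SAML_NS, "saml:AttributeValue");
                val.setTextContent(String.valueOf(v)); // text node, escaped on serialization
                attr.appendChild(val);
            }
            stmt.appendChild(attr);
        }

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for Principal.getAttributes()
        // and Authentication.getAttributes().
        Map<String, Object> principal = new LinkedHashMap<String, Object>();
        principal.put("mail", "user@example.org");
        principal.put("memberOf", Arrays.asList("staff", "admins"));

        Map<String, Object> authn = new LinkedHashMap<String, Object>();
        authn.put("authenticationMethod", "X509"); // excluded below
        authn.put("loa", "3");
        authn.put("certSerial", "0A1B2C");

        Set<String> exclude = new HashSet<String>(Collections.singleton("authenticationMethod"));
        System.out.println(attributeStatement("user", merge(principal, authn, exclude)));
    }
}
```

Running main prints one saml:AttributeStatement with mail, memberOf (two AttributeValue children), loa and certSerial; the authentication method is left out, and renaming the sample "loa" key in either map to collide with the other makes merge throw instead of producing an assertion whose attribute source is ambiguous.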
