I'm trying to debug/resolve an issue we recently encountered. 

Our setup is as follows:

- We authenticate Google Apps using SSO via the Shibboleth IdP. [1]
- Our Shib IdP authenticates using CAS using RemoteUser. [2]
- Our CAS authenticates against and obtains attributes from LDAP.

The issue we've encountered is that we have a few users with more than one
uid attribute in their LDAP entries (let's say their values are "u1" and
"u2"). Google wants the principal to identify their user, and per the
Shibboleth-CAS+Integration docs referenced below, appears to be getting
it via REMOTE_USER. The problem is that when the user authenticates as u2,
it looks like REMOTE_USER is being set to u1 instead of u2.

I think this is the relevant(?) config snippet from
deployerConfigContext.xml

<bean
    class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
    <!-- The Principal resolver from the credentials -->
    <property name="credentialsToPrincipalResolver">
        <bean
            class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
    </property>

    <!--
    The query made to find the Principal ID.
    "%u" will be replaced by the resolved Principal
    -->
    <property name="filter" value="(uid=%u)" />

    <!-- The attribute used to define the new Principal ID -->
    <property name="principalAttributeName" value="uid" />
    <property name="searchBase" value="${ldap.searchBase}" />
    <property name="contextSource" ref="contextSource" />

    <property name="attributeRepository">
        <ref bean="attributeRepository" />
    </property>
</bean>

Is there a way of keeping the username/credential that was used to
authenticate as the principal, or otherwise having that mapped to
REMOTE_USER?

Any help would be appreciated, even if it's just RTFM if you can point me
to some appropriate FM.

[1] <https://developers.google.com/google-apps/help/articles/shibboleth2.0>
[2] <https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration>

-- 
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
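To make the failure mode in the question concrete, here is an added Python simulation (not CAS or Shibboleth code; the in-memory directory, entry names and function names are constructed for illustration): it mirrors the resolver's first-value behaviour on a multi-valued uid, shows a variant that keeps the credential the user actually authenticated with, and includes an audit helper that lists entries with more than one uid.

```python
"""Simulate CAS's CredentialsToLDAPAttributePrincipalResolver on a multi-valued
attribute. Added example, not CAS or Shibboleth code; the directory below and
all helper names are constructed for illustration."""

# Constructed sample directory: one user with a single uid, one with two.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=edu", "uid": ["alice"]},
    {"dn": "uid=u1,ou=people,dc=example,dc=edu", "uid": ["u1", "u2"]},
]


def ldap_search(filter_attr, value):
    """Minimal stand-in for an equality filter such as (uid=%u)."""
    return [e for e in DIRECTORY if value in e.get(filter_attr, [])]


def resolve_first_value(authenticated_id, filter_attr="uid", principal_attr="uid"):
    """Mirrors the posted config: search (uid=%u), then take the value of
    principalAttributeName. With a multi-valued attribute the first value
    wins, regardless of which value the user typed at login."""
    hits = ldap_search(filter_attr, authenticated_id)
    if len(hits) != 1:
        return None  # no match or ambiguous match: do not guess a principal
    values = hits[0].get(principal_attr, [])
    return values[0] if values else None


def resolve_keep_credential(authenticated_id, filter_attr="uid", principal_attr="uid"):
    """Hardened variant: if the principal attribute contains the credential
    that was actually authenticated, keep that value instead of an arbitrary
    sibling; fall back to the single value when there is only one; refuse
    when the attribute is multi-valued and none of the values match."""
    hits = ldap_search(filter_attr, authenticated_id)
    if len(hits) != 1:
        return None
    values = hits[0].get(principal_attr, [])
    if authenticated_id in values:
        return authenticated_id
    if len(values) == 1:
        return values[0]
    return None  # multi-valued and no value matches the credential


def find_multivalued(attr="uid"):
    """Audit helper: DNs whose principal attribute has more than one value,
    i.e. the entries on which the first-value behaviour can misidentify a user."""
    return [e["dn"] for e in DIRECTORY if len(e.get(attr, [])) > 1]
```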

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user