Anyone? Is there perhaps a more useful way to frame my query?
Specifically, I'm trying to ensure that REMOTE_USER is set to the
actual username credential that was used to authenticate to CAS.
More generally, it would be useful to have a better understanding
of what gets mapped to REMOTE_USER and how to configure such.
Aloha,
-baron
On Wed, Nov 13, 2013 at 05:34:10PM -1000, Baron Fujimoto wrote:
>I'm trying to debug/resolve an issue we recently encountered.
>
>Our setup is as follows:
>
>- We authenticate Google Apps using SSO via the Shibboleth IdP. [1]
>- Our Shib IdP authenticates using CAS using RemoteUser. [2]
>- Our CAS authenticates against and obtains attributes from LDAP.
>
>The issue we've encountered is that we have a few users with more than one
>uid attribute in their LDAP entries (let's say their values are "u1" and
>"u2"). Google wants the principal to identify their user, and per the
>Shibboleth-CAS+Integration docs referenced below, appears to be getting
>it via REMOTE_USER. The problem is that when the user authenticates as u2,
>it looks like REMOTE_USER is being set to u1 instead of u2.
>
>I think this is the relevant(?) config snippet from
>deployerConfigContext.xml
>
><bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
>    <!-- The Principal resolver from the credentials -->
>    <property name="credentialsToPrincipalResolver">
>        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>    </property>
>
>    <!--
>        The query made to find the Principal ID.
>        "%u" will be replaced by the resolved Principal
>    -->
>    <property name="filter" value="(uid=%u)" />
>
>    <!-- The attribute used to define the new Principal ID -->
>    <property name="principalAttributeName" value="uid" />
>    <property name="searchBase" value="${ldap.searchBase}" />
>    <property name="contextSource" ref="contextSource" />
>
>    <property name="attributeRepository">
>        <ref bean="attributeRepository" />
>    </property>
></bean>
>
>Is there a way of keeping the username/credential that was used to
>authenticate as the principal, or otherwise have that mapped to
>REMOTE_USER?
>
>Any help would be appreciated, even if it's just RTFM if you can point me
>to some appropriate FM.
>
>[1] <https://developers.google.com/google-apps/help/articles/shibboleth2.0>
>[2] <https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration>
>
--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
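An added illustration, not CAS project code, of the mapping the thread is about: the quoted resolver chain takes the entered username, searches with `(uid=%u)`, then reads `principalAttributeName="uid"` as a single value, so a multi-valued uid yields the directory's first value regardless of which one was typed. The directory entries are constructed sample data and the Python functions are hypothetical; the second resolver keeps the uid value the user actually authenticated with, and the audit helper lists logins whose REMOTE_USER would not match the credential used.

```python
# Added illustration (not CAS code): models the quoted
# CredentialsToLDAPAttributePrincipalResolver chain and an alternative that
# preserves the authenticated uid value. DIRECTORY is constructed sample
# data; all function names are hypothetical.

# Constructed LDAP entries: uid is multi-valued for the second user.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=edu", "uid": ["alice"]},
    {"dn": "uid=u1,ou=people,dc=example,dc=edu", "uid": ["u1", "u2"]},
]


def ldap_search(username):
    """Emulates filter="(uid=%u)". uid uses caseIgnoreMatch in LDAP, so
    any value of a multi-valued uid matches the entered username."""
    hits = [e for e in DIRECTORY
            if username.lower() in (v.lower() for v in e["uid"])]
    if len(hits) != 1:
        raise LookupError("expected exactly one entry for %r" % username)
    return hits[0]


def resolve_first_value(username):
    """The behaviour the post describes: principalAttributeName="uid"
    is read as one value, i.e. whatever the directory returns first."""
    entry = ldap_search(username)
    return entry["uid"][0]


def resolve_authenticated_value(username):
    """Alternative: return the uid value that equals the credential used
    (taken from the entry, so it carries the directory's casing) and
    refuse to substitute a sibling value silently."""
    entry = ldap_search(username)
    for value in entry["uid"]:
        if value.lower() == username.lower():
            return value
    raise ValueError("no uid value matches the credential %r" % username)


def audit_principal_mapping(usernames):
    """Defender's check: logins whose REMOTE_USER would differ from the
    credential that was used, i.e. candidates for identity mix-ups."""
    return [(u, resolve_first_value(u)) for u in usernames
            if resolve_first_value(u).lower() != u.lower()]


if __name__ == "__main__":
    print(resolve_first_value("u2"))                      # u1 (the reported problem)
    print(resolve_authenticated_value("u2"))              # u2
    print(audit_principal_mapping(["alice", "u1", "u2"]))  # [('u2', 'u1')]
```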