OK, I got the attributes released but now I have one more question.

We don’t have a need for the Services Manager, we only want to release 
attributes to one service. I added a RegexRegisteredService to the 
RegisteredServicesList and this new service has "ignoreAttributes" set to 
"true" (releasing all attributes). I can see in the logs that when I test 
logging into this service, the SAML returned contains the attributes (we have 
to use SAML since the client isn't configurable to use the p3 endpoint).

The problem is that attributes are always returned to *all* services no matter 
what I attempt to use to restrict them. On the default RegisteredService, I 
have set "ignoreAttributes" to "false" and "allowedAttributes" to an empty 
list. I have set a filter to be an impossible regex that doesn't match any 
attributes. I've tried releasing only an innocuous attribute (the uid) which 
the client already gets and isn't a security concern. The logs even show where 
the uid is the only one that matches the filter, but the CAS server releases 
the other attributes anyway.

Are there any examples of restricting all attributes by default, and only 
allowing one service to see the attributes?



Thanks,
Mark
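One way to express the setup asked about above, as an added example that is not part of the thread and not Unicon's or Apereo's own configuration: two RegexRegisteredService entries in the registeredServicesList of deployerConfigContext.xml, using only the properties named in the thread (ignoreAttributes, allowedAttributes) plus evaluationOrder and serviceId from the stock CAS 4.0 catch-all entry. The service URL pattern, bean ids and names are placeholders, and the `p:` and `util:` namespaces are assumed to be declared at the top of the file as in the stock overlay.

```xml
<!-- Added example, not from the thread. Services are matched in ascending
     evaluationOrder and the first serviceId regex that matches wins, so the
     single attribute consumer is listed with the lower number and the
     catch-all with the highest. -->
<util:list id="registeredServicesList">

    <!-- The one client that may see attributes. The serviceId regex is a
         placeholder; replace it with the real service URL pattern.
         ignoreAttributes="true" releases every resolved attribute. -->
    <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="1"
          p:name="Attribute consumer (placeholder)"
          p:description="Only this service receives the LDAP attributes"
          p:serviceId="^https://attribute-consumer\.example\.org/.*"
          p:evaluationOrder="10"
          p:ignoreAttributes="true" />

    <!-- Catch-all for every other service, evaluated last. With
         ignoreAttributes="false" and an empty allowedAttributes list the
         release set for these services is empty. -->
    <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="0"
          p:name="HTTP and IMAP"
          p:description="Allows HTTP(S) and IMAP(S) protocols, releases no attributes"
          p:serviceId="^(https?|imaps?)://.*"
          p:evaluationOrder="10000001"
          p:ignoreAttributes="false">
        <property name="allowedAttributes">
            <list />
        </property>
    </bean>

</util:list>
```

When testing this, check in the DEBUG log which registered service the server reports as matched for each login; if the catch-all is the one matched and attributes still appear in the SAML response, the release policy is not the place to keep looking. The test described in the thread, a filter that matches only uid, is a good way to confirm whether the service's policy is being consulted at all.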


From: Mark McCoy
Reply-To: "[email protected]"
Date: Friday, July 31, 2015 at 10:58 AM
To: "[email protected]"
Subject: Re: [cas-user] CAS 4 (Unicon overlay) with AD plus attributes

OK, I found the solution. It was not obvious. After hunting through mailing 
list posts, I found that the instructions were on the documentation page for 
LDAP authentication all along (the section labeled "PrincipalResolver vs 
AuthenticationHandler"). Unfortunately, the instructions there to set the 
value-ref on the ldap auth handler to "#{null}" don't work. When I do that, I 
get an error:

org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 
'null' is defined

I found an alternative way to do this in another mailing list post.  Commenting 
out the existing <constructor-arg><map></map><entry/></constructor-arg> 
section, this works as long as there is only one handler needed:

<constructor-arg index="0">
    <list value-type="org.jasig.cas.authentication.AuthenticationHandler" >
        <ref local="ldapAuthenticationHandler"/>
    </list>
</constructor-arg>

Luckily, we don't need to use proxy auth and we have a single authentication 
handler, so we can use this. I can now see the attributes available for release:

2015-07-31 09:47:06,884 DEBUG 
[org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Attribute map 
for abc123: {uid=abc123, [email protected], displayName=Mark 
McCoy, employeeID=XXXXXXXX}

Next up is figuring out the release policy.

Thanks,
Mark



--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
