Re: [cas-user] User Attributes for SAML 2.0

2018-11-17 Thread Willian Gonzales
David,

I really want to thank you for helping me on this.
I've finally managed to retrieve a multi-valued attribute. Just like you 
said, the component responsible for releasing attributes to CAS is the 
Authentication Handler, in my case Active Directory. So what I did was 
create a custom attribute "awsRoles" in Active Directory that supports 
multiple values. Then I configured CAS to release the attribute and used my 
JSON like this:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 1003,
  "description" : "SSO AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "awsRoles" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3" : "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}

Here is my SAML Response after auth.

<Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
           Name="https://aws.amazon.com/SAML/Attributes/Role"
           NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  <AttributeValue>arn:aws:iam::account-id:role/role-name,arn:aws:iam::account-id:saml-provider/idp_name</AttributeValue>
  <AttributeValue>arn:aws:iam::account-id:role/role_name,arn:aws:iam::account-id:saml-provider/idp_name</AttributeValue>
</Attribute>


I'm sorry to bother you with this, but thank you for your help showing me 
the way.

Have a nice weekend

Willian

On Friday, November 16, 2018 at 17:57:40 UTC-2, David Curry wrote:
>
> Well, I also said we don't do that here, so I don't actually know how to 
> do it, just that I think you can. :-)
>
> But seriously, I believe it depends on what you're using for an attribute 
> repository. And I'm not sure whether it's going to give you what you want:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> or if it's going to give you something more like
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> You might have to write a custom resolver or something (I'm not the one to 
> help you with that).
>
> Maybe someone else could weigh in here and give Willian some better 
> information?
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu 
>
>
> On Fri, Nov 16, 2018 at 12:10 PM Willian Gonzales wrote:
>
>> David,
>>
>> What I want is to log in to multiple AWS accounts using SAML2. I've 
>> managed to log in to only one account. But to log in to multiple accounts 
>> you have to send the response like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> Right now I'm sending only one value in the AttributeValue, like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> I need to send multiple values so I can choose which account I want to log 
>> in to. You said that there's a way to return a multi-valued attribute; can 
>> you show me how to return a multi-valued attribute?
>>
>> Thank You!
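The whole thread turns on the difference between one Role attribute carrying several AttributeValue elements (what AWS consumes, and what Willian's final "awsRoles" setup produces) and one AttributeValue with every pair run together. The script below is an added example, not code from the thread or from CAS: it parses a SAML assertion (the two sample assertions, account IDs and names are constructed here), pulls the AWS Role attribute, and checks that each value is exactly one IAM role ARN plus one SAML provider ARN from the same account, the format shown in the SAML response above. Pointing it at an assertion captured from a test login is a quick way to confirm the IdP is emitting the multi-valued shape before users are told to try it.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# IAM ARN: arn:aws:iam::<12-digit account>:<role|saml-provider>/<name>.
# Commas are deliberately excluded from the name class, since each value is
# split on commas before matching.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")

# Constructed sample: the shape the thread ends up with, one <AttributeValue>
# per "role-arn,provider-arn" pair (account IDs and names are made up).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/cas</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:role/ReadOnly,arn:aws:iam::222222222222:saml-provider/cas</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of the other shape David described: every pair joined
# into a single value, so a relying party cannot tell where one pair ends.
BAD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/cas,arn:aws:iam::222222222222:role/ReadOnly,arn:aws:iam::222222222222:saml-provider/cas</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_values(assertion_xml):
    """Return the text of every AttributeValue under the AWS Role attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == ROLE_ATTR:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def parse_role_pair(value):
    """Validate one AttributeValue as exactly one IAM role ARN plus one
    SAML provider ARN in the same account. Returns (role_arn, provider_arn)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 2 comma-separated ARNs, found {len(parts)}")
    by_type = {}
    for part in parts:
        m = ARN_RE.match(part)
        if not m:
            raise ValueError(f"not an IAM role/saml-provider ARN: {part!r}")
        by_type[m.group(2)] = (part, m.group(1))
    if set(by_type) != {"role", "saml-provider"}:
        raise ValueError("value must contain one role ARN and one saml-provider ARN")
    (role_arn, role_acct), (prov_arn, prov_acct) = by_type["role"], by_type["saml-provider"]
    if role_acct != prov_acct:
        raise ValueError(f"role account {role_acct} != provider account {prov_acct}")
    return role_arn, prov_arn


def check_assertion(assertion_xml):
    """Return (valid_pairs, errors) for the Role attribute of an assertion."""
    pairs, errors = [], []
    for value in role_values(assertion_xml):
        try:
            pairs.append(parse_role_pair(value))
        except ValueError as exc:
            errors.append(f"{value!r}: {exc}")
    return pairs, errors


if __name__ == "__main__":
    for label, xml in (("multi-valued", GOOD_ASSERTION), ("comma-joined", BAD_ASSERTION)):
        pairs, errors = check_assertion(xml)
        print(f"{label}: {len(pairs)} valid role pair(s), {len(errors)} error(s)")
        for err in errors:
            print("  ", err)
```

The order of the two ARNs inside a value is not enforced; the check classifies each ARN by its resource type instead, so it accepts either order but rejects values with the wrong number of ARNs or a role and provider from different accounts.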

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
David,

What I want is to log in to multiple AWS accounts using SAML2. I've 
managed to log in to only one account. But to log in to multiple accounts 
you have to send the response like this:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>

Right now I'm sending only one value in the AttributeValue, like this:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
</Attribute>

I need to send multiple values so I can choose which account I want to log 
in to. You said that there's a way to return a multi-valued attribute; can 
you show me how to return a multi-valued attribute?

Thank You!




On Friday, November 16, 2018 at 14:39:26 UTC-2, David Curry wrote:
>
> The "ReturnMappedAttributeReleasePolicy" is not a method for returning 
> attribute values, it's a method for changing the name of an attribute when 
> you release it.
>
> For example, suppose you have an application that wants you to give it an 
> attribute called "LastName". But your Active Directory, of course, keeps 
> the last name in an attribute called "sn". So, in the service registry for 
> that service, you would specify something like this:
>
> ...
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "sn" : "LastName",
>       "givenName" : "givenName",
>       "cn" : "cn"
>     }
>   },
> ...
>
>
> This says you're going to get the values of the cn, givenName, and sn 
> values from your attribute repository (Active Directory or whatever), and 
> send them over to the client. BUT, when you do that, you're going to call 
> them cn, givenName, and LastName instead. So for me, the client might get 
> something like:
>
> cn=curryd, givenName=David, LastName=Curry
>
>
> (in whatever format the protocol it's speaking with the CAS server 
> provides that information).
>
> So what you're specifying there, is that you're going to send four 
> attributes back to AWS: description, extensionAttribute1, 
> extensionAttribute2, and extensionAttribute3. But when you send them back, 
> you're going to call them by those 3 URLs and "SessionDuration". So AWS is 
> going to get something like:
>
> https://aws.amazon.com/SAML/Attributes/Role=<description value>,
> https://aws.amazon.com/SAML/Attributes/Role=<extensionAttribute1 value>,
> https://aws.amazon.com/SAML/Attributes/RoleSessionName=<extensionAttribute2 value>,
> SessionDuration=<extensionAttribute3 value>
>
>
> (again, in whatever format the protocol CAS is speaking with AWS 
> specifies) which, I presume, is not what you want. :-)
>
> I believe there is a way to release the same attribute value with more 
> than one name, but I don't use it myself, so I don't know the details of 
> what version that functionality was added in, or how it's actually 
> configured.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu 
>
>
> On Fri, Nov 16, 2018 at 11:01 AM Willian Gonzales wrote:
>
>> David,
>>
>> I'm using Json Service Registry.
>> You're telling me that what's responsible for multi-valued attributes is 
>> not the service registry but the repository I'm using (in my case Active 
>> Directory)?
>>
>> So, let me show you the example I'm using.
>>
>> I need to map a multi-valued attribute for the attribute 
>> "https://aws.amazon.com/SAML/Attributes/Role"
>>
>> Here is an example of my JSON.
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "urn:amazon:webservices",
>>   "name" : "AWS",
>>   "id" : 1003,
>>   "description" : "CAS AWS",
>>   "signAssertions" : true,
>>   "signResponses" : true,
>>   "metadat

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
David,

I'm using Json Service Registry.
You're telling me that what's responsible for multi-valued attributes is 
not the service registry but the repository I'm using (in my case Active 
Directory)?

So, let me show you the example I'm using.

I need to map a multi-valued attribute for the attribute 
"https://aws.amazon.com/SAML/Attributes/Role"

Here is an example of my JSON.

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 1003,
  "description" : "CAS AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "description" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3" : "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}


What I need is to use the values of "description" and "extensionAttribute1" 
in the same attribute, in this case 
"https://aws.amazon.com/SAML/Attributes/Role"

I've tried to use the attribute repository, but it still returns only one value.

Here's my .prop file:

cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=will...@shoracius.com.br
cas.authn.ldap[0].bindCredential=Teste@123
cas.authn.ldap[0].dnFormat=%s...@shoracius.com.br
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=unicodePwd
cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
cas.authn.ldap[0].failFast=false
cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
cas.authn.attributeRepository.ldap[0].bindDn=will...@shoracius.com.br
cas.authn.attributeRepository.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.attributeRepository.ldap[0].useSsl=false
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].name=AD
cas.authn.attributeRepository.expirationTime=30
cas.authn.attributeRepository.expirationTimeUnit=MINUTES
cas.authn.attributeRepository.maximumCacheSize=1
cas.authn.attributeRepository.merger=MERGE
cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
# cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
# cas.authn.attributeRepository.ldap[0].attributes.cn=commonName 

Can you help me on this quest?

I'm from Brazil, so I'm sorry about my English or anything.

Thanks in advance, and I appreciate your help.


On Friday, November 16, 2018 at 13:26:22 UTC-2, David Curry wrote:
>
> Since I'm the only "David" I see in this thread I assume you're asking 
> me... but I'm not sure I understand the question. Where are you putting the 
> JSON that you're expecting CAS to consume it and then spit it out in a SAML 
> response?
>
> Normally, CAS will get the attributes from whatever repositories you 
> configure it to use, and take care of putting them into the response 
> itself; you don't have to specify any JSON. As far as I know, multi-valued 
> attributes should work just fine with that.
>
> The JSON I provided back earlier in this thread was in a service registry 
> definition to show how to rename attributes, not provide their values.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu 
>
>
> On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales wrote:
>
>> Hi David!
>>
>> I'm praying that you see my question now because I really need your help.
>> I want to thank you because you really helped me by showing the .json 
>> configuration.
>> But i need some
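David's point in this exchange is that ReturnMappedAttributeReleasePolicy only renames attributes, so mapping two source attributes ("description" and "extensionAttribute1") to the same released name cannot merge their values, while one multi-valued source attribute ("awsRoles", the approach Willian ends up with) is released with all its values. The script below is an added example, not CAS code: a simplified model of that policy, in which allowedAttributes is walked in sorted key order (mirroring the java.util.TreeMap in the JSON) and a later mapping to an already released name replaces the earlier one. That last-write-wins rule is an assumption chosen to reproduce the "still returns only one value" symptom reported in the thread, not a statement about CAS internals. The principal attribute values are constructed. The lint_mapping helper is the check to run over a service definition before deploying it: any released name claimed by more than one source attribute is a collision.

```python
# Added example, not CAS code. ROLE and ROLE_SESSION_NAME are the released
# attribute names from the thread's service definition.
ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def release_mapped(principal_attrs, allowed_attributes):
    """Simplified model of a rename-only release policy.

    principal_attrs:    {source_attribute: [value, ...]} as resolved by the
                        authentication handler / attribute repository
    allowed_attributes: {source_attribute: released_name}; iterated in sorted
                        key order to mirror the java.util.TreeMap in the JSON
    Returns (released, collisions): the released {name: [values]} map and a
    list of (source, released_name) pairs whose values displaced an earlier
    source that had already claimed the same released name.
    """
    released = {}
    collisions = []
    for source in sorted(allowed_attributes):
        target = allowed_attributes[source]
        values = principal_attrs.get(source)
        if not values:
            continue  # attributes the principal lacks are simply not released
        if target in released:
            collisions.append((source, target))
        released[target] = list(values)  # assumption: last write wins
    return released, collisions


def lint_mapping(allowed_attributes):
    """Return {released_name: [sources]} for every released name that more
    than one source attribute maps to; empty means no collisions."""
    seen = {}
    for source, target in allowed_attributes.items():
        seen.setdefault(target, []).append(source)
    return {target: sources for target, sources in seen.items() if len(sources) > 1}


# Constructed principal, using the AD attribute names from the thread.
PRINCIPAL_BEFORE = {
    "description": ["arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/cas"],
    "extensionAttribute1": ["arn:aws:iam::222222222222:role/ReadOnly,arn:aws:iam::222222222222:saml-provider/cas"],
    "extensionAttribute2": ["wgonzales"],
    "extensionAttribute3": ["3600"],
}

# The mapping from Willian's first JSON: two sources -> one released name.
MAPPING_BEFORE = {
    "description": ROLE,
    "extensionAttribute1": ROLE,
    "extensionAttribute2": ROLE_SESSION_NAME,
    "extensionAttribute3": "SessionDuration",
}

# The working configuration: one multi-valued AD attribute, mapped once.
PRINCIPAL_AFTER = {
    "awsRoles": PRINCIPAL_BEFORE["description"] + PRINCIPAL_BEFORE["extensionAttribute1"],
    "extensionAttribute2": ["wgonzales"],
    "extensionAttribute3": ["3600"],
}
MAPPING_AFTER = {
    "awsRoles": ROLE,
    "extensionAttribute2": ROLE_SESSION_NAME,
    "extensionAttribute3": "SessionDuration",
}


if __name__ == "__main__":
    for label, principal, mapping in (("before", PRINCIPAL_BEFORE, MAPPING_BEFORE),
                                      ("after", PRINCIPAL_AFTER, MAPPING_AFTER)):
        released, collisions = release_mapped(principal, mapping)
        print(f"{label}: Role values released = {len(released.get(ROLE, []))}, "
              f"collisions = {collisions}, lint = {lint_mapping(mapping)}")
```

Under this model the "before" mapping releases only extensionAttribute1's value as the Role attribute and reports one collision, while the "after" mapping releases both role pairs and lint_mapping is empty.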

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
Hi David!

I'm praying that you see my question now because I really need your help.
I want to thank you because you really helped me by showing the .json 
configuration.
But I need some help on this.

How do I manage to do a multi-valued attribute in JSON?
I need the SAML response to be like this:

<AttributeValue>1</AttributeValue>
<AttributeValue>2</AttributeValue>
<AttributeValue>3</AttributeValue>

Can you help me on this, man?

Regards

On Wednesday, May 16, 2018 at 11:49:10 UTC-3, David Curry wrote:
>
>
>
> Here's a JSON definition for an Apache HTTPD with the Shibboleth 
> mod_shib/shibd plug-in:
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>   "name" : "Apache Secured By SAML",
>   "id" : 1509030300,
>   "description" : "CAS development Apache mod_shib/shibd server with 
> username/password protection",
>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "cn" : "urn:oid:2.5.4.3",
>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>       "givenName" : "urn:oid:2.5.4.42",
>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>       "role" : "urn:newschool:attribute-def:role",
>       "sn" : "urn:oid:2.5.4.4",
>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>       "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER"
>     }
>   },
>   "evaluationOrder" : 1125
> }
>
> But if your SP doesn't care about the funky notation, you can just do it 
> the "regular" way... here's a definition for a test SP created via RSA's 
> free IAMShowcase site (this is a cut-down copy of the entire registry entry 
> to show the part you're interested in):
>
> {
>   "serviceId": "IAMShowcase",
>   "name": "RSA SAML Test Service Provider",
>   "theme": null,
>   "informationUrl": null,
>   "privacyUrl": null,
>   "id": 1202469081,
>   "description": "The URL for the SP that talks to this service is 
> https://sptest.iamshowcase.com/ixs?idp=",
>   "evaluationOrder": -1,
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes": [
>       "displayName",
>       "givenName",
>       "sn",
>       "uid"
>     ]
>   }
> }
>
>
> --Dave
>
>
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
>
> On Wed, May 16, 2018 at 9:07 AM, John D Giotta wrote:
>
>> Do you have an example of this?
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b357bdfc-3d90-471a-88df-fb1507cd59fb%40apereo.org.