Re: [cas-user] User Attributes for SAML 2.0

2018-11-17 Thread Willian Gonzales
David,

I really want to thank you for helping me with this.
I've finally managed to retrieve a multi-valued attribute. Just like you
said, the component responsible for releasing attributes to CAS is the
authentication handler, in my case Active Directory. So what I did was
create a custom attribute "awsRoles" on Active Directory that supports
multiple values. Then I configured CAS to release the attribute and used my
JSON like this:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 1003,
  "description" : "SSO AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "awsRoles" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3" : "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}

Here is my SAML response after authentication:

<Attribute FriendlyName="https://aws.amazon.com/SAML/Attributes/Role"
    Name="https://aws.amazon.com/SAML/Attributes/Role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  <AttributeValue>arn:aws:iam::account-id:role/role-name,arn:aws:iam::account-id:saml-provider/idp_name</AttributeValue>
  <AttributeValue>arn:aws:iam::account-id:role/role_name,arn:aws:iam::account-id:saml-provider/idp_name</AttributeValue>
</Attribute>

I'm sorry to bother you with this, but thank you for your help in showing me
the way.

Have a nice weekend

Willian

On Friday, November 16, 2018 at 17:57:40 UTC-2, David Curry wrote:
>
> Well, I also said we don't do that here, so I don't actually know how to 
> do it, just that I think you can. :-)
>
> But seriously, I believe it depends on what you're using for an attribute 
> repository. And I'm not sure whether it's going to give you what you want:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> or if it's going to give you something more like
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> You might have to write a custom resolver or something (I'm not the one to 
> help you with that).
>
> Maybe someone else could weigh in here and give Willian some better 
> information?
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu 
>
>
> On Fri, Nov 16, 2018 at 12:10 PM Willian Gonzales  > wrote:
>
>> David,
>>
>> What I want is to log in to multiple AWS accounts using SAML2. I've 
>> managed to log in to only one account. But to log in to multiple accounts 
>> you have to send the response like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> Right now I'm sending only one value in the AttributeValue, like this:
>>
>> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>> </Attribute>
>>
>> I need to send multiple values so I can choose which account I want to log 
>> in to. You said that there's a way to return a multi-valued attribute; can 
>> you show me how to return a multi-valued attribute?
>>
>> Thank You!
>>
>>
>>
>>
>> On Friday, November 16, 2018 at 14:39:26 UTC-2, David Curry wrote:
>>>
>>> The "ReturnMappedAttributeReleasePolicy" is not a method for returning 
>>> attribute values, it's a method for changing the name of an attribute when 
>>> you release it.
>>>
>>> For example, suppose you have an application that wants you to give it 
>>> an attribute called "LastName". But your Active Directory, of course, keeps 
>>> the last name in an attribute called "sn". So, in the service registry for 
>>> that service, you would specify something like this:
>>>
>>> ...
>>>  "attributeRelease
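The resolution above (a multi-valued AD attribute mapped by ReturnMappedAttributeReleasePolicy to the AWS Role name) and David's explanation further down of what that policy does (rename on release, not supply values) can be tied together with one check: AWS needs one AttributeValue per "role ARN,provider ARN" pair, not a single value with every pair joined by commas. The following is an added example, not code from the thread or from CAS: it simulates the rename-on-release step over constructed principal attributes, renders the AttributeStatement with the standard library, then parses it back and validates each Role value. The sample ARNs and account ids, the helper names, the attrname-format:uri NameFormat and the merge behaviour for two sources mapped to one target are assumptions of the example, not CAS semantics.

```python
"""Added example (not from the thread or from CAS): simulate CAS's
ReturnMappedAttributeReleasePolicy rename step over multi-valued principal
attributes, render a SAML AttributeStatement, and check that the AWS Role
attribute is one <AttributeValue> per "role ARN,provider ARN" pair."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample of what the AD authentication handler would hand to CAS;
# "awsRoles" is the custom multi-valued AD attribute from the thread.
# Account ids and role names are made up for the example.
PRINCIPAL = {
    "sAMAccountName": "wgonzales",
    "awsRoles": [
        "arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/cas",
        "arn:aws:iam::222222222222:role/ReadOnly,arn:aws:iam::222222222222:saml-provider/cas",
    ],
    "extensionAttribute2": "wgonzales",
    "extensionAttribute3": "3600",
}

# The "allowedAttributes" map from the registry JSON: source name -> released name.
ALLOWED = {
    "awsRoles": AWS_ROLE,
    "extensionAttribute2": AWS_SESSION_NAME,
    "extensionAttribute3": "SessionDuration",
}


def release_mapped(principal_attrs, allowed):
    """Rename-on-release: keep only mapped attributes, under their target names.
    Values stay lists, so a multi-valued source stays multi-valued. Merging two
    sources that map to one target is this example's choice, not CAS semantics."""
    released = {}
    for source, target in allowed.items():
        values = principal_attrs.get(source)
        if values is None:
            continue
        if isinstance(values, str):
            values = [values]
        released.setdefault(target, []).extend(values)
    return released


def build_attribute_statement(released):
    """Render the released attributes as a saml2:AttributeStatement string."""
    ET.register_namespace("saml2", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in released.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=name, NameFormat=URI_FORMAT)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def _account(arn):
    # arn:partition:service:region:account:resource -> field 4 is the account id
    fields = arn.split(":")
    return fields[4] if len(fields) >= 6 else None


def check_aws_roles(xml_text):
    """Parse an AttributeStatement and validate the AWS Role attribute.
    Returns (ok, [(role_arn, provider_arn), ...], [problem, ...])."""
    root = ET.fromstring(xml_text)
    pairs, problems, seen = [], [], 0
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != AWS_ROLE:
            continue
        for node in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            seen += 1
            text = (node.text or "").strip()
            parts = text.split(",")
            if len(parts) != 2:
                # The "joined" form: every pair crammed into one value.
                problems.append(f"value {text!r} has {len(parts)} ARNs; expected a role,provider pair")
                continue
            role, provider = parts
            well_formed = True
            if not (role.startswith("arn:aws:iam::") and ":role/" in role):
                problems.append(f"not a role ARN: {role!r}")
                well_formed = False
            if not (provider.startswith("arn:aws:iam::") and ":saml-provider/" in provider):
                problems.append(f"not a saml-provider ARN: {provider!r}")
                well_formed = False
            if well_formed and _account(role) != _account(provider):
                problems.append(f"account mismatch in {text!r}")
            elif well_formed:
                pairs.append((role, provider))
    if seen == 0:
        problems.append("no AWS Role attribute values found")
    return not problems, pairs, problems


if __name__ == "__main__":
    xml_text = build_attribute_statement(release_mapped(PRINCIPAL, ALLOWED))
    print(xml_text)
    print(check_aws_roles(xml_text))
```

Run it against the XML you actually capture from the CAS response (paste the AttributeStatement into check_aws_roles) to confirm which of the two shapes David asked about your deployment produces; the joined form is reported as a single value carrying four ARNs.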

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
Well, I also said we don't do that here, so I don't actually know how to do
it, just that I think you can. :-)

But seriously, I believe it depends on what you're using for an attribute
repository. And I'm not sure whether it's going to give you what you want:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>

or if it's going to give you something more like

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM,ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM,ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>


You might have to write a custom resolver or something (I'm not the one to
help you with that).

Maybe someone else could weigh in here and give Willian some better
information?

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Nov 16, 2018 at 12:10 PM Willian Gonzales 
wrote:

> David,
>
> What I want is to log in to multiple AWS accounts using SAML2. I've
> managed to log in to only one account. But to log in to multiple accounts
> you have to send the response like this:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
>   <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> Right now I'm sending only one value in the AttributeValue, like this:
>
> <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
>   <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
> </Attribute>
>
> I need to send multiple values so I can choose which account I want to log
> in to. You said that there's a way to return a multi-valued attribute; can
> you show me how to return a multi-valued attribute?
>
> Thank You!
>
>
>
>
> On Friday, November 16, 2018 at 14:39:26 UTC-2, David Curry wrote:
>>
>> The "ReturnMappedAttributeReleasePolicy" is not a method for returning
>> attribute values, it's a method for changing the name of an attribute when
>> you release it.
>>
>> For example, suppose you have an application that wants you to give it an
>> attribute called "LastName". But your Active Directory, of course, keeps
>> the last name in an attribute called "sn". So, in the service registry for
>> that service, you would specify something like this:
>>
>> ...
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>     "allowedAttributes" : {
>>       "@class" : "java.util.TreeMap",
>>       "sn" : "LastName",
>>       "givenName" : "givenName",
>>       "cn" : "cn"
>>     }
>>   },
>> ...
>>
>>
>> This says you're going to get the values of the cn, givenName, and sn
>> values from your attribute repository (Active Directory or whatever), and
>> send them over to the client. BUT, when you do that, you're going to call
>> them cn, givenName, and LastName instead. So for me, the client might get
>> something like:
>>
>> cn=curryd, givenName=David, LastName=Curry
>>
>>
>> (in whatever format the protocol it's speaking with the CAS server
>> provides that information).
>>
>> So what you're specifying there, is that you're going to send four
>> attributes back to AWS: description, extensionAttribute1,
>> extensionAttribute2, and extensionAttribute3. But when you send them back,
>> you're going to call them by those 3 URLs and "SessionDuration". So AWS is
>> going to get something like:
>>
>> https://aws.amazon.com/SAML/Attributes/Role=<description value>,
>> https://aws.amazon.com/SAML/Attributes/Role=<extensionAttribute1 value>,
>> https://aws.amazon.com/SAML/Attributes/RoleSessionName=<extensionAttribute2 value>,SessionDuration=<extensionAttribute3 value>
>>
>>
>> (again, in whatever format the protocol CAS is speaking with AWS
>> specifies) which, I presume, is not what you want. :-)
>>
>> I believe there is a way to release the same attribute value with more
>> than one name, but I don't use it myself, so I don't know the details of
>> what version that functionality was added in, or how it's actually
>> configured.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
David,

What I want is to log in to multiple AWS accounts using SAML2. I've 
managed to log in to only one account. But to log in to multiple accounts 
you have to send the response like this:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT2_AWS_SSO_ROLE,ACCOUNT2_AWS_SSO_IAM</AttributeValue>
  <AttributeValue>ACCOUNT3_AWS_SSO_ROLE,ACCOUNT3_AWS_SSO_IAM</AttributeValue>
</Attribute>

Right now I'm sending only one value in the AttributeValue, like this:

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>ACCOUNT1_AWS_SSO_ROLE,ACCOUNT1_AWS_SSO_IAM</AttributeValue>
</Attribute>

I need to send multiple values so I can choose which account I want to log 
in to. You said that there's a way to return a multi-valued attribute; can 
you show me how to return a multi-valued attribute?

Thank You!




On Friday, November 16, 2018 at 14:39:26 UTC-2, David Curry wrote:
>
> The "ReturnMappedAttributeReleasePolicy" is not a method for returning 
> attribute values, it's a method for changing the name of an attribute when 
> you release it.
>
> For example, suppose you have an application that wants you to give it an 
> attribute called "LastName". But your Active Directory, of course, keeps 
> the last name in an attribute called "sn". So, in the service registry for 
> that service, you would specify something like this:
>
> ...
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "sn" : "LastName",
>       "givenName" : "givenName",
>       "cn" : "cn"
>     }
>   },
> ...  
>
>
> This says you're going to get the values of the cn, givenName, and sn 
> values from your attribute repository (Active Directory or whatever), and 
> send them over to the client. BUT, when you do that, you're going to call 
> them cn, givenName, and LastName instead. So for me, the client might get 
> something like:
>
> cn=curryd, givenName=David, LastName=Curry
>
>
> (in whatever format the protocol it's speaking with the CAS server 
> provides that information).
>
> So what you're specifying there, is that you're going to send four 
> attributes back to AWS: description, extensionAttribute1, 
> extensionAttribute2, and extensionAttribute3. But when you send them back, 
> you're going to call them by those 3 URLs and "SessionDuration". So AWS is 
> going to get something like:
>
> https://aws.amazon.com/SAML/Attributes/Role=<description value>,
> https://aws.amazon.com/SAML/Attributes/Role=<extensionAttribute1 value>,
> https://aws.amazon.com/SAML/Attributes/RoleSessionName=<extensionAttribute2 value>,SessionDuration=<extensionAttribute3 value>
>
>
> (again, in whatever format the protocol CAS is speaking with AWS 
> specifies) which, I presume, is not what you want. :-)
>
> I believe there is a way to release the same attribute value with more 
> than one name, but I don't use it myself, so I don't know the details of 
> what version that functionality was added in, or how it's actually 
> configured.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu 
>
>
> On Fri, Nov 16, 2018 at 11:01 AM Willian Gonzales  > wrote:
>
>> David,
>>
>> I'm using the JSON Service Registry.
>> You're telling me that what's responsible for multi-valued attributes is 
>> not the service registry but the repository I'm using (in my case Active 
>> Directory)?
>>
>> So, let me show you the example I'm using.
>>
>> I need to map a multi-valued attribute to the attribute 
>> "https://aws.amazon.com/SAML/Attributes/Role".
>>
>> Here is an example of my JSON.
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "urn:amazon:webservices",
>>   "name" : "AWS",
>>   "id" : 1003,
>>   "description" : "CAS AWS",
>>   "signAssertions" : true,
>>   "signResponses" : true,
>>   "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>     "allowedAttributes" : {
>>       "@class" : "java.util.TreeMap",
>>       "description" : "https://aws.amazon.com/SAML/Attributes/Role",
>>       "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
>>       "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
>>       "extensionAttribute3" : "SessionDuration"
>>     }
>>   },
>>   "evaluationOrder" : 1125
>> }
>>
>>
>> What i need is to use the values of "descriptio

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
The "ReturnMappedAttributeReleasePolicy" is not a method for returning
attribute values, it's a method for changing the name of an attribute when
you release it.

For example, suppose you have an application that wants you to give it an
attribute called "LastName". But your Active Directory, of course, keeps
the last name in an attribute called "sn". So, in the service registry for
that service, you would specify something like this:

...
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "LastName",
      "givenName" : "givenName",
      "cn" : "cn"
    }
  },
...


This says you're going to get the values of the cn, givenName, and sn
values from your attribute repository (Active Directory or whatever), and
send them over to the client. BUT, when you do that, you're going to call
them cn, givenName, and LastName instead. So for me, the client might get
something like:

cn=curryd, givenName=David, LastName=Curry


(in whatever format the protocol it's speaking with the CAS server provides
that information).

So what you're specifying there, is that you're going to send four
attributes back to AWS: description, extensionAttribute1,
extensionAttribute2, and extensionAttribute3. But when you send them back,
you're going to call them by those 3 URLs and "SessionDuration". So AWS is
going to get something like:

https://aws.amazon.com/SAML/Attributes/Role=<description value>,
https://aws.amazon.com/SAML/Attributes/Role=<extensionAttribute1 value>,
https://aws.amazon.com/SAML/Attributes/RoleSessionName=<extensionAttribute2 value>,SessionDuration=<extensionAttribute3 value>


(again, in whatever format the protocol CAS is speaking with AWS specifies)
which, I presume, is not what you want. :-)

I believe there is a way to release the same attribute value with more than
one name, but I don't use it myself, so I don't know the details of what
version that functionality was added in, or how it's actually configured.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Nov 16, 2018 at 11:01 AM Willian Gonzales 
wrote:

> David,
>
> I'm using the JSON Service Registry.
> You're telling me that what's responsible for multi-valued attributes is
> not the service registry but the repository I'm using (in my case Active
> Directory)?
>
> So, let me show you the example I'm using.
>
> I need to map a multi-valued attribute to the attribute
> "https://aws.amazon.com/SAML/Attributes/Role".
>
> Here is an example of my JSON.
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "urn:amazon:webservices",
>   "name" : "AWS",
>   "id" : 1003,
>   "description" : "CAS AWS",
>   "signAssertions" : true,
>   "signResponses" : true,
>   "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "description" : "https://aws.amazon.com/SAML/Attributes/Role",
>       "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
>       "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
>       "extensionAttribute3" : "SessionDuration"
>     }
>   },
>   "evaluationOrder" : 1125
> }
>
>
> What I need is to use the values of "description" and
> "extensionAttribute1" in the same attribute, in this case
> "https://aws.amazon.com/SAML/Attributes/Role".
>
> I've tried to use the attribute repository but it still returns only one value.
>
> Here's my .prop file:
>
> cas.authn.ldap[0].type=AD
> cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].searchFilter=sAMAccountName={user}
> cas.authn.ldap[0].bindDn=will...@shoracius.com.br
> cas.authn.ldap[0].bindCredential=Teste@123
> cas.authn.ldap[0].dnFormat=%s...@shoracius.com.br
> cas.authn.ldap[0].principalAttributeId=sAMAccountName
> cas.authn.ldap[0].principalAttributePassword=unicodePwd
>
> cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
> cas.authn.ldap[0].failFast=false
> cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
> cas.authn.attributeRepository.ldap[0].bindDn=will...@shoracius.com.br
> cas.authn.attributeRepository.ldap[0].bindCredential=
> cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
>
> cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.attributeRepository.ldap[0].useSsl=false
> ca

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
David,

I'm using the JSON Service Registry.
You're telling me that what's responsible for multi-valued attributes is 
not the service registry but the repository I'm using (in my case Active 
Directory)?

So, let me show you the example I'm using.

I need to map a multi-valued attribute to the attribute 
"https://aws.amazon.com/SAML/Attributes/Role".

Here is an example of my JSON.

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "urn:amazon:webservices",
  "name" : "AWS",
  "id" : 1003,
  "description" : "CAS AWS",
  "signAssertions" : true,
  "signResponses" : true,
  "metadataLocation" : "file:/etc/cas/saml/sp-aws.xml",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "description" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute1" : "https://aws.amazon.com/SAML/Attributes/Role",
      "extensionAttribute2" : "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
      "extensionAttribute3" : "SessionDuration"
    }
  },
  "evaluationOrder" : 1125
}


What I need is to use the values of "description" and "extensionAttribute1" 
in the same attribute, in this case 
"https://aws.amazon.com/SAML/Attributes/Role".

I've tried to use the attribute repository but it still returns only one value.

Here's my .prop file:

cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldap://192.168.12.22:389/
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=OU=Usuarios HORACIUS,DC=shoracius,DC=com,DC=br
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=will...@shoracius.com.br
cas.authn.ldap[0].bindCredential=Teste@123
cas.authn.ldap[0].dnFormat=%s...@shoracius.com.br
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributePassword=unicodePwd
cas.authn.ldap[0].principalAttributeList=givenName,sn,mail,displayName,description,extensionAttribute1,extensionAttribute2,extensionAttribute3
cas.authn.ldap[0].failFast=false
cas.authn.attributeRepository.ldap[0].ldapUrl=ldap://192.168.12.22:389/
cas.authn.attributeRepository.ldap[0].bindDn=will...@shoracius.com.br
cas.authn.attributeRepository.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap[0].poolPassivator=BIND
cas.authn.attributeRepository.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.attributeRepository.ldap[0].useSsl=false
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].name=AD
cas.authn.attributeRepository.expirationTime=30
cas.authn.attributeRepository.expirationTimeUnit=MINUTES
cas.authn.attributeRepository.maximumCacheSize=1
cas.authn.attributeRepository.merger=MERGE
cas.authn.attributeRepository.ldap[0].attributes.description=extensionAttribute1
# cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
# cas.authn.attributeRepository.ldap[0].attributes.cn=commonName 

Can you help me with this quest?

I'm from Brazil, so I'm sorry for my English.

Thanks in advance, and I appreciate your help.


On Friday, November 16, 2018 at 13:26:22 UTC-2, David Curry wrote:
>
> Since I'm the only "David" I see in this thread I assume you're asking 
> me... but I'm not sure I understand the question. Where are you putting the 
> JSON that you're expecting CAS to consume it and then spit it out in a SAML 
> response?
>
> Normally, CAS will get the attributes from whatever repositories you 
> configure it to use, and take care of putting them into the response 
> itself; you don't have to specify any JSON. As far as I know, multi-valued 
> attributes should work just fine with that.
>
> The JSON I provided back earlier in this thread was in a service registry 
> definition to show how to rename attributes, not provide their values.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david...@newschool.edu 
>
>
> On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales  > wrote:
>
>> Hi David!
>>
>> I'm praying that you see my question now because I really need your help.
>> I want to thank you because you really helped me by showing the .json 
>> configuration.
>> But I need some help with this.
>>
>> How do I manage to do a multi-valued attribute in JSON?
>> I need the SAML response to be like this:
>>
>> <Attribute ...>
>>   <AttributeValue>1</AttributeValue>
>>   <AttributeValue>2</AttributeValue>
>>   <AttributeValue>3</AttributeValue>
>> </Attribute>
>>
>> Can you help me with this, man?
>>
>> Regards
>>
>> On Wednesday, May 16, 2018 at 11:49:10 UTC-3, David Curry wrote:
>>>
>>>
>>>
>>> Here's a JSON definition for an Apache HTTPD with the Shibboleth 
>>> mod_shib/shibd plug-in:
>>>
>>> {
>>>   "@class" : 
>>> "org.apereo.cas.support.saml.services.

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
Since I'm the only "David" I see in this thread I assume you're asking
me... but I'm not sure I understand the question. Where are you putting the
JSON that you're expecting CAS to consume it and then spit it out in a SAML
response?

Normally, CAS will get the attributes from whatever repositories you
configure it to use, and take care of putting them into the response
itself; you don't have to specify any JSON. As far as I know, multi-valued
attributes should work just fine with that.

The JSON I provided back earlier in this thread was in a service registry
definition to show how to rename attributes, not provide their values.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Nov 16, 2018 at 10:08 AM Willian Gonzales 
wrote:

> Hi David!
>
> I'm praying that you see my question now because I really need your help.
> I want to thank you because you really helped me by showing the .json
> configuration.
> But I need some help with this.
>
> How do I manage to do a multi-valued attribute in JSON?
> I need the SAML response to be like this:
>
> <Attribute ...>
>   <AttributeValue>1</AttributeValue>
>   <AttributeValue>2</AttributeValue>
>   <AttributeValue>3</AttributeValue>
> </Attribute>
>
> Can you help me with this, man?
>
> Regards
>
> On Wednesday, May 16, 2018 at 11:49:10 UTC-3, David Curry wrote:
>>
>>
>>
>> Here's a JSON definition for an Apache HTTPD with the Shibboleth
>> mod_shib/shibd plug-in:
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>>   "name" : "Apache Secured By SAML",
>>   "id" : 1509030300,
>>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>>     "allowedAttributes" : {
>>       "@class" : "java.util.TreeMap",
>>       "cn" : "urn:oid:2.5.4.3",
>>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>>       "givenName" : "urn:oid:2.5.4.42",
>>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>>       "role" : "urn:newschool:attribute-def:role",
>>       "sn" : "urn:oid:2.5.4.4",
>>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>>       "UDC_IDENTIFIER" : "urn:newschool:attribute-def:UDC_IDENTIFIER"
>>     }
>>   },
>>   "evaluationOrder" : 1125
>> }
>>
>> But if your SP doesn't care about the funky notation, you can just do it
>> the "regular" way... here's a definition for a test SP created via RSA's
>> free IAMShowcase site (this is a cut-down copy of the entire registry entry
>> to show the part you're interested in):
>>
>> {
>> "serviceId": "IAMShowcase",
>> "name": "RSA SAML Test Service Provider",
>> "theme": null,
>> "informationUrl": null,
>> "privacyUrl": null,
>> "id": 1202469081,
>> "description": "The URL for the SP that talks to this service is
>> https://sptest.iamshowcase.com/ixs?idp=",
>> "evaluationOrder": -1,
>> "attributeReleasePolicy": {
>> "@class":
>> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>> "allowedAttributes": [
>> "displayName",
>> "givenName",
>> "sn",
>> "uid"
>> ]
>> }
>> }
>>
>>
>> --Dave
>>
>>
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>
>> On Wed, May 16, 2018 at 9:07 AM, John D Giotta  wrote:
>>
>>> Do you have an example of this?
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a71f33b-cc77-4c2a-be89-b712229a227a%40apereo.org
>>> 
>>> .
>>>
>>

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
Hi David!

I'm praying that you see my question now because I really need your help.
I want to thank you because you really helped me by showing the .json 
configuration.
But I need some help with this.

How do I manage to do a multi-valued attribute in JSON?
I need the SAML response to be like this:

<Attribute ...>
  <AttributeValue>1</AttributeValue>
  <AttributeValue>2</AttributeValue>
  <AttributeValue>3</AttributeValue>
</Attribute>

Can you help me with this, man?

Regards

On Wednesday, May 16, 2018 at 11:49:10 UTC-3, David Curry wrote:
>
>
>
> Here's a JSON definition for an Apache HTTPD with the Shibboleth 
> mod_shib/shibd plug-in:
>
> {
>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
>   "name" : "Apache Secured By SAML",
>   "id" : 1509030300,
>   "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
>   "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "cn" : "urn:oid:2.5.4.3",
>       "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
>       "givenName" : "urn:oid:2.5.4.42",
>       "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
>       "role" : "urn:newschool:attribute-def:role",
>       "sn" : "urn:oid:2.5.4.4",
>       "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
>       "UDC_IDENTIFIER" : "urn:newschool:attribute-def:UDC_IDENTIFIER"
>     }
>   },
>   "evaluationOrder" : 1125
> }
>
> But if your SP doesn't care about the funky notation, you can just do it 
> the "regular" way... here's a definition for a test SP created via RSA's 
> free IAMShowcase site (this is a cut-down copy of the entire registry entry 
> to show the part you're interested in):
>
> {
> "serviceId": "IAMShowcase",
> "name": "RSA SAML Test Service Provider",
> "theme": null,
> "informationUrl": null,
> "privacyUrl": null,
> "id": 1202469081,
> "description": "The URL for the SP that talks to this service is 
> https://sptest.iamshowcase.com/ixs?idp=",
> "evaluationOrder": -1,
> "attributeReleasePolicy": {
> "@class": 
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
> "allowedAttributes": [
> "displayName",
> "givenName",
> "sn",
> "uid"
> ]
> }
> }
>
>
> --Dave
>
>
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
>
> On Wed, May 16, 2018 at 9:07 AM, John D Giotta  > wrote:
>
>> Do you have an example of this?
>>



Re: [cas-user] User Attributes for SAML 2.0

2018-05-28 Thread David Curry
You should probably start by reading the CAS SAML documentation:

https://apereo.github.io/cas/development/installation/Configuring-SAML2-Authentication.html

And then you can look at, for example, the instructions here:

https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html

for a step-by-step example of how to enable SAML IdP support on the CAS
server, and build a simple test client (SP).

Note that both of the above assume that you already understand the basics
of how SAML authentication works. Not the protocol details, but at least
who talks to whom, and which provider performs which functions.






Re: [cas-user] User Attributes for SAML 2.0

2018-05-28 Thread sai ram
Presently, we are using CAS as an Identity Provider, but now we want to use
SAML 2.0 as an Identity Provider instead of the CAS server. As I'm new to CAS,
can anyone help me out with the steps that I need to follow? I also have some
queries, like: do we need to configure the SAML Request & Response
externally?
How can we register the Identity Provider with the Service Provider & vice
versa?
Suppose I use LDAP as the user directory. How, & with whom (IdP/SP), do I
need to register LDAP?



Thanks & Regards,
A SAIRAM



Re: [cas-user] User Attributes for SAML 2.0

2018-05-24 Thread John D Giotta
That got it! Thank you so much, David!



Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
So, you have

cas.authn.attributeRepository.jdbc[0].username=email


in *cas.properties*? I didn't see it in the ones you copied/pasted earlier.

Dumb question, but if you connect to the database using the same user and
password that you have CAS configured to use, and you run

SELECT * FROM app_user WHERE email='jdgio...@gmail.com'


do you get your attributes?

And...assuming you own the database, can you enable query logging on that
end? Or make the JDBC library log what it's doing?







Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread Ray Bon
John,

You may be able to set 'show_sql' for hibernate. CAS properties has 
'Hibernate-specific properties' but I have not used this.

Ray


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread John D Giotta
My "username" column is called email, but even with your suggestions I 
still get the following DEBUG output in logs.

Found [0] attributes for principal [jdgio...@gmail.com] from the attribute 
repository.

This is why I think there is something wrong with the query. Log level is set 
to debug, but I still don't see queries. I even set debug to 
org.springframework.orm.jpa 
for good measure.



Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
I'm pretty sure that if you enable debug-level logging on
org.apereo.services.persondir in */etc/cas/config/log4j2.xml*, you'll see
the SQL query in *cas.log*. You can do that most easily by changing this
line near the top of the file:

warn

to:

debug

You shouldn't even need to restart the server, just wait 5-10 seconds for
it to re-check the logging config file.

But you sparked my curiosity (not the least because I actually did figure
this out once a long time ago for CAS 3.5), so I dug around a bit. The
documentation for the SingleRowJdbcPersonAttributeDao (which is what you're
ultimately configuring) is here:
https://wiki.jasig.org/display/PDM15/JDBC+Attribute+Source.

According to that, the attributes are going to be fetched with a SQL query
like SELECT * FROM USER_DATA WHERE {0} and, by default, the {0} is going to
be replaced with username=*value* (where *value* is the name of the user
you're looking for). If the column in your database that contains the
username is called something other than username, you can change that with
a queryAttributeMapping definition:








(The above will change the {0} from username=*value* to uid=*value*.)

So, reading the CAS documentation here:
https://apereo.github.io/cas/development/installation/Configuration-Properties.html#jdbc
it looks to me like you need this setting:

cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM app_user WHERE {0}


(I know your current setting lists the columns you want, but I would
suggest starting with this until it works, and then tweak it down if you
really need to.) And, since your app_user table, as near as I can guess,
doesn't have a column named username, you need to set the column you want
to use (this is the equivalent of the queryAttributeMapping XML above):

cas.authn.attributeRepository.jdbc[0].username=id


I might be wrong about the setting above; you might want email in there
instead of id, since that's what your authentication query is using (the
value it's matching against is, I believe, whatever the user is typing in
as his/her username).

The other part of the SingleRowJdbcPersonAttributeDao discussed in the
documentation is the part that maps database column names (the keys) to
attribute names (the values):










That's covered by the other properties we talked about yesterday:

cas.authn.attributeRepository.jdbc[0].attributes.id=uid
cas.authn.attributeRepository.jdbc[0].attributes.first_name=givenName
cas.authn.attributeRepository.jdbc[0].attributes.email=emailaddress
cas.authn.attributeRepository.jdbc[0].attributes.last_name=surname


The database column names are on the left-hand side of the '=', and the
attribute names (what the client application gets) are on the right-hand
side.

Please note that the above is from my reading the documentation only (well,
and getting it working once several years ago on CAS 3.5). I don't have a
CAS-with-JDBC instance configured to try it out on. But hopefully it points
you in the right direction, at least.

Good luck,
--Dave





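The resolution path described above (a SQL template whose {0} becomes "<username-column> = ?", a setting naming the username column, and a column-to-attribute rename map) modelled in Python against an in-memory SQLite table. This is an added example, not CAS or Person Directory code: the app_user rows, the function names and the two mapping dictionaries are constructed to reproduce the thread's "flipped" and corrected settings, and the SQLite table stands in for the MySQL one.

```python
"""
Constructed model of a single-row JDBC attribute repository, in the shape
the thread describes: a SQL template whose {0} becomes "<username-column> = ?",
a setting naming the username column, and a column -> attribute rename map.
Added example; not CAS or Person Directory code.
"""
import re
import sqlite3

# Constructed sample data mirroring the app_user columns named in the thread.
SAMPLE_ROWS = [
    (1, "Jane", "Doe", "jane@example.org", 1),
    (2, "Bob", "Roe", "bob@example.org", 0),
]

# Stand-in for cas.authn.attributeRepository.jdbc[0].sql; {0} is filled at query time.
SQL_TEMPLATE = "SELECT * FROM app_user WHERE {0}"

# The two attribute maps from the thread: left side = column name in the
# repository, right side = name the attribute is released under.
FLIPPED_MAP = {"uid": "id", "givenName": "first_name",
               "emailaddress": "email", "surname": "last_name"}
CORRECT_MAP = {"id": "uid", "first_name": "givenName",
               "email": "emailaddress", "last_name": "surname"}

_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db():
    """In-memory SQLite stand-in for the MySQL app_user table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (id INTEGER, first_name TEXT, "
                 "last_name TEXT, email TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def resolve_attributes(conn, sql_template, username_column, principal, attribute_map):
    """Return {released_name: value} for one principal; {} when nothing resolves."""
    # The column name is configuration, not user input, but validate it anyway
    # because it is spliced into the SQL text rather than bound as a parameter.
    if not _IDENTIFIER.match(username_column):
        raise ValueError(f"bad username column: {username_column!r}")
    if "{0}" not in sql_template:
        raise ValueError("sql template has no {0} placeholder")
    # {0} -> "email = ?"; the principal id itself is always a bound parameter.
    sql = sql_template.replace("{0}", f"{username_column} = ?")
    cur = conn.execute(sql, (principal,))
    row = cur.fetchone()
    if row is None:
        return {}  # the case CAS reports as "Found [0] attributes for principal [...]"
    record = dict(zip([d[0] for d in cur.description], row))
    released = {}
    for column, released_name in attribute_map.items():
        # A key that is not a column (the "flipped" map) simply never matches,
        # so the result is an empty attribute set rather than an error.
        if record.get(column) is not None:
            released[released_name] = record[column]
    return released


if __name__ == "__main__":
    db = make_db()
    for label, mapping in (("flipped", FLIPPED_MAP), ("correct", CORRECT_MAP)):
        print(label, resolve_attributes(db, SQL_TEMPLATE, "email",
                                        "jane@example.org", mapping))
```

Running it shows the symptom from the thread directly: with the flipped map the lookup succeeds but no key matches a column, so the principal comes back with zero attributes; with column names on the left the four attributes are released under their new names.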


Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
Is there any way to show the sql used to get user attributes?



Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Could be, but as I don't use the jdbc stuff, I can't help you with that.
The {0} gets replaced with some dynamic value generated by the Java code.
My guess would be it's some condition like column=value, but that's pretty
much a guess.

I would suggest, if you haven't yet, setting the CAS log level to debug and
the jdbc library log level to debug, and seeing if that helps.




David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.





Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
Same error. Do you think that maybe my select statement is wrong? 
Specifically the `WHERE {0}` That just seems wrong to me. What is {0}?



Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Based on the SELECT, I think these definitions are flipped:

cas.authn.attributeRepository.jdbc[0].attributes.uid=id
cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name
cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email
cas.authn.attributeRepository.jdbc[0].attributes.surname=last_name

The format is "attribute-name-in-my-repository =
what-i-want-to-call-it-when-it's-released", so you want

cas.authn.attributeRepository.jdbc[0].attributes.id=uid
cas.authn.attributeRepository.jdbc[0].attributes.first_name=givenName
cas.authn.attributeRepository.jdbc[0].attributes.email=emailaddress
cas.authn.attributeRepository.jdbc[0].attributes.last_name=surname

--Dave






Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta


cas.authn.accept.users=

cas.authn.jdbc.query[0].ddlAuto=none
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].fieldPassword=password
cas.authn.jdbc.query[0].password=
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=
cas.authn.jdbc.query[0].passwordEncoder.secret=
cas.authn.jdbc.query[0].passwordEncoder.strength=10
cas.authn.jdbc.query[0].passwordEncoder.type=BCRYPT
cas.authn.jdbc.query[0].sql=SELECT * FROM app_user WHERE email=? AND enabled = 1
cas.authn.jdbc.query[0].user=u

# User Attribute Settings
cas.authn.attributeRepository.jdbc[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.attributeRepository.jdbc[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.attributeRepository.jdbc[0].user=u
cas.authn.attributeRepository.jdbc[0].password=
cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].sql=SELECT id, first_name, last_name, 
email FROM app_user WHERE {0}

cas.authn.attributeRepository.jdbc[0].attributes.uid=id
cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name
cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email
cas.authn.attributeRepository.jdbc[0].attributes.surname=last_name



Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Can you attach the relevant section of cas.properties (the part where you
define which attributes you're going to resolve) and the service definition
for the SAML SP?






Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
The error I see on the CAS server is the following:

2018-05-21 20:15:07,348 INFO [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController] - [/cas/idp/profile/SAML2/Callback.+]>
2018-05-21 20:15:07,656 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress] that is based off of [email] in the allowed attributes list. Ensure the original attribute [email] is retrieved and contains at least a single value. Attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress] will and can not be released without the presence of a value.>
2018-05-21 20:15:07,664 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname] that is based off of [givenName] in the allowed attributes list. Ensure the original attribute [givenName] is retrieved and contains at least a single value. Attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname] will and can not be released without the presence of a value.>
2018-05-21 20:15:07,670 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname] that is based off of [surname] in the allowed attributes list. Ensure the original attribute [surname] is retrieved and contains at least a single value. Attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname] will and can not be released without the presence of a value.>

Any ideas?



Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Someone smarter than me may need to weigh in on this... but I'll try.

As I understand it, SAML SPs will accept two forms of attribute names. One
form is that "urn" notation that Shibboleth seems to like:









The other form is the "friendly name," which is basically just a string,
like "cn" or "uid" or "givenName" or whatever. If you're using LDAP (or AD)
as your directory, then it's likely (although not required) that your
friendly names will just be your LDAP attribute names. I haven't used a
JDBC attribute repository with CAS 5, so I'm not sure what your attribute
names are there, but I'm guessing they're similar.

Anyway, CAS 5 lets you define your attributes, and the names you'd like to
return them under, in cas.properties. So, for LDAP, I have:

cas.authn.attributeRepository.ldap[0].attributes.cn:uid
cas.authn.attributeRepository.ldap[0].attributes.displayName:   displayName
cas.authn.attributeRepository.ldap[0].attributes.givenName: givenName
cas.authn.attributeRepository.ldap[0].attributes.mail:  mail
cas.authn.attributeRepository.ldap[0].attributes.memberOf:  memberOf
cas.authn.attributeRepository.ldap[0].attributes.sn:sn
cas.authn.attributeRepository.ldap[0].attributes.tnsIDNumber:   cn


This says that, when I release these attributes to an application, it will
see:

   1. Attributes called displayName, givenName, mail, memberOf, and sn with
   the values of the LDAP attributes of the same name
   2. An attribute called uid that contains the value of the LDAP cn
   attribute (i.e., I "rename" the attribute when I release it to the
   application)
   3. An attribute called cn that contains the value of the LDAP tnsIDNumber
   attribute

You can do the same thing with JDBC (according to the documentation anyway;
I don't have a JDBC source to try it against):

cas.authn.attributeRepository.jdbc[0].attributes.uid:   uid
cas.authn.attributeRepository.jdbc[0].attributes.last_name: sn
cas.authn.attributeRepository.jdbc[0].attributes.first_name:givenName


and so on.

So, in the simple case, where your SAML SP (the client app) will accept
"friendly" names, you can just return the attributes in exactly the same
way as you do for a CAS service. But, in the other case, where your SAML SP
wants the "urn" names, you'll need to convert whatever names you've
configured in cas.properties to the other notation. You can do this by
using a ReturnMappedAttributeReleasePolicy in the service definition:

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "cn" : "urn:oid:2.5.4.3",
    "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName" : "urn:oid:2.5.4.42",
    "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
    "role" : "urn:newschool:attribute-def:role",
    "sn" : "urn:oid:2.5.4.4",
    "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
    "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER"
  }
}


Determining WHAT the "urn" values should be is the hardest part. In the
case of the Shibboleth SP (Apache mod_shib), they're defined in
/etc/shibboleth/attribute-resolver.xml.

Note: CAS 5.3, I believe, has added support for returning both the "urn"
and friendly names in the SAML response instead of either/or. I haven't
tried this, but recall seeing it in one of the changelogs...

You might find it helpful to set up a test SAML SP on the RSA IAM Showcase (
https://sptest.iamshowcase.com/). It's free, and dead simple to do
(download their metadata, upload your metadata, create a service registry
entry, done). When you log into their SP, it will display all the
attributes and other SAML data that it got back.

Hope this helps,
--Dave




Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
David,

I'm still trying to understand how user attributes are supposed to work. 
Let's say I'm using JDBC as my source for user data and credentials. If I'm 
writing the JSON service to map datasource fields to SAML attributes, how 
is this done? Is it naming convention? Do I need to include a custom 
mapping Java class?



Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread John D Giotta
I've had very little success making the management service work (like other 
things).
I try to follow the documentation, but something is always amiss. 

My personal problem is that I'm very much a TDD developer. I have issues 
not being able to effectively test what I'm doing. 



Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
I'm not sure I understand the question. If you mean could you copy the
example I provided directly into a jdbc/jpa service registry, then I have
to say I don't know, because I don't know how the information is stored in
the database.

The first example I gave (the Apache one) is a json file from a json
service registry, so if you know how to "import" from a json service
registry to your database-backed one, then yeah, I guess you could do that.

The second example I gave is incomplete; I went to my CAS dashboard and
clicked on the "Registered Services" button, which dumped the entire
registry as JSON, and then I copied that particular entry into the email,
and deleted lots of irrelevant bits. So I would not recommend directly
using that for anything.

If you're to the point of adding "real" services instead of just a couple
of test entities, I suggest you get the management webapp working, and then
use that to manage your services. It's MUCH easier, as it takes care of all
the complexities; you just point-n-click, for the most part.

That's probably a longer answer than you were looking for. :-)

--Dave


On Wed, May 16, 2018 at 11:56 AM, John D Giotta wrote:

> Would this example you provided be applicable to a jdbc backend?



Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread John D Giotta
Would this example you provided be applicable to a jdbc backend?



Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
Here's a JSON definition for an Apache HTTPD with the Shibboleth
mod_shib/shibd plug-in:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
  "name" : "Apache Secured By SAML",
  "id" : 1509030300,
  "description" : "CAS development Apache mod_shib/shibd server with username/password protection",
  "metadataLocation" : "https://casdev-samlsp.newschool.edu/Shibboleth.sso/Metadata",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "cn" : "urn:oid:2.5.4.3",
      "displayName" : "urn:oid:2.16.840.1.113730.3.1.241",
      "givenName" : "urn:oid:2.5.4.42",
      "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
      "role" : "urn:newschool:attribute-def:role",
      "sn" : "urn:oid:2.5.4.4",
      "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
      "UDC_IDENTIFIER": "urn:newschool:attribute-def:UDC_IDENTIFIER"
    }
  },
  "evaluationOrder" : 1125
}

But if your SP doesn't care about the funky notation, you can just do it
the "regular" way... here's a definition for a test SP created via RSA's
free IAMShowcase site (this is a cut-down copy of the entire registry entry
to show the part you're interested in):

{
  "serviceId": "IAMShowcase",
  "name": "RSA SAML Test Service Provider",
  "theme": null,
  "informationUrl": null,
  "privacyUrl": null,
  "id": 1202469081,
  "description": "The URL for the SP that talks to this service is https://sptest.iamshowcase.com/ixs?idp=",
  "evaluationOrder": -1,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "displayName",
      "givenName",
      "sn",
      "uid"
    ]
  }
}


--Dave

On Wed, May 16, 2018 at 9:07 AM, John D Giotta wrote:

> Do you have an example of this?



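To make the two release policies concrete (the urn mapping described in David's earlier reply and the two definitions in this message), here is an added example of my own, not CAS's or David's code: a small simulation of what a ReturnMappedAttributeReleasePolicy and a ReturnAllowedAttributeReleasePolicy let out of the IdP for a given principal, plus a check that lists mapped names which are neither urn: nor URI so they can be compared against the SP's attribute-map. The service JSON, the sp.example.org serviceId and the memberOf/groups entry are constructed, and the policy semantics are a hypothetical re-implementation, not the CAS classes themselves.

```python
import json
import re
# Constructed service definition in the shape of the ReturnMapped example in this thread.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://sp.example.org/shibboleth",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "mail" : "urn:oid:0.9.2342.19200300.100.1.3",
      "uid" : "urn:oid:0.9.2342.19200300.100.1.1",
      "role" : "urn:example:attribute-def:role",
      "memberOf" : "groups"
    }
  }
}"""
MAPPED = "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy"
ALLOWED = "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy"
SAML_NAME = re.compile(r"^(urn:\S+|https?://\S+)$")

def _values(v):  # principal attributes may be single- or multi-valued; normalise to a list
    return list(v) if isinstance(v, (list, tuple, set)) else [v]

def release_attributes(service, principal):
    """Hypothetical re-implementation of the two policies' release semantics (not CAS code)."""
    policy = service["attributeReleasePolicy"]
    kind, allowed = policy["@class"], policy["allowedAttributes"]
    released = {}
    if kind == MAPPED:
        # friendly name -> SAML Name; an attribute the map does not list is never released
        for local, saml_name in allowed.items():
            if local != "@class" and local in principal:
                released[saml_name] = _values(principal[local])
    elif kind == ALLOWED:
        # names pass through unchanged, which is what a "regular" SP expects
        for local in allowed:
            if local in principal:
                released[local] = _values(principal[local])
    else:
        raise ValueError(f"unsupported release policy: {kind}")
    return released

def unusual_saml_names(service):
    """Mapped names that are neither urn: nor a URI, worth checking against the SP's attribute-map."""
    policy = service["attributeReleasePolicy"]
    if policy["@class"] != MAPPED: return []
    return sorted(k for k, v in policy["allowedAttributes"].items() if k != "@class" and not SAML_NAME.match(v))

SERVICE = json.loads(SERVICE_JSON)
```

Attributes the principal carries but the policy does not name (sn in the first case, mail in the second) never reach the SP, which is the least-privilege property worth checking when a new service entry is added.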
Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread John D Giotta
Do you have an example of this?



Re: [cas-user] User Attributes for SAML 2.0

2018-05-15 Thread David Curry
The same way you do for CAS services, pretty much. Just list what you want
to return. If you need the uri naming, you can use the "return mapped
attributes" feature; there's an example of that in my doc. Although that
may or may not be necessary depending on the SP.

CAS 5.3 has some improved functionality in this area (uri names plus
friendly names at the same time), but we haven't needed it in our
environment (YMMV).

David A. Curry,  CISSP
Director of Information Security
The New School - Information Technology
71 Fifth Ave., 9th Fl. ~ New York, NY 10003
+1 212 229-5300 x4728 ~ david.cu...@newschool.edu
Sent from my phone; please excuse typos and inane auto-corrections.



On Tue, May 15, 2018, 19:32 John D Giotta wrote:

> How do I set up user attributes for SAML 2.0?
