Re: [cas-user] User Attributes for SAML 2.0

2018-11-17 Thread Willian Gonzales
David, I really want to thank you for helping me on this. I've finally managed to retrieve a multiple-value attribute; just like you said, the one responsible for releasing attributes in CAS is the Authentication Handler, in my case Active Directory. So, what I've done was create a custom attribute

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
Well, I also said we don't do that here, so I don't actually know how to do it, just that I think you can. :-) But seriously, I believe it depends on what you're using for an attribute repository. And I'm not sure whether it's going to give you what you want:

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
David, what I want is to log in to multiple AWS accounts using SAML2. I've managed to log in to only one account. But to log in to multiple accounts you have to send the response like this: https://aws.amazon.com/SAML/Attributes/Role

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
The "ReturnMappedAttributeReleasePolicy" is not a method for returning attribute values, it's a method for changing the name of an attribute when you release it. For example, suppose you have an application that wants you to give it an attribute called "LastName". But your Active Directory, of

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
David, I'm using the JSON Service Registry. You're telling me that the one responsible for multi-value attributes is not the service registry but the repository I'm using? (In my case Active Directory.) So, let me show you the example I'm using. I need to map a multi-value attribute for the attribute

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread David Curry
Since I'm the only "David" I see in this thread I assume you're asking me... but I'm not sure I understand the question. Where are you putting the JSON that you're expecting CAS to consume and then spit out in a SAML response? Normally, CAS will get the attributes from whatever repositories

Re: [cas-user] User Attributes for SAML 2.0

2018-11-16 Thread Willian Gonzales
Hi David! I'm praying that you see my question now because I really need your help. I want to thank you because you really helped me by showing the .json configuration. But I need some help on this. How do I manage to do a multi-value attribute in JSON? I need the SAML response to be like this

Re: [cas-user] User Attributes for SAML 2.0

2018-05-28 Thread David Curry
You should probably start by reading the CAS SAML documentation: https://apereo.github.io/cas/development/installation/Configuring-SAML2-Authentication.html And then you can look at, for example, the instructions here:

Re: [cas-user] User Attributes for SAML 2.0

2018-05-28 Thread sai ram
Presently, we are using CAS as an Identity Provider, but now we want to use SAML 2.0 as an Identity Provider instead of the CAS server. As I'm new to CAS, can anyone help me out with the steps that I need to follow? And I have some queries, like: do we need to configure the SAML Request & Response externally?

Re: [cas-user] User Attributes for SAML 2.0

2018-05-24 Thread John D Giotta
That got it! Thank you so much, David! -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
So, you have cas.authn.attributeRepository.jdbc[0].username=email in *cas.properties*? I didn't see it in the ones you copied/pasted earlier. Dumb question, but if you connect to the database using the same user and password that you have CAS configured to use, and you run SELECT * FROM

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread Ray Bon
John, you may be able to set 'show_sql' for Hibernate. CAS properties has 'Hibernate-specific properties' but I have not used this.

Ray

On Tue, 2018-05-22 at 10:18 -0700, John D Giotta wrote:
> My "username" column is called email, but even with your suggestions I still get the following DEBUG

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread John D Giotta
My "username" column is called email, but even with your suggestions I still get the following DEBUG output in the logs: Found [0] attributes for principal [jdgio...@gmail.com] from the attribute repository. This is why I think there is something wrong with the query. Log level is set to debug, but

Re: [cas-user] User Attributes for SAML 2.0

2018-05-22 Thread David Curry
I'm pretty sure that if you enable debug-level logging on org.apereo.services.persondir in */etc/cas/config/log4j2.xml*, you'll see the SQL query in *cas.log*. You can do that most easily by changing this line near the top of the file: warn to: debug You shouldn't even need to restart the

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
Is there any way to show the SQL used to get user attributes?

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Could be, but as I don't use the JDBC stuff, I can't help you with that. The {0} gets replaced with some dynamic value generated by the Java code. My guess would be it's some condition like column=value, but that's pretty much a guess. I would suggest, if you haven't yet, to set the CAS log level to

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
Same error. Do you think that maybe my select statement is wrong? Specifically the `WHERE {0}`. That just seems wrong to me. What is {0}?

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Based on the SELECT, I think these definitions are flipped:

cas.authn.attributeRepository.jdbc[0].attributes.uid=id
cas.authn.attributeRepository.jdbc[0].attributes.givenName=first_name
cas.authn.attributeRepository.jdbc[0].attributes.emailaddress=email

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
cas.authn.accept.users=
cas.authn.jdbc.query[0].ddlAuto=none
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].fieldPassword=password
cas.authn.jdbc.query[0].password=

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Can you attach the relevant section of cas.properties (the part where you define which attributes you're going to resolve) and the service definition for the SAML SP? -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
The error I see on the CAS server is the following:

2018-05-21 20:15:07,348 INFO [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlProfileCallbackHandlerController] -
2018-05-21 20:15:07,656 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] -

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread David Curry
Someone smarter than me may need to weigh in on this... but I'll try. As I understand it, SAML SPs will accept two forms of attribute names. One form is that "urn" notation that Shibboleth seems to like: The other form is the "friendly name," which is basically just a string, like "cn"

Re: [cas-user] User Attributes for SAML 2.0

2018-05-21 Thread John D Giotta
David, I'm still trying to understand how user attributes are supposed to work. Let's say I'm using JDBC as my source for user data and credentials. If I'm writing the JSON service to map datasource fields to SAML attributes, how is this done? Is it naming convention? Do I need to include a

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread John D Giotta
I've had very little success making the management service work (like other things). I try to follow the documentation, but something is always amiss. My personal problem is that I'm very much a TDD developer. I have issues not being able to effectively test what I'm doing.

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
I'm not sure I understand the question. If you mean could you copy the example I provided directly into a jdbc/jpa service registry, then I have to say I don't know, because I don't know how the information is stored in the database. The first example I gave (the Apache one) is a json file from a

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread John D Giotta
Would this example you provided be applicable to a JDBC backend?

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread David Curry
Here's a JSON definition for an Apache HTTPD with the Shibboleth mod_shib/shibd plug-in:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "https://casdev-samlsp.newschool.edu/shibboleth",
  "name" : "Apache Secured By SAML",
  "id" : 1509030300,

Re: [cas-user] User Attributes for SAML 2.0

2018-05-16 Thread John D Giotta
Do you have an example of this?

Re: [cas-user] User Attributes for SAML 2.0

2018-05-15 Thread David Curry
The same way you do for CAS services, pretty much. Just list what you want to return. If you need the uri naming, you can use the "return mapped attributes" feature; there's an example of that in my doc. Although that may or may not be necessary depending on the SP. CAS 5.3 has some improved