Hi,

I'm talking about the CAS SLO: when calling /cas/logout, it should trigger the destruction of the web session of your Shiro application.

To use SAML, you need to configure SAML on the Shiro application side by using the *setValidationProtocol* method of the *CasRealm* object (casRealm.validationProtocol = SAML). Unless you use CAS 4.0-RCx, the SAML validation endpoint is available out-of-the-box in the CAS server (https://wiki.jasig.org/display/CASUM/SAML+1.1).

Best regards,
Jérôme
2014/1/16 Eduardo J. Ortega U [via Shiro User] <[email protected]>
> Hi, Jérôme:
>
> Thanks for your reply. A couple of questions, though:
>
> - When you say sign out should work, you mean I should call /logout
> from my app and it should log me out of CAS, or I should go to cas/logout
> and that should log me out of my application?
> - How do I go about using the SAML validation? Is this something I
> should setup in shiro? On CAS? Both? Can you point me to any docs /
> examples?
>
> Thanks,
>
> --
> Eduardo J. Ortega
> Tel: 57+1+2553580
> Cel: 57+317+4415156
> Zürich
> CL 72 5 83 Piso 11, Bogotá, CO.
>
> On 16/01/14 04:18, jleleu wrote:
> > Hi,
> >
> > Regarding logout, I can't remember exactly if I did the test or someone
> > else, but I think it works. Did you try some debugging in the
> > SingleSignOutFilter?
> >
> > To get user's attributes, things are a little more complex:
> > - you need to retrieve the user's attributes inside the CAS server (should
> > be what you did)
> > - define that you want to push these attributes for the CAS service
> > representing the Shiro application (*allowedAttributes* or
> > *ignore* parameter for this CAS service)
> > - use the SAML validation
> > And then, the user's attributes will be available as the second
> > principal: https://github.com/apache/shiro/blob/1.2.x/support/cas/src/main/java/org/apache/shiro/cas/CasRealm.java#L162
> >
> > Best regards,
> > Jérôme
> >
> > 2014/1/15 Eduardo J. Ortega U [via Shiro User] <[hidden email]>
> > > Hi, all:
> > >
> > > We are setting up our first Shiro enabled application with CAS
> > > authentication. Authentication seems to work fine, however, we have two
> > > issues:
> > >
> > > - We want to have Single Sign out, so that when a user signs out of
> > > CAS, he/she is signed out of CAS and therefore all apps. Currently, if I
> > > logout of the application (using Shiro's logout feature), and then try to
> > > access one of the protected pages, browser gets redirected to CAS, which in
> > > turn validates and redirects to http://myhost/myapp/shiro-cas and then
> > > /shiro-cas redirects it to the requested URL of the application, so
> > > effectively the user is logged back in the application. Also, if the user
> > > logs out of CAS (visiting http://myhost/CAS/logout) its CAS session
> > > ends but the application session remains, so he / she can still access the
> > > protected areas. I set up the following on myapp web.xml:
> > >
> > > <filter>
> > >   <filter-name>CAS Single Sign Out Filter</filter-name>
> > >   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
> > > </filter>
> > >
> > > <filter-mapping>
> > >   <filter-name>CAS Single Sign Out Filter</filter-name>
> > >   <url-pattern>/*</url-pattern>
> > > </filter-mapping>
> > >
> > > <listener>
> > >   <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
> > > </listener>
> > >
> > > But it is not working. What am I missing?
> > >
> > > - We want to access some of the user attributes from inside our
> > > application. I set up CAS properties to map the attributes, setting this on
> > > CAS deployerConfigContext.xml
> > >
> > > <bean id="attributeRepository"
> > >       class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
> > >   <property name="contextSource" ref="contextSource" />
> > >   <property name="baseDN" value="ou=People,dc=example,dc=com,dc=co" />
> > >   <property name="requireAllQueryAttributes" value="true" />
> > >   <property name="queryAttributeMapping">
> > >     <map>
> > >       <entry key="username" value="uid" />
> > >     </map>
> > >   </property>
> > >   <property name="resultAttributeMapping">
> > >     <map>
> > >       <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
> > >       <entry value="Name" key="displayName" />
> > >       <entry key="distinguishedName" value="dn" />
> > >     </map>
> > >   </property>
> > > </bean>
> > >
> > > And then access them from inside the Shiro application like this:
> > >
> > > AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
> > > Map attributes = principal.getAttributes();
> > >
> > > But we get an error saying we cannot cast Request to AttributePrincipal. I
> > > guess I am missing something here, too.
> > >
> > > Any help is greatly appreciated.
> > >
> > > --
> > > Eduardo J. Ortega
> > > Tel: 57+1+2553580
> > > Cel: 57+317+4415156
> > > Zürich
> > > CL 72 5 83 Piso 11, Bogotá, CO.
--
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-Single-Sign-Out-and-LDAP-attribute-retrieval-tp7579510p7579518.html
Sent from the Shiro User mailing list archive at Nabble.com.
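As an added example (not code from this thread or from the Shiro project): reading the CAS attributes from the Shiro subject's principal collection, which is where CasRealm puts them, instead of casting request.getUserPrincipal() to AttributePrincipal as in the original question. It assumes a realm named casRealm in shiro.ini and the principal attribute name Name taken from Eduardo's resultAttributeMapping; the SAML setting is the one Jérôme describes.

```java
// Assumed shiro.ini (realm name is an assumption; without SAML validation the
// attribute map CasRealm receives is empty, as the thread explains):
//   [main]
//   casRealm = org.apache.shiro.cas.CasRealm
//   casRealm.casServerUrlPrefix = https://cas.example.com/cas
//   casRealm.casService = http://myhost/myapp/shiro-cas
//   casRealm.validationProtocol = SAML
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public final class CasAttributes {

    private CasAttributes() {}

    /**
     * Returns the attributes CAS pushed for the current user, or an empty map.
     * request.getUserPrincipal() is only an AttributePrincipal when the CAS
     * client's own filters wrap the request; with Shiro's CasFilter/CasRealm
     * the data lives in the Shiro Subject instead.
     */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> currentUserAttributes() {
        Subject subject = SecurityUtils.getSubject();
        if (subject == null || !subject.isAuthenticated()) {
            return Collections.emptyMap();
        }
        PrincipalCollection principals = subject.getPrincipals();
        if (principals == null) {
            return Collections.emptyMap();
        }
        // CasRealm (Shiro 1.2.x, see the CasRealm.java link above) builds the
        // principal collection as [userId, attributesMap]; the second entry is
        // the attribute map, so guard its presence and type before casting.
        List<?> all = principals.asList();
        if (all.size() < 2 || !(all.get(1) instanceof Map)) {
            return Collections.emptyMap();
        }
        return (Map<String, Object>) all.get(1);
    }

    /** Example lookup: "Name" is the principal-side key from the LDAP mapping. */
    public static String displayName() {
        Object value = currentUserAttributes().get("Name");
        return value == null ? null : value.toString();
    }
}
```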
