I am trying to configure a JASIG CAS 3.5 server to release attributes via SAML 1.1 as described here. Unfortunately, nothing I do seems to make it release them to my test application.
I started by using the StubPersonAttributeDao that appears in the default configuration (DeployerConfigContext.xml). My later attempts to set up a JDBC version did not produce any better results.
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
        <map>
            <entry key="uid" value="uid" />
            <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
            <entry key="groupMembership" value="groupMembership" />
        </map>
    </property>
</bean>
I made sure that my test application was authorized to use CAS and that the attributes were allowed to it.
<bean
    id="serviceRegistryDao"
    class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
        <list>
            <!-- MIS Developers -->
            <bean class="org.jasig.cas.services.RegexRegisteredService">
                <property name="id" value="6" />
                <property name="name" value="Grails run-app" />
                <property name="description" value="JCC Developers can use this from any PC within the jccadmin domain." />
                <property name="serviceId" value="http://.*.my.domain:8080/.*" />
                <property name="evaluationOrder" value="6" />
                <property name="allowedAttributes">
                    <list>
                        <value>uid</value>
                        <value>eduPersonAffiliation</value>
                        <value>groupMembership</value>
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>
The attributes are highlighted when you look at them in the CAS services application.
In order to learn whether my attributes were actually working, I created a CAS testing application by using Gradle and the Jetty plugin to give flesh to the sample code on the JASIG website. My application authenticates to the server and then makes a SAML 1.1 request to get the attributes.
I have verified that it is making the correct SAML request.
https://my.test.server/cas/samlValidate?TARGET=http%3A%2F%2Fmy.local.machine%3A8080%2Fcas_tester%2F
It receives the following response from my CAS server.
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
        <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  IssueInstant="2017-02-01T14:40:35.328Z"
                  MajorVersion="1"
                  MinorVersion="1"
                  Recipient="http://my.local.machine:8080/cas_tester/"
                  ResponseID="_a0df351b1081dafe599829f406be79f5">
            <Status>
                <StatusCode Value="samlp:Success">
                </StatusCode>
            </Status>
            <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                       AssertionID="_988118abbd06485ab7f1eb684639ce38"
                       IssueInstant="2017-02-01T14:40:35.328Z"
                       Issuer="localhost"
                       MajorVersion="1"
                       MinorVersion="1">
                <Conditions NotBefore="2017-02-01T14:40:35.328Z"
                            NotOnOrAfter="2017-02-01T14:41:05.328Z">
                    <AudienceRestrictionCondition>
                        <Audience>http://my.local.machine:8080/cas_tester/</Audience>
                    </AudienceRestrictionCondition>
                </Conditions>
                <AuthenticationStatement AuthenticationInstant="2017-02-01T14:40:34.312Z"
                                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
                    <Subject>
                        <NameIdentifier>coleew01</NameIdentifier>
                        <SubjectConfirmation>
                            <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>
                        </SubjectConfirmation>
                    </Subject>
                </AuthenticationStatement>
            </Assertion>
        </Response>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
No matter what I do, it doesn't show any attributes in the response. What am I doing wrong?
Thanks for any help you can give me.
It turns out that the problem was far away from the attribute configuration. In my credentialsToPrincipalResolvers bean, there was no reference to the attribute resolver.
<property name="credentialsToPrincipalResolvers">
    <list>
        <!--
         | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
         | by default and produces SimplePrincipal instances conveying the username from the credentials.
         |
         | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
         | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
         | Credentials you are using.
         +-->
        <bean
            class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
        <!--
         | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
         | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
         | SimpleService identified by that callback URL.
         |
         | If you are representing services by something more or other than an HTTPS URL whereat they are able to
         | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
         +-->
        <bean
            class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
    </list>
</property>
I put a reference to the attributeRepository into the bean for the UsernamePasswordCredentialsToPrincipalResolver.
<bean
    class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
    <property name="attributeRepository">
        <ref bean="attributeRepository"/>
    </property>
</bean>
And then my attributes came through. Deo gratias!
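As an added example (not part of the question or the answer above, and not code from the CAS project), here is what the test application's side of the exchange could look like: it builds the SOAP body that is POSTed to /cas/samlValidate?TARGET=... with the service ticket wrapped in a SAML 1.1 AssertionArtifact, and it checks the response the way a relying party should before trusting it: status, validity window, audience, and subject, and only then reads the AttributeStatement. The two sample responses are constructed for this example; the first mirrors the attribute-less response in the question, the second shows the layout the AttributeStatement takes once the resolver is wired to attributeRepository (attribute values invented). The element names and namespaces are those of SAML 1.1 as seen in the response above; the validity-window check uses a caller-supplied clock so the 2017 timestamps can be tested.

```python
# Added example: client-side view of a CAS 3.5 /samlValidate exchange.
# Sample documents below are constructed for this example, not captured output.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def build_saml_validate_request(ticket: str, issue_instant: datetime) -> str:
    """SOAP body the client POSTs to /cas/samlValidate?TARGET=<service>.
    CAS expects the service ticket inside a SAML 1.1 AssertionArtifact."""
    instant = issue_instant.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Header/>'
        f'<SOAP-ENV:Body><samlp:Request xmlns:samlp="{SAMLP_NS}" MajorVersion="1" '
        f'MinorVersion="1" RequestID="_{uuid.uuid4().hex}" IssueInstant="{instant}">'
        f"<samlp:AssertionArtifact>{escape(ticket)}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def _instant(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text: str, expected_audience: str, now: datetime) -> dict:
    """Validate status, validity window and audience, then return the subject and
    the released attributes (empty dict when CAS released none, the symptom in
    the question). Raises ValueError when the response must not be trusted."""
    root = ET.fromstring(xml_text)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{SAMLP_NS}}}Response")
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    code = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    value = code.get("Value", "") if code is not None else ""
    if value.split(":")[-1] != "Success":  # Value is a QName; compare the local part
        raise ValueError(f"ticket validation failed: {value or 'no status'}")
    assertion = resp.find(f"{{{SAML_NS}}}Assertion")
    cond = assertion.find(f"{{{SAML_NS}}}Conditions") if assertion is not None else None
    if cond is None:
        raise ValueError("success status without an assertion carrying Conditions")
    if not (_instant(cond.get("NotBefore")) <= now < _instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    name_id = assertion.find(f"{{{SAML_NS}}}AuthenticationStatement/"
                             f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    if name_id is None or not name_id.text:
        raise ValueError("no NameIdentifier in AuthenticationStatement")
    attributes = {}
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):  # inside AttributeStatement
        values = [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attributes[attr.get("AttributeName")] = values
    return {"user": name_id.text, "attributes": attributes}


def is_accepted(xml_text: str, expected_audience: str, now: datetime) -> bool:
    try:
        check_saml_response(xml_text, expected_audience, now)
        return True
    except ValueError:
        return False


# Constructed samples (timestamps and subject follow the response in the question).
_ENV = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        '<SOAP-ENV:Header/><SOAP-ENV:Body>{body}</SOAP-ENV:Body></SOAP-ENV:Envelope>')
_RESPONSE = (
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" '
    'IssueInstant="2017-02-01T14:40:35.328Z" ResponseID="_r1">'
    '<Status><StatusCode Value="samlp:Success"/></Status>'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1" Issuer="localhost" '
    'IssueInstant="2017-02-01T14:40:35.328Z" MajorVersion="1" MinorVersion="1">'
    '<Conditions NotBefore="2017-02-01T14:40:35.328Z" NotOnOrAfter="2017-02-01T14:41:05.328Z">'
    '<AudienceRestrictionCondition><Audience>http://my.local.machine:8080/cas_tester/</Audience>'
    '</AudienceRestrictionCondition></Conditions>'
    '<AuthenticationStatement AuthenticationInstant="2017-02-01T14:40:34.312Z" '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">'
    '<Subject><NameIdentifier>coleew01</NameIdentifier></Subject></AuthenticationStatement>'
    '{attrs}</Assertion></Response>')
NO_ATTRIBUTES = _ENV.format(body=_RESPONSE.format(attrs=""))
WITH_ATTRIBUTES = _ENV.format(body=_RESPONSE.format(attrs=(
    '<AttributeStatement><Subject><NameIdentifier>coleew01</NameIdentifier></Subject>'
    '<Attribute AttributeName="uid"><AttributeValue>uid</AttributeValue></Attribute>'
    '<Attribute AttributeName="groupMembership"><AttributeValue>dev</AttributeValue>'
    '<AttributeValue>mis</AttributeValue></Attribute></AttributeStatement>')))
AUDIENCE = "http://my.local.machine:8080/cas_tester/"
NOW = datetime(2017, 2, 1, 14, 40, 40, tzinfo=timezone.utc)   # inside the window
EXPIRED = NOW + timedelta(minutes=5)                           # past NotOnOrAfter

if __name__ == "__main__":
    print(build_saml_validate_request("ST-1-example", NOW))
    print(check_saml_response(NO_ATTRIBUTES, AUDIENCE, NOW))
    print(check_saml_response(WITH_ATTRIBUTES, AUDIENCE, NOW))
```

The check deliberately refuses an assertion whose Audience does not match the TARGET the client sent and one presented outside its 30-second NotBefore/NotOnOrAfter window, so a response replayed against a different service or after the window is rejected rather than silently yielding an empty attribute set, which is the same symptom the question describes for a misconfigured resolver. Note that the CAS samlValidate response is not signed, so transport security (TLS to the CAS server) is what protects its integrity.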