I'm getting conflicting stories on how attributes appear in the CAS response after a successful login. What is the official way attributes are to be presented to the service in a CAS 3 response? DTD or XML schema available?
See http://www.ja-sig.org/issues/browse/CAS-655
It's helpful to me.

Regards,
Shi Yusen/Beijing Langhua Ltd.

On Tue, 2009-03-10 at 16:50 -0500, Aaron Shettleroe wrote:
> I'm getting conflicting stories on how attributes appear in the CAS response after a successful login. What is the official way attributes are to be presented to the service in a CAS 3 response? DTD or XML schema available?
> I'm getting conflicting stories on how attributes appear in the CAS response after a successful login.
I can see why this would be confusing. I ran across the Jira issue that Shi mentioned, and mistakenly thought that the CAS XML protocol had been extended to support attributes. This is not the case. Code review shows the CAS protocol is unchanged; attributes are _not_ transmitted in the service ticket validation response in the CAS 2 protocol (/serviceValidate). See for yourself: http://developer.jasig.org/source/browse/jasigsvn/cas3/tags/cas-3-3-1-final/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp?r=42553

The Jira issue provides a roadmap to _extend_ the CAS 2 protocol to support attribute release. It would be up to you to do this.

CAS does support attribute release out of the box. For a while (since 3.3.0?), CAS has supported the SAML 1.1 protocol, which contains <AttributeStatement> elements containing the attributes you configure to release. Example SAML 1.1 payloads containing attributes can be found at http://www.middleware.vt.edu/doku.php?id=middleware:cas:client#sample_saml_responses.

Hope that clears things up.

M
I already made a request for a standard, as there isn't a standard defined to obtain user attributes from the CAS ticket. The CAS ticket gives only the identifier of the user by default... If you want to provide attributes in the ticket you need to modify casServiceValidationSuccess.jsp.

On our side we use your 3rd option:

  <cas:attribute name="attr.key" value="attr.value"/>

We also modified phpCAS for this kind of ticket...

But another solution, to avoid problems with the non-standard format, is to use samlValidate if you can...

Normally, if I'm not wrong, the next CAS version (CAS v4) should integrate SAML 2.0, so this will solve the problem. But we will need to modify applications to be able to read SAML...

- Julien.

Aaron Shettleroe wrote:
> According to the link you provided attributes appear like:
> ...
> <cas:attributes>
>   <cas:attribute>
>     <cas:name>${fn:escapeXml(attr.key)}</cas:name>
>     <cas:value>${fn:escapeXml(attr.value)}</cas:value>
>   </cas:attribute>
> </cas:attributes>
> ...
>
> However, that is not how the Java JA-SIG CAS 3.1.3 client parses them. It expects them in the form of:
> <cas:attributes>
>   <cas:{attr.key}>attr.value</cas:{attr.key}>
> </cas:attributes>
>
> I've also seen:
> <cas:attribute name="attr.key" value="attr.value"/>
>
> Is there even a standard? According to the link CAS doesn't provide putting the attributes in the response found in casServiceValidationSuccess.jsp. What gives?
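The three attribute layouts Aaron lists in the quoted message (the JSP's nested name/value elements, the one-element-per-attribute form the Java client expects, and the name="..." value="..." form Julien uses), together with the SAML 1.1 <AttributeStatement> route from the earlier reply, as one added example. This is not code from the CAS project, phpCAS, or anyone in this thread: a Python client-side parser that accepts all three CAS 2 layouts, refuses to return a user when the response carries an authenticationFailure, and reads the attributes out of a samlValidate assertion. The sample responses are constructed here, and the AttributeNamespace value in the SAML sample is a placeholder, not what a CAS server emits.

```python
# Added example: parse attribute release from CAS validation responses.
# Not code from the CAS project, phpCAS, or anyone in this thread; the
# sample responses at the bottom are constructed for illustration.
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"                # namespace of <cas:...> elements
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertion namespace


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _add(attrs, name, value):
    """Collect values per attribute; multi-valued attributes (groups) are common."""
    attrs.setdefault(name, []).append(value)


def parse_cas2_response(xml_text):
    """Return (user, attributes) from a CAS 2.0 /serviceValidate response.

    Accepts the three layouts discussed in the thread:
      A) <cas:attribute name="k" value="v"/>
      B) <cas:attribute><cas:name>k</cas:name><cas:value>v</cas:value></cas:attribute>
      C) <cas:k>v</cas:k>
    Raises ValueError on authenticationFailure or a malformed document, so a
    failed validation can never be mistaken for a logged-in user. xml.etree does
    not resolve external entities; prefer defusedxml for untrusted input if available.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError("not a cas:serviceResponse document")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise ValueError(f"validation failed [{failure.get('code')}]: {(failure.text or '').strip()}")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user_el = success.find(f"{{{CAS_NS}}}user")
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("authenticationSuccess without a cas:user")
    attrs = {}
    attrs_el = success.find(f"{{{CAS_NS}}}attributes")
    for child in (attrs_el if attrs_el is not None else []):
        if _local(child.tag) != "attribute":                      # layout C
            _add(attrs, _local(child.tag), (child.text or "").strip())
        elif child.get("name") is not None:                       # layout A
            _add(attrs, child.get("name"), child.get("value", ""))
        else:                                                     # layout B
            name_el = child.find(f"{{{CAS_NS}}}name")
            value_el = child.find(f"{{{CAS_NS}}}value")
            if name_el is not None and (name_el.text or "").strip():
                value = value_el.text if value_el is not None and value_el.text else ""
                _add(attrs, name_el.text.strip(), value.strip())
    return user_el.text.strip(), attrs


def validation_error(xml_text):
    """Return the rejection reason for a CAS 2 response, or None if it validates."""
    try:
        parse_cas2_response(xml_text)
        return None
    except ValueError as exc:
        return str(exc)


def parse_saml11_attributes(xml_text):
    """Return (subject, attributes) from a /samlValidate SOAP response.

    Walks the whole envelope for the NameIdentifier and every saml:Attribute.
    Signature checking is out of scope here: a CAS client trusts the response
    because it fetched it itself from the CAS server over TLS.
    """
    root = ET.fromstring(xml_text)
    subject_el = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    subject = (subject_el.text or "").strip() if subject_el is not None else None
    attrs = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        for val in attr.findall(f"{{{SAML1_NS}}}AttributeValue"):
            _add(attrs, attr.get("AttributeName"), (val.text or "").strip())
    return subject, attrs


# Constructed samples (not captured from a real server); AttributeNamespace is a placeholder.
_HEAD = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess><cas:user>jdoe</cas:user><cas:attributes>'
_TAIL = '</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>'
CAS2_NAME_VALUE = _HEAD + '<cas:attribute name="givenName" value="Jane"/><cas:attribute name="mail" value="jdoe@example.edu"/>' + _TAIL
CAS2_NESTED = _HEAD + ('<cas:attribute><cas:name>memberOf</cas:name><cas:value>staff</cas:value></cas:attribute>'
                       '<cas:attribute><cas:name>memberOf</cas:name><cas:value>library</cas:value></cas:attribute>') + _TAIL
CAS2_TAG_PER_ATTR = _HEAD + '<cas:givenName>Jane</cas:givenName><cas:mail>jdoe@example.edu</cas:mail>' + _TAIL
CAS2_FAILURE = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                '<cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>'
                '</cas:serviceResponse>')
SAML11_RESPONSE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol">'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"><AttributeStatement>'
    '<Subject><NameIdentifier>jdoe</NameIdentifier></Subject>'
    '<Attribute AttributeName="mail" AttributeNamespace="urn:example:placeholder"><AttributeValue>jdoe@example.edu</AttributeValue></Attribute>'
    '<Attribute AttributeName="memberOf" AttributeNamespace="urn:example:placeholder">'
    '<AttributeValue>staff</AttributeValue><AttributeValue>library</AttributeValue></Attribute>'
    '</AttributeStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>')

if __name__ == "__main__":
    for sample in (CAS2_NAME_VALUE, CAS2_NESTED, CAS2_TAG_PER_ATTR):
        print(parse_cas2_response(sample))
    print("rejected:", validation_error(CAS2_FAILURE))
    print(parse_saml11_attributes(SAML11_RESPONSE))
```

The parser deliberately checks for authenticationFailure before looking for a user, and treats a success element without a user as an error; a client that only looks for `<cas:user>` and defaults to "anonymous" on a miss is the classic way ticket validation goes wrong. Attribute values are kept as lists because a response can legitimately repeat an attribute name (group membership in the nested sample).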
Thank you all for this helpful thread. I am trying to set up CAS in a similar way so that we can return basic user attributes (such as display name, email, etc) in the validation-success response. The documentation on how one might do this is sparse, to say the least.
Julien, Would you be able to provide the jsp and phpCAS changes you made to set up your system or a link to more info if you have already posted them? Thanks for your help, - Adam
On Wed, Mar 11, 2009 at 9:42 AM, Julien Gribonvald <[hidden email]> wrote:
> I already made a request for a standard as there isn't standard defined to obtain users attributes on the cas ticket.
Better that I provide you all our custom files. But nothing here is official, it's only our customizations... One thing about phpCAS: it's an unofficial library, and must only be used while waiting for SAML support in phpCAS. To obtain the attribute you should make a request after authentication with the method phpCAS::getAttribute('givenName'); to obtain the attribute givenName. I attach an example of use (index.php), but it's only an example...

Also a warning about charset: we use UTF-8, so the CAS web.xml contains a special filter for UTF-8 encoding, and likewise in phpCAS we do some utf_encode and utf_decode...

For CAS we use the CAS toolbox 3.3.1 from ESUP, so if you use the same packaging, you only have to put our custom directory into the toolbox's custom directory.

Hope this will help.

Thanks
- Julien

<?php
//
// phpCAS proxy client
//

// import phpCAS lib
include_once('./CAS/CAS.php');

// enable phpCAS debug logging
phpCAS::setDebug('logCAS.log');

// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, 'cas.host.1', 443, 'cas_url_complement');

// set the language to French
phpCAS::setLang(PHPCAS_LANG_FRENCH);

// no SSL validation for the CAS server (test setup only)
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

// for this test, simply print that the authentication was successful.
// Values coming from the CAS response are HTML-escaped before being echoed.
?>
<html>
  <head>
    <title>phpCAS simple client</title>
  </head>
  <body>
    <h1>Successful Authentication!</h1>
    <p><a href="?logout=">Logout</a></p>
    <p>the user's login is <b><?php echo htmlspecialchars(phpCAS::getUser()); ?></b>.</p>
    <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
    <p>attribute givenName is <b><?php echo htmlspecialchars(phpCAS::getAttribute('givenName')); ?></b>.</p>
  </body>
</html>
Well, I'm not sure what happened, but after rebuilding CAS several more times we are now successfully getting multiple attributes returned. Thanks for your help, Julien!
Adam

--
Adam Franco
Middlebury College

On Wed, Mar 11, 2009 at 4:55 PM, Adam Franco <[hidden email]> wrote:
> Thank you for your help Julien.