CAS attributes and how they appear in the CAS response


CAS attributes and how they appear in the CAS response

Aaron Shettleroe
I'm getting conflicting stories on how attributes appear in the CAS response after a successful login.  What is the official way attributes are to be presented to the service in a CAS 3 response?  DTD or XML schema available?
--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: CAS attributes and how they appear in the CAS response

Shi Yusen
See http://www.ja-sig.org/issues/browse/CAS-655

It's helpful to me.

Regards,

Shi Yusen/Beijing Langhua Ltd.

On Tue, 2009-03-10 at 16:50 -0500, Aaron Shettleroe wrote:
> I'm getting conflicting stories on how attributes appear in the CAS response after a successful login.  What is the official way attributes are to be presented to the service in a CAS 3 response?  DTD or XML schema available?



Re: CAS attributes and how they appear in the CAS response

Marvin Addison
> I'm getting conflicting stories on how attributes appear in the CAS response after a successful login.

I can see why this would be confusing.  I ran across the Jira issue
that Shi mentioned, and mistakenly thought that the CAS XML protocol
had been extended to support attributes.  This is not the case.  Code
review shows the CAS protocol is unchanged; attributes are _not_
transmitted in the service ticket validation response in the CAS 2
protocol (/serviceValidate).  See for yourself,
http://developer.jasig.org/source/browse/jasigsvn/cas3/tags/cas-3-3-1-final/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp?r=42553.
 The Jira issue provides a roadmap to _extend_ the CAS 2 protocol to
support attribute release.  It would be up to you to do this.

CAS does support attribute release out of the box.  For a while (since
3.3.0?), CAS has supported the SAML 1.1 protocol, which contains
<AttributeStatement> elements containing the attributes you configure
to release.  Example SAML 1.1 payloads containing attributes can be
found at http://www.middleware.vt.edu/doku.php?id=middleware:cas:client#sample_saml_responses.

Hope that clears things up.
M

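Marvin's point above is that in stock CAS 3.3 the attributes are released through the SAML 1.1 /samlValidate endpoint, inside an <AttributeStatement>, and not through /serviceValidate. The following is an added example, not code from this thread or from the CAS project, of what a service should do with such a response before trusting its contents: check the status, check that the assertion was issued for this service (audience), check the validity window, then read the subject and every released attribute, multi-valued ones included. The SOAP/SAML payload, the service URL https://app.example.edu/, the attribute namespace and the user and attribute values are all constructed for the demonstration.

```python
"""Check and read a CAS /samlValidate response (SAML 1.1 protocol).

Added example, not code from the thread or from the CAS project.  The
SOAP/SAML payload, service URL and attribute values below are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
P = f"{{{SAMLP}}}"  # ElementTree's "{namespace}" tag prefixes
S = f"{{{SAML}}}"

# Constructed sample: one single-valued and one multi-valued attribute.
SAMPLE_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}">
  <SOAP-ENV:Body>
    <Response xmlns="{SAMLP}" xmlns:samlp="{SAMLP}" ResponseID="_r1"
              MajorVersion="1" MinorVersion="1" IssueInstant="2009-03-11T20:53:42Z">
      <Status><StatusCode Value="samlp:Success"/></Status>
      <Assertion xmlns="{SAML}" AssertionID="_a1" Issuer="cas.example.edu"
                 MajorVersion="1" MinorVersion="1" IssueInstant="2009-03-11T20:53:42Z">
        <Conditions NotBefore="2009-03-11T20:53:42Z" NotOnOrAfter="2009-03-11T20:54:42Z">
          <AudienceRestrictionCondition>
            <Audience>https://app.example.edu/</Audience>
          </AudienceRestrictionCondition>
        </Conditions>
        <AuthenticationStatement AuthenticationInstant="2009-03-11T20:53:42Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <Subject><NameIdentifier>afranco</NameIdentifier></Subject>
        </AuthenticationStatement>
        <AttributeStatement>
          <Subject><NameIdentifier>afranco</NameIdentifier></Subject>
          <Attribute AttributeName="mail" AttributeNamespace="urn:example:cas:attributes">
            <AttributeValue>afranco@example.edu</AttributeValue>
          </Attribute>
          <Attribute AttributeName="memberOf" AttributeNamespace="urn:example:cas:attributes">
            <AttributeValue>staff</AttributeValue>
            <AttributeValue>library</AttributeValue>
          </Attribute>
        </AttributeStatement>
      </Assertion>
    </Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

# Fixed clock inside the sample's validity window, for the stand-alone run.
SAMPLE_NOW = datetime(2009, 3, 11, 20, 53, 50, tzinfo=timezone.utc)


def _instant(value):
    """Parse a SAML 1.1 UTC instant such as 2009-03-11T20:53:42Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_saml_validate(xml_text, expected_audience, now):
    """Return (user, {attribute name: [values]}) or raise ValueError.

    `now` is passed in so the validity window can be checked against a fixed
    clock; production code passes datetime.now(timezone.utc)."""
    root = ET.fromstring(xml_text)

    status = root.find(".//" + P + "StatusCode")
    if status is None or not status.get("Value", "").endswith("Success"):
        raise ValueError("samlValidate did not report success")

    assertion = root.find(".//" + S + "Assertion")
    if assertion is None:
        raise ValueError("response carries no assertion")

    # Audience restriction: the assertion must be meant for this service.
    audiences = {(a.text or "").strip() for a in assertion.iter(S + "Audience")}
    if expected_audience not in audiences:
        raise ValueError(f"assertion not issued for {expected_audience}")

    # Validity window from the Conditions element.
    cond = assertion.find(S + "Conditions")
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _instant(not_before):
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= _instant(not_on_or_after):
            raise ValueError("assertion has expired")

    # The authenticated subject comes from the AuthenticationStatement.
    name_id = assertion.find(S + "AuthenticationStatement/" + S + "Subject/" + S + "NameIdentifier")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no authenticated subject")

    # Collect every Attribute; repeated AttributeValue children stay multi-valued.
    attrs = {}
    for attr in assertion.iter(S + "Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(S + "AttributeValue")]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return name_id.text.strip(), attrs


def rejection_reason(xml_text, expected_audience, now):
    """The ValueError message for a rejected response, or None when accepted."""
    try:
        parse_saml_validate(xml_text, expected_audience, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_saml_validate(SAMPLE_RESPONSE, "https://app.example.edu/", SAMPLE_NOW))
```

The audience and validity checks are the part most client libraries of that era skipped; without them an assertion issued for one service can be replayed against another, so the service's own URL, not just the ticket, has to be part of what is verified.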

Re: CAS attributes and how they appear in the CAS response

Julien Gribonvald
I already made a request for a standard, as there isn't a standard defined
to obtain users' attributes on the CAS ticket.

The CAS ticket gives only the identifier of the user by default... If
you want to provide attributes in the ticket you need to modify
casServiceValidationSuccess.jsp.

On our side we use your 3rd option:

<cas:attribute name="attr.key" value="attr.value"/>

We also modified phpCAS for this kind of ticket...

But another solution, to avoid problems with a non-standard format, is to use
samlValidate if you can...

Normally, if I'm not wrong, the next CAS version (CAS v4) should integrate SAML
2.0, so this will solve the problem. But we will need to modify
applications to be able to read SAML...

- Julien.


Aaron Shettleroe wrote:

> According to the link you provided attributes appear like:
> ...
> <cas:attributes>
>   <cas:attribute>
>     <cas:name>${fn:escapeXml(attr.key)}</cas:name>
>     <cas:value>${fn:escapeXml(attr.value)}</cas:value>
>   </cas:attribute>
> </cas:attributes>
> ...
>
> However, that is not how the Java JA-SIG CAS 3.1.3 client parses them.  It expects them in the form of:
> <cas:attributes>
>   <cas:{attr.key}>attr.value</cas:{attr.key}>
> </cas:attributes>
>
> I've also seen:
> <cas:attribute name="attr.key" value="attr.value"/>
>
> Is there even a standard?  According to the link CAS doesn't provide putting the attributes in the response found in casServiceValidationSuccess.jsp. What gives?
>  


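The three attribute shapes Aaron lists in the quoted message (a <cas:name>/<cas:value> pair inside <cas:attribute>, an element named after the attribute key, and name/value XML attributes on <cas:attribute>) are all site-specific extensions of the CAS 2 response, and a client that talks to more than one CAS deployment may meet any of them. As an added example, not code from this thread, from the JA-SIG Java client or from phpCAS, here is a Python parser that accepts all three, keeps repeated attributes as multi-valued lists instead of overwriting them, and refuses failure responses. The sample responses are constructed; the namespace URI http://www.yale.edu/tp/cas is the one in Adam's response later in the thread, and INVALID_TICKET is a standard CAS 2 failure code.

```python
"""Parse the attribute blocks seen in customised CAS 2 /serviceValidate responses.

Added example, not code from the thread, the JA-SIG Java client or phpCAS.
The sample responses below are constructed."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
CAS = f"{{{CAS_NS}}}"  # ElementTree's "{namespace}" tag prefix


def _local(tag):
    """Strip ElementTree's {namespace} prefix from a tag name."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def parse_service_validate(xml_text):
    """Return (user, {attribute: [values]}) or raise ValueError.

    All three shapes from the thread are accepted:
      1. <cas:attribute><cas:name>k</cas:name><cas:value>v</cas:value></cas:attribute>
      2. <cas:k>v</cas:k>
      3. <cas:attribute name="k" value="v"/>
    Values are kept in lists so repeated attributes are not silently overwritten."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find(CAS + "authenticationFailure")
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(CAS + "authenticationSuccess")
    if success is None:
        raise ValueError("response has neither success nor failure element")
    user = (success.findtext(CAS + "user") or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without cas:user")

    attrs = {}
    container = success.find(CAS + "attributes")
    for child in (container if container is not None else []):
        if _local(child.tag) == "attribute":
            # Shapes 1 and 3: XML attributes win, otherwise child elements.
            key = child.get("name") or child.findtext(CAS + "name")
            value = child.get("value")
            if value is None:
                value = child.findtext(CAS + "value")
            if not key:
                raise ValueError("cas:attribute with no name")
        else:
            # Shape 2: the element name is the attribute name.
            key, value = _local(child.tag), child.text
        attrs.setdefault(key, []).append((value or "").strip())
    return user, attrs


def failure_message(xml_text):
    """The ValueError text for a rejected response, or None when it parses."""
    try:
        parse_service_validate(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


def _wrap(attribute_xml):
    """Build a full (constructed) successful response around an attribute block."""
    return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
            "<cas:authenticationSuccess><cas:user>afranco</cas:user>"
            f"<cas:attributes>{attribute_xml}</cas:attributes>"
            "</cas:authenticationSuccess></cas:serviceResponse>")


SHAPE1 = _wrap("<cas:attribute><cas:name>givenName</cas:name><cas:value>Adam</cas:value></cas:attribute>"
               "<cas:attribute><cas:name>sn</cas:name><cas:value>Franco</cas:value></cas:attribute>"
               "<cas:attribute><cas:name>memberOf</cas:name><cas:value>staff</cas:value></cas:attribute>"
               "<cas:attribute><cas:name>memberOf</cas:name><cas:value>library</cas:value></cas:attribute>")
SHAPE2 = _wrap("<cas:givenName>Adam</cas:givenName><cas:sn>Franco</cas:sn>"
               "<cas:memberOf>staff</cas:memberOf><cas:memberOf>library</cas:memberOf>")
SHAPE3 = _wrap("<cas:attribute name='givenName' value='Adam'/><cas:attribute name='sn' value='Franco'/>"
               "<cas:attribute name='memberOf' value='staff'/><cas:attribute name='memberOf' value='library'/>")
FAILURE = (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
           "<cas:authenticationFailure code='INVALID_TICKET'>ticket ST-0-constructed not recognized"
           "</cas:authenticationFailure></cas:serviceResponse>")

# What every shape above should decode to.
EXPECTED = {"givenName": ["Adam"], "sn": ["Franco"], "memberOf": ["staff", "library"]}

if __name__ == "__main__":
    for sample in (SHAPE1, SHAPE2, SHAPE3):
        print(parse_service_validate(sample))
    print(failure_message(FAILURE))
```

Returning lists rather than a flat name-to-string map is deliberate: attributes such as group membership are multi-valued, and a client that keeps only the last value it sees produces exactly the "only one attribute arrives" symptom a naive map assignment gives.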

Re: CAS attributes and how they appear in the CAS response

Adam Franco
Thank you all for this helpful thread.  I am trying to set up CAS in a similar way so that we can return basic user attributes (such as display name, email, etc) in the validation-success response. The documentation on how one might do this is sparse, to say the least.

Julien,

Would you be able to provide the jsp and phpCAS changes you made to set up your system or a link to more info if you have already posted them?

Thanks for your help,

- Adam



On Wed, Mar 11, 2009 at 9:42 AM, Julien Gribonvald <[hidden email]> wrote:
> I already made a request for a standard, as there isn't a standard defined to obtain users' attributes on the CAS ticket.
>
> The CAS ticket gives only the identifier of the user by default... If you want to provide attributes in the ticket you need to modify casServiceValidationSuccess.jsp.
>
> On our side we use your 3rd option:
>
> <cas:attribute name="attr.key" value="attr.value"/>
>
> We also modified phpCAS for this kind of ticket...
>
> But another solution, to avoid problems with a non-standard format, is to use samlValidate if you can...
>
> Normally, if I'm not wrong, the next CAS version (CAS v4) should integrate SAML 2.0, so this will solve the problem. But we will need to modify applications to be able to read SAML...
>
> - Julien.
>
> Aaron Shettleroe wrote:
>
>> According to the link you provided attributes appear like:
>> ...
>> <cas:attributes>
>>   <cas:attribute>
>>     <cas:name>${fn:escapeXml(attr.key)}</cas:name>
>>     <cas:value>${fn:escapeXml(attr.value)}</cas:value>
>>   </cas:attribute>
>> </cas:attributes>
>> ...
>>
>> However, that is not how the Java JA-SIG CAS 3.1.3 client parses them.  It expects them in the form of:
>> <cas:attributes>
>>   <cas:{attr.key}>attr.value</cas:{attr.key}>
>> </cas:attributes>
>>
>> I've also seen:
>> <cas:attribute name="attr.key" value="attr.value"/>
>>
>> Is there even a standard?  According to the link CAS doesn't provide putting the attributes in the response found in casServiceValidationSuccess.jsp. What gives?



Re: CAS attributes and how they appear in the CAS response

Julien Gribonvald
It's better that I provide you all our custom files. But nothing here is
official, it's only our customisations...

One thing about phpCAS: it's an unofficial library, and must only be used
while waiting for SAML support in phpCAS. To obtain the attribute you should
make a request after authentication on the method
phpCAS::getAttribute('givenName'); to obtain the attribute givenName. I
attach an example of use (index.php), but it's only an example...

Also a warning about charset: we use UTF-8, so the CAS web.xml contains a
special filter for UTF-8 encoding, just as in phpCAS we do some
utf_encode and utf_decode...

For CAS we use the CAS toolbox 3.3.1 from ESUP, so if you use the same
packaging, you only have to put our custom directory into the custom
directory of the CAS toolbox.

Hope this will help.

Thanks

- Julien

Adam Franco wrote:

> Thank you all for this helpful thread.  I am trying to set up CAS in a
> similar way so that we can return basic user attributes (such as
> display name, email, etc) in the validation-success response. The
> documentation on how one might do this is sparse, to say the least.
>
> Julien,
>
> Would you be able to provide the jsp and phpCAS changes you made to
> set up your system or a link to more info if you have already posted them?
>
> Thanks for your help,
>
> - Adam
>
>
>
> On Wed, Mar 11, 2009 at 9:42 AM, Julien Gribonvald
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     I already made a request for a standard, as there isn't a standard
>     defined to obtain users' attributes on the CAS ticket.
>
>     The CAS ticket gives only the identifier of the user by default...
>     If you want to provide attributes in the ticket you need to modify
>     casServiceValidationSuccess.jsp.
>
>     On our side we use your 3rd option:
>
>
>     <cas:attribute name="attr.key" value="attr.value"/>
>
>     We also modified phpCAS for this kind of ticket...
>
>     But another solution, to avoid problems with a non-standard format,
>     is to use samlValidate if you can...
>
>     Normally, if I'm not wrong, the next CAS version (CAS v4) should
>     integrate SAML 2.0, so this will solve the problem. But we will
>     need to modify applications to be able to read SAML...
>
>     - Julien.
>
>
>     Aaron Shettleroe wrote:
>
>         According to the link you provided attributes appear like:
>         ...
>         <cas:attributes>
>          <cas:attribute>
>            <cas:name>${fn:escapeXml(attr.key)}</cas:name>
>            <cas:value>${fn:escapeXml(attr.value)}</cas:value>
>          </cas:attribute>
>         </cas:attributes>
>         ...
>
>         However, that is not how the Java JA-SIG CAS 3.1.3 client
>         parses them.  It expects them in the form of:
>         <cas:attributes>
>          <cas:{attr.key}>attr.value</cas:{attr.key}>
>         </cas:attributes>
>
>         I've also seen:
>         <cas:attribute name="attr.key" value="attr.value"/>
>
>         Is there even a standard?  According to the link CAS doesn't
>         provide putting the attributes in the response found in
>         casServiceValidationSuccess.jsp. What gives?
>          
>
>
>

index.php (Julien's attached example):

<?php

//
// phpCAS simple client (test page for the customised phpCAS)
//

// import the phpCAS library
include_once('./CAS/CAS.php');

// enable phpCAS logging
phpCAS::setDebug('logCAS.log');

// initialize phpCAS: CAS 2.0 protocol, server host, port and context path
phpCAS::client(CAS_VERSION_2_0, 'cas.host.1', 443, 'cas_url_complement');

// set the language to French
phpCAS::setLang(PHPCAS_LANG_FRENCH);

// skip SSL certificate validation of the CAS server (test setting: with it
// the client cannot verify which server answered the ticket validation)
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// logout if desired
if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}

// for this test, simply print that the authentication was successful;
// values coming from CAS are HTML-escaped before being echoed
?>
<html>
  <head>
    <title>phpCAS simple client</title>
  </head>
  <body>
    <h1>Successful Authentication!</h1>
    <p><a href="?logout=">Logout</a></p>
    <p>the user's login is <b><?php echo htmlspecialchars(phpCAS::getUser(), ENT_QUOTES, 'UTF-8'); ?></b>.</p>
    <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
    <!-- getAttribute() exists only in the customised phpCAS attached to this post -->
    <p>attribute givenName is <b><?php echo htmlspecialchars(phpCAS::getAttribute('givenName'), ENT_QUOTES, 'UTF-8'); ?></b>.</p>
  </body>
</html>

Attachments: ESCO-custom[cas-toolbox-3.3.1-1].zip (12K), ESCO-[phpCAS-1.0.1].zip (510K)

Re: CAS attributes and how they appear in the CAS response

Adam Franco
Well, I'm not sure what happened, but after rebuilding CAS several more times we are now successfully getting multiple attributes returned. Thanks for your help, Julien!

Adam

--

Adam Franco
Middlebury College

On Wed, Mar 11, 2009 at 4:55 PM, Adam Franco <[hidden email]> wrote:
Thank you for your help Julien.

We now have been able to get an attribute returning in the CAS response, but we are now stumped in that only a single attribute (the last one) is ever returned. I'm wondering if anyone on this list might be able to point us in the right direction to get multiple attributes returned.

We have a slightly different configuration than in the cas-toolkit as we have an Active Directory LDAP back-end, but otherwise our configuration is almost the same as yours. To simplify our debugging, we inserted the values directly into our deployerConfigContext.xml rather than use the separate configuration files. Below is our attributeRepository configuration:

    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN" value="CN=Users,DC=middlebury,DC=edu" />
        <!-- This query is used to find the entry for populating attributes.
             {0} will be replaced by the new Principal ID extracted from the LDAP -->
        <property name="query" value="(sAMAccountName={0})" />

        <property name="contextSource" ref="contextSource" />
        <property name="ldapAttributesToPortalAttributes">
            <map>
                <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
                <entry key="extensionAttribute12" value="extensionAttribute12" />
                <entry key="givenName" value="givenName" />
                <entry key="mail" value="EMail" />
                <entry key="sn" value="sn" />
            </map>
        </property>
    </bean>

When turning on DEBUG logging and authenticating, I get the log output indicating that values have been found for all of the attributes specified in the config:

       2009-03-11 16:53:42,503 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for [username: afranco]
       2009-03-11 16:53:42,516 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: afranco]
       2009-03-11 16:53:42,516 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Attempting to resolve a principal...
       2009-03-11 16:53:42,517 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
       2009-03-11 16:53:42,517 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [afranco]
       2009-03-11 16:53:42,517 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created seed map='{username=[afranco]}' for uid='afranco'
       2009-03-11 16:53:42,517 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Constructed argument array '[[afranco]]' from the defaultAttributeName='username'
       2009-03-11 16:53:42,522 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'mail' from byte[] to String
       2009-03-11 16:53:42,522 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[EMail]' for source attribute 'mail'
       2009-03-11 16:53:42,522 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'sn' from byte[] to String
       2009-03-11 16:53:42,522 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[sn]' for source attribute 'sn'
       2009-03-11 16:53:42,523 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'extensionAttribute12' from byte[] to String
       2009-03-11 16:53:42,523 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[extensionAttribute12]' for source attribute 'extensionAttribute12'
       2009-03-11 16:53:42,523 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'givenName' from byte[] to String
       2009-03-11 16:53:42,523 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[givenName]' for source attribute 'givenName'
       2009-03-11 16:53:42,523 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Resolved afranco. Trying LDAP resolve now...
       2009-03-11 16:53:42,523 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - LDAP search with filter "(sAMAccountName=afranco)"
       2009-03-11 16:53:42,523 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - returning searchcontrols: scope=2; search base=CN=Users,DC=middlebury,DC=edu; attributes=[sAMAccountName]; timeout=1000
       2009-03-11 16:53:42,527 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Resolved afranco to afranco
       2009-03-11 16:53:42,527 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Creating SimplePrincipal for [afranco]
       2009-03-11 16:53:42,527 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created seed map='{username=[afranco]}' for uid='afranco'
       2009-03-11 16:53:42,527 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Constructed argument array '[[afranco]]' from the defaultAttributeName='username'
       2009-03-11 16:53:42,531 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'mail' from byte[] to String
       2009-03-11 16:53:42,532 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[EMail]' for source attribute 'mail'
       2009-03-11 16:53:42,532 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'sn' from byte[] to String
       2009-03-11 16:53:42,532 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[sn]' for source attribute 'sn'
       2009-03-11 16:53:42,532 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'extensionAttribute12' from byte[] to String
       2009-03-11 16:53:42,532 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[extensionAttribute12]' for source attribute 'extensionAttribute12'
       2009-03-11 16:53:42,532 WARN [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Converting value 0 of LDAP attribute 'givenName' from byte[] to String
       2009-03-11 16:53:42,532 DEBUG [org.jasig.services.persondir.support.ldap.PersonAttributesMapper] - Added 1 attributes under mapped names '[givenName]' for source attribute 'givenName'
       2009-03-11 16:53:42,533 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [TGT-2-ZIW3OgYA3sAtIrAdSEGSwMq4R9moUkDGfcFQYR6JXJWFB2O0fk-cas] to registry.
       2009-03-11 16:53:42,535 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
       2009-03-11 16:53:42,535 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Added cookie with name [CASTGC] and value [TGT-2-ZIW3OgYA3sAtIrAdSEGSwMq4R9moUkDGfcFQYR6JXJWFB2O0fk-cas]
       2009-03-11 16:53:42,536 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-2-ZIW3OgYA3sAtIrAdSEGSwMq4R9moUkDGfcFQYR6JXJWFB2O0fk-cas]
       2009-03-11 16:53:42,536 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-2-ZIW3OgYA3sAtIrAdSEGSwMq4R9moUkDGfcFQYR6JXJWFB2O0fk-cas] found in registry.
       2009-03-11 16:53:42,538 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-2-RevXLBeywUmfNDbl7d7D-cas] to registry.
       2009-03-11 16:53:42,538 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-2-RevXLBeywUmfNDbl7d7D-cas] for service [http://termite.middlebury.edu/~afranco/CAS_Test/] for user [afranco]
       2009-03-11 16:53:42,557 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://termite.middlebury.edu/~afranco/CAS_Test/
       2009-03-11 16:53:42,559 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-2-RevXLBeywUmfNDbl7d7D-cas]
       2009-03-11 16:53:42,559 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-2-RevXLBeywUmfNDbl7d7D-cas] found in registry.
       2009-03-11 16:53:42,559 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-2-RevXLBeywUmfNDbl7d7D-cas] from registry

However, only the last of the attributes (in this case the sn) is printed out in the response:

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:authenticationSuccess>
            <cas:user>afranco</cas:user>
            <cas:attributes>
                <cas:attribute>
                    <cas:name>sn</cas:name>
                    <cas:value>Franco</cas:value>
                </cas:attribute>
            </cas:attributes>
        </cas:authenticationSuccess>
    </cas:serviceResponse>

Does anyone have any idea how I might debug this issue? For instance, where should the auth.principal.attributes property be initialized?

Thanks for your help!

Adam

--

Adam Franco
Middlebury College