Marcel,
I have not implemented the surrogate feature so my understanding may be off,
but I think what gets sent to the service is all about the surrogate. Since the
surrogate is not authenticating, it has no access to authentication attributes.
Additional attributes can be extracted from ldap (after authentication), these
I hope would be for the surrogate ({user}, below). Image the scenario where the
surrogates were in a different ou than authenticating user.
I had intended to include this in my last email (sorry if it caused confusion):
cas.authn.attributeRepository.ldap[0].id=people
cas.authn.attributeRepository.ldap[0].order=1
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.sn=sn
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldaplocal.uvic.ca:636
cas.authn.attributeRepository.ldap[0].connectTimeout=PT3S
cas.authn.attributeRepository.ldap[0].baseDn=ou=people,dc=uvic,dc=ca
cas.authn.attributeRepository.ldap[0].subtreeSearch=true
cas.authn.attributeRepository.ldap[0].searchFilter=uid={user}
cas.authn.attributeRepository.ldap[0]..bindDn=cn=Auth
Manager,ou=administrators,dc=uvic,dc=ca
cas.authn.attributeRepository.ldap[0].bindCredential=
Ray
On Fri, 2020-11-27 at 00:17 -0800, Marcel Fromkorth wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information.
Hello,
well, maybe you didnt get me right. I want to resolve the attributes on
authentication over ldap. This works fine for a normal authentication, but if
I want to make an surrogate authentication like "surrogateUser+primaryUser",
the primary user principal has all ldap attributes and the surrogate user
principal has none. So I want that the surrogate user principal has also the
ldap attributes form the surrogate user. So there is only one data source(LDAP
for primary and surrogate user). For this I found:
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution
but i tried something around with this configuration options. No success so
far.
So the ldap attributes shouldnt get into the principal after the
authentication. They should be while authentication. I think that i need to
configure the principal resolution right.. but i dont know how. On the site i
found this subtext: "Principal resolution and Person Directory settings for
this feature are available
here<https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#person-directory-principal-resolution>
under the configuration key cas.authn.surrogate.principal." which redirects
you to the link above.
Ray Bon schrieb am Donnerstag, 26. November 2020 um 18:00:28 UTC+1:
Marcel,
principalAttributeList is for resolving attributes on authentication. If you
want to retrieve attributes after the fact or perhaps from a different data
source,
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-attributes
Ray
On Thu, 2020-11-26 at 07:06 -0800, Marcel Fromkorth wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information.
Hello,
I'm trying to configure the surrogate authentication support over ldap
authentication.
All this happens on CAS Version 6.2.5.
The problem is, that the surrogate user principal has no attributes, which
should be mapped from ldap. I want, that the surrogateUser principal will get
his ldap attributes. For the primary user it works fine.
I only got: Surrogate access is denied. The principal does not have the
required attributes [{attributes=[testAttribute]}] -> which are defined in the
service at "surrogateRequiredAttributes".
In the Debug logs i could see this:
<Found surrogate principal [SimplePrincipal(id=testuser, attributes={})]>
Some logs earlier i can see, that the ldap user for surrogate is found
sucessfully and all needed attributes exists. -> so i think, that something
with the principal resolution doesnt work.
here an snippet of my cas.properties:
cas.authn.surrogate.ldap.searchFilter=uid:caseExactMatch:={user}
cas.authn.surrogate.ldap.surrogateSearchFilter=uid:caseExactMatch:={surrogate}
cas.authn.surrogate.principal.attribute-resolution-enabled=true
cas.authn.surrogate.principal.principal-attribute=attributes
I switched the accessStrategy in my services to
SurrogateRegisteredServiceAccessStrategy.
So.. i dont know, why the attributes of the surrogate user wont mapped into the
surrogate user principal. For the primary user it works fine(by the primary
user I used cas.authn.ldap[0].principalAttributeList=attributes --> works
fine).
But in the documentation, it seems that there only exists the attribute
"principal-attribute" for this type of setting.
Can someone help me here?
Greetings and thank you.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831<tel:(250)%20721-8831> | CLE 019 | rb...@uvic.ca
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca>
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/19c3b403f361da6b07d523a16668a378a9844a0b.camel%40uvic.ca.
