Working on a SAML integration where the subject needs to be the user's 
email address, but despite the changes I've made it still releases the 
username as the subject. 

usernameAttributeProvider:
  {
    @class: 
org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
    usernameAttribute: userPrincipalName
  }
...
requiredNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

In cas.properties we are defining the attribute
cas.authn.attribute-repository.ldap[0].attributes.eduPersonPrincipalName=mail

I found it odd that the service manager reports userPrincipalName as the 
"username attribute" rather than mail, which is what the mapping points to.

Looking at the attribute release in the response XML I see that the subject 
NameID is still the username (even though its Format is emailAddress) and the 
mail attribute is populated separately in the AttributeStatement.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response 
    Destination="https://sitedown.conncoll.edu/" 
    ID="_972320461405286400" 
    InResponseTo="_07ccef8331e40d6e9c24c8a12ade2bd69884b1cbb6" 
    IssueInstant="2023-10-23T17:39:07.378Z" 
    Version="2.0" 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer 
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
        
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://casdev.conncoll.edu/idp
    </saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion 
        ID="_1333994532661421056" 
        IssueInstant="2023-10-23T17:39:07.305Z" 
        Version="2.0" 
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>https://casdev.conncoll.edu/idp</saml2:Issuer>
        <ds:Signature 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod 
                    
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference 
                    URI="#_1333994532661421056">
                    <ds:Transforms>
                        <ds:Transform 
                            
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform 
                            
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod 
                        
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>
                        gOBjXAhXqdT7adKVPNrxD43urSqJQgTtDjcj64Wa2NE=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            
<ds:SignatureValue>CIuSEDbZ97Yf8VnnA774OXFgGQ0Qw9+HcZX8SnOWWcMT+zb5CUEh3hsKkSlQYr4PeRsn1AxxwpGKdIl9HWLjeF97zPMglpguDiyACsUHNtYGbcmlCIX9WQ+lEUIbrdDwP9c8F632INvPF6ACI9DTDSbLrzA2xJT44X2z4EFAAxJJVK/5MFAyWCopZTiMHsGv6CZ7FKSSjBdYe+zacyL7ZmT1LbFfgV1HK6SL9L3ChRCS5bcQ9vui9pOJ9aiD6Hf6rcO6HZcMuQPMCqNlQilSVVverSypwXv8qFdGYuzy+qiByyc+
                xTjYR2NpBwECtttDMsZnfFfFxu91KusihOq2OA==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:KeyValue>
                    <ds:RSAKeyValue>
                        
<ds:Modulus>nsveLo/KHlchZAHX+dNks7YJSIhIK2xReT1+Vp0EgUYB71DW1tpx9jdEP21PeroK1wjoptbEuoqHetvl5i8/0L/zhVPQFu5jcqQUUnCUEa26wJdtZcpSUzHgudSZM/EHABEMQ+xEqC0Bdty8f9d7AuckWon88+EgyEiW7PYFkc7jDzPHiMBdVyRKVnwMDJIz2WVz3i2q55akpfy2UNMEkJlhm+GgOOKkHKW166gkvXi93duX5hE1lmSufqpQjta2Ev2Lw3BdPhnnCOXBym+rtNI5kl5A5B/opjm4djUY7hCYIBQfqUsykyoGDheAoW7HCYaffg4z+
                            Mu8TuwfjnDA0w==
                        </ds:Modulus>
                        <ds:Exponent>AQAB</ds:Exponent>
                    </ds:RSAKeyValue>
                </ds:KeyValue>
                <ds11:DEREncodedKeyValue 
                    
xmlns:ds11="http://www.w3.org/2009/xmldsig11#">MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnsveLo/KHlchZAHX+dNks7YJSIhIK2xR
eT1+Vp0EgUYB71DW1tpx9jdEP21PeroK1wjoptbEuoqHetvl5i8/0L/zhVPQFu5jcqQUUnCUEa26
wJdtZcpSUzHgudSZM/EHABEMQ+xEqC0Bdty8f9d7AuckWon88+EgyEiW7PYFkc7jDzPHiMBdVyRK
VnwMDJIz2WVz3i2q55akpfy2UNMEkJlhm+GgOOKkHKW166gkvXi93duX5hE1lmSufqpQjta2Ev2L
w3BdPhnnCOXBym+rtNI5kl5A5B/opjm4djUY7hCYIBQfqUsykyoGDheAoW7HCYaffg4z+Mu8Tuwf
jnDA0wIDAQAB
                </ds11:DEREncodedKeyValue>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID 
                
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" 
                NameQualifier="https://casdev.conncoll.edu/idp" 
                
SPNameQualifier="https://sitedown.conncoll.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/">atilling
            </saml2:NameID>
            <saml2:SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData 
                    Address="sitedown.conncoll.edu" 
                    
InResponseTo="_07ccef8331e40d6e9c24c8a12ade2bd69884b1cbb6" 
                    NotOnOrAfter="2023-10-23T17:39:07.306Z" 
                    Recipient="https://sitedown.conncoll.edu/"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions 
            NotBefore="2023-10-23T17:39:07.348Z" 
            NotOnOrAfter="2023-10-23T17:39:07.348Z">
            <saml2:AudienceRestriction>
                
<saml2:Audience>https://sitedown.conncoll.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement 
            AuthnInstant="2023-10-23T17:36:35.417Z" 
            SessionIndex="_1170437499088431104" 
            SessionNotOnOrAfter="2023-10-24T17:39:07.295Z">
            <saml2:SubjectLocality 
                Address="136.244.218.11"/>
            <saml2:AuthnContext>
                
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute 
                FriendlyName="UserName" 
                Name="UserName" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>atilling</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="mail" 
                Name="mail" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                
<saml2:AttributeValue>atill...@conncoll.edu</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="displayName" 
                Name="displayName" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Andrew P. 
Tillinghast</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="cn" 
                Name="cn" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Andrew P. 
Tillinghast</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="edupersonaffiliation" 
                Name="edupersonaffiliation" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>STAFF</saml2:AttributeValue>
                <saml2:AttributeValue>EMPLOYEE</saml2:AttributeValue>
                <saml2:AttributeValue>MEMBER</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="givenname" 
                Name="givenname" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Andrew</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="departmentNumber" 
                Name="departmentNumber" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Information Services/Enterprise 
Systems</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="memberof" 
                Name="memberof" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>
                    cn=EIS,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=staff,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=100000-901010-Information Services - Office of VP,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Knowbe4,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Knowbe4PII,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=DB_Users,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=CWUserEdit,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=AS2-083267125839-StataLocal,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=MAPS_LDAP,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=webadministrator,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=bbadm,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Forti-Two Factor,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=Druva_InSync_Clients,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=knowbe4staff,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=meraki-tech,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=WirelessSU,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
                <saml2:AttributeValue>
                    cn=CWADMIN,
                    ou=groups,
                    dc=conncoll,
                    dc=edu
                </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute 
                FriendlyName="sn" 
                Name="sn" 
                
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>Tillinghast</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>


Is there something I'm missing to get userPrincipalName (mapped to mail) released as the subject NameID?
