Manually editing the JSON to change it to mail worked. Any idea why the service manager is returning the wrong attribute names?
On Monday, October 23, 2023 at 3:21:21 PM UTC-4 Dmitriy Kopylenko wrote:
> Hi.
>
> Try this:
>
> usernameAttributeProvider:
> {
>   @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
>   usernameAttribute: mail
> }
>
> D.
>
> On Mon, Oct 23, 2023 at 2:53 PM atilling <atil...@conncoll.edu> wrote:
>
>> Working on a SAML integration where the subject needs to be the user's
>> email address but despite the changes I've made it still releases the
>> username attribute.
>>
>> usernameAttributeProvider:
>> {
>>   @class: org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider
>>   usernameAttribute: userPrincipalName
>> }
>> ...
>> requiredNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>>
>> In cas.properties we are defining the attribute
>>
>> cas.authn.attribute-repository.ldap[0].attributes.eduPersonPrincipalName=mail
>>
>> I found it odd that the service manager is giving userPrincipalName as
>> the "username attribute" and not mail as mapped.
>>
>> Looking at the attribute release in the response XML I see that the
>> subject is still the username and the mail attribute is populated.
>> <?xml version="1.0" encoding="UTF-8"?>
>> <saml2p:Response Destination="https://sitedown.conncoll.edu/"
>>     ID="_972320461405286400"
>>     InResponseTo="_07ccef8331e40d6e9c24c8a12ade2bd69884b1cbb6"
>>     IssueInstant="2023-10-23T17:39:07.378Z" Version="2.0"
>>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://casdev.conncoll.edu/idp</saml2:Issuer>
>>   <saml2p:Status>
>>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>>   </saml2p:Status>
>>   <saml2:Assertion ID="_1333994532661421056" IssueInstant="2023-10-23T17:39:07.305Z"
>>       Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>>     <saml2:Issuer>https://casdev.conncoll.edu/idp</saml2:Issuer>
>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>       <ds:SignedInfo>
>>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>         <ds:Reference URI="#_1333994532661421056">
>>           <ds:Transforms>
>>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>           </ds:Transforms>
>>           <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>>           <ds:DigestValue>gOBjXAhXqdT7adKVPNrxD43urSqJQgTtDjcj64Wa2NE=</ds:DigestValue>
>>         </ds:Reference>
>>       </ds:SignedInfo>
>>       <ds:SignatureValue>CIuSEDbZ97Yf8VnnA774OXFgGQ0Qw9+HcZX8SnOWWcMT+zb5CUEh3hsKkSlQYr4PeRsn1AxxwpGKdIl9HWLjeF97zPMglpguDiyACsUHNtYGbcmlCIX9WQ+lEUIbrdDwP9c8F632INvPF6ACI9DTDSbLrzA2xJT44X2z4EFAAxJJVK/5MFAyWCopZTiMHsGv6CZ7FKSSjBdYe+zacyL7ZmT1LbFfgV1HK6SL9L3ChRCS5bcQ9vui9pOJ9aiD6Hf6rcO6HZcMuQPMCqNlQilSVVverSypwXv8qFdGYuzy+qiByyc+xTjYR2NpBwECtttDMsZnfFfFxu91KusihOq2OA==</ds:SignatureValue>
>>       <ds:KeyInfo>
>>         <ds:KeyValue>
>>           <ds:RSAKeyValue>
>>             <ds:Modulus>nsveLo/KHlchZAHX+dNks7YJSIhIK2xReT1+Vp0EgUYB71DW1tpx9jdEP21PeroK1wjoptbEuoqHetvl5i8/0L/zhVPQFu5jcqQUUnCUEa26wJdtZcpSUzHgudSZM/EHABEMQ+xEqC0Bdty8f9d7AuckWon88+EgyEiW7PYFkc7jDzPHiMBdVyRKVnwMDJIz2WVz3i2q55akpfy2UNMEkJlhm+GgOOKkHKW166gkvXi93duX5hE1lmSufqpQjta2Ev2Lw3BdPhnnCOXBym+rtNI5kl5A5B/opjm4djUY7hCYIBQfqUsykyoGDheAoW7HCYaffg4z+Mu8TuwfjnDA0w==</ds:Modulus>
>>             <ds:Exponent>AQAB</ds:Exponent>
>>           </ds:RSAKeyValue>
>>         </ds:KeyValue>
>>         <ds11:DEREncodedKeyValue xmlns:ds11="http://www.w3.org/2009/xmldsig11#">
>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnsveLo/KHlchZAHX+dNks7YJSIhIK2xR
>> eT1+Vp0EgUYB71DW1tpx9jdEP21PeroK1wjoptbEuoqHetvl5i8/0L/zhVPQFu5jcqQUUnCUEa26
>> wJdtZcpSUzHgudSZM/EHABEMQ+xEqC0Bdty8f9d7AuckWon88+EgyEiW7PYFkc7jDzPHiMBdVyRK
>> VnwMDJIz2WVz3i2q55akpfy2UNMEkJlhm+GgOOKkHKW166gkvXi93duX5hE1lmSufqpQjta2Ev2L
>> w3BdPhnnCOXBym+rtNI5kl5A5B/opjm4djUY7hCYIBQfqUsykyoGDheAoW7HCYaffg4z+Mu8Tuwf
>> jnDA0wIDAQAB
>>         </ds11:DEREncodedKeyValue>
>>       </ds:KeyInfo>
>>     </ds:Signature>
>>     <saml2:Subject>
>>       <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>>           NameQualifier="https://casdev.conncoll.edu/idp"
>>           SPNameQualifier="https://sitedown.conncoll.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/">atilling</saml2:NameID>
>>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>         <saml2:SubjectConfirmationData Address="sitedown.conncoll.edu"
>>             InResponseTo="_07ccef8331e40d6e9c24c8a12ade2bd69884b1cbb6"
>>             NotOnOrAfter="2023-10-23T17:39:07.306Z"
>>             Recipient="https://sitedown.conncoll.edu/"/>
>>       </saml2:SubjectConfirmation>
>>     </saml2:Subject>
>>     <saml2:Conditions NotBefore="2023-10-23T17:39:07.348Z" NotOnOrAfter="2023-10-23T17:39:07.348Z">
>>       <saml2:AudienceRestriction>
>>         <saml2:Audience>https://sitedown.conncoll.edu/wp-content/plugins/miniorange-saml-20-single-sign-on/</saml2:Audience>
>>       </saml2:AudienceRestriction>
>>     </saml2:Conditions>
>>     <saml2:AuthnStatement AuthnInstant="2023-10-23T17:36:35.417Z"
>>         SessionIndex="_1170437499088431104"
>>         SessionNotOnOrAfter="2023-10-24T17:39:07.295Z">
>>       <saml2:SubjectLocality Address="136.244.218.11"/>
>>       <saml2:AuthnContext>
>>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>>       </saml2:AuthnContext>
>>     </saml2:AuthnStatement>
>>     <saml2:AttributeStatement>
>>       <saml2:Attribute FriendlyName="UserName" Name="UserName"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>atilling</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="mail" Name="mail"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>atil...@conncoll.edu</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="displayName" Name="displayName"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>Andrew P. Tillinghast</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="cn" Name="cn"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>Andrew P. Tillinghast</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="edupersonaffiliation" Name="edupersonaffiliation"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>STAFF</saml2:AttributeValue>
>>         <saml2:AttributeValue>EMPLOYEE</saml2:AttributeValue>
>>         <saml2:AttributeValue>MEMBER</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="givenname" Name="givenname"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>Andrew</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="departmentNumber" Name="departmentNumber"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>Information Services/Enterprise Systems</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="memberof" Name="memberof"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>cn=EIS, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=staff, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=100000-901010-Information Services - Office of VP, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=Knowbe4, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=Knowbe4PII, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=DB_Users, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=CWUserEdit, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=AS2-083267125839-StataLocal, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=MAPS_LDAP, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=webadministrator, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=bbadm, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=Forti-Two Factor, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=Druva_InSync_Clients, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=knowbe4staff, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=meraki-tech, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=WirelessSU, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>         <saml2:AttributeValue>cn=CWADMIN, ou=groups, dc=conncoll, dc=edu</saml2:AttributeValue>
>>       </saml2:Attribute>
>>       <saml2:Attribute FriendlyName="sn" Name="sn"
>>           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>         <saml2:AttributeValue>Tillinghast</saml2:AttributeValue>
>>       </saml2:Attribute>
>>     </saml2:AttributeStatement>
>>   </saml2:Assertion>
>> </saml2p:Response>
>>
>> Is there something I'm missing to get userPrincipalName/mail as the
>> subject?
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/855695d8-33bf-4858-a145-344fe91601a8n%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/855695d8-33bf-4858-a145-344fe91601a8n%40apereo.org?utm_medium=email&utm_source=footer>.
>
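The thread above shows a Response whose NameID is tagged with the emailAddress format but still carries the bare username. A cheap way to catch that kind of mismatch before a service provider does is to check the NameID against what its Format promises and against the released mail attribute. The script below is an added example, not code from the thread or from CAS; the Response it parses is a constructed, trimmed-down one (no signature, two attributes) built to reproduce the same mismatch, and the entity IDs in it are placeholders.

```python
"""Check that a SAML Response's NameID matches what its Format promises.

Added example (not from the thread or from CAS). Given a Response, it pulls
out the NameID, its Format and the released attributes, and reports when an
emailAddress-format NameID is not an e-mail address or does not agree with
the released "mail" attribute.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Deliberately simple shape check: one '@' followed by a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample (placeholder issuer/SP): the NameID claims the
# emailAddress format but carries the bare username, as in the thread.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2023-10-23T17:39:07.378Z" Destination="https://sp.example.edu/">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2023-10-23T17:39:07.305Z">
    <saml2:Issuer>https://idp.example.edu/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="UserName"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="mail"><saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def parse_response(xml_text):
    """Return (nameid_format, nameid_value, {attr_name: [values]}) from a Response."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        raise ValueError("no NameID in Subject")
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return nameid.get("Format"), (nameid.text or "").strip(), attrs


def check_nameid(xml_text, mail_attr="mail"):
    """Return a list of findings; an empty list means the NameID is consistent."""
    fmt, value, attrs = parse_response(xml_text)
    findings = []
    if fmt == EMAIL_FORMAT:
        if not EMAIL_RE.match(value):
            findings.append(
                f"NameID Format is emailAddress but value {value!r} is not an e-mail address")
        mails = attrs.get(mail_attr, [])
        if mails and value not in mails:
            findings.append(
                f"NameID {value!r} does not match released {mail_attr} attribute {mails}")
    return findings


if __name__ == "__main__":
    for finding in check_nameid(SAMPLE_RESPONSE) or ["NameID consistent with its Format"]:
        print(finding)
```

Run against the constructed sample it reports two findings (the NameID is not an e-mail address, and it differs from the released mail attribute); once the NameID carries the mail value, as the fixed service definition in the thread produces, it reports none. Feed it the decoded SAMLResponse from a real test login to confirm a service definition change actually took effect.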