Ah ha, you are attempting to blend the attribute definition store into a 
service entry.  As far as I am aware, that is not possible.

You either have to do an attribute definition store and use the inline groovy 
script in the service entry to set the value, OR you have to use the service 
entry attributeNameFormats, attributeFriendlyNames and attributeValueTypes 
directives to get a similar effect.  I’ve included both examples.

Attribute definition store + service entry

Add the following to your cas.properties configuration:

cas.authn.attribute-repository.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

and add the following content to /etc/cas/config/attributes.json:

{
  "@class" : "java.util.TreeMap",
  "eduPersonPrimaryAffiliation" : {
    "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
    "key" : "eduPersonPrimaryAffiliation",
    "name" : "eduPersonPrimaryAffiliation",
    "urn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.5",
    "friendlyName" : "eduPersonPrimaryAffiliation",
    "scoped" : false
  }
}

Then use works.json to set the value.


Service Entry Only (may work, not sure)

Service entry doesNotWork.json:

{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "http://test.com/sp/11111111",

  …snip…

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "mergingPolicy" : "REPLACE",
    "policies" : [ "java.util.ArrayList",
      [
        {
          "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
          "allowedAttributes" : {
            "@class" : "java.util.TreeMap",
            "eduPersonPrimaryAffiliation" :
              '''
              groovy {
                  def roles = ['member']
                  for (item in attributes['memberOf']) {
                      if ((item.matches('^CN=Adjuncts(.*)') || item.matches('^CN=Faculty(.*)')) && !roles.contains('faculty')) {
                          roles.add('faculty')
                      } else if (item.matches('^CN=(.*)Employees,(.*)') && !roles.contains('staff')) {
                          roles.add('staff')
                      } else if (item.matches('^CN=(.*)Students,(.*)') && !roles.contains('students')) {
                          roles.add('students')
                      }
                  }
                  return roles
              }
              ''',
            "givenName" : "givenName",
            "userPrincipalName" : "userPrincipalName",
            "displayName" : "displayName",
            "sn" : "sn",
            "cn" : "cn",
            "employeeID" : "employeeID"
          }
        }
      ]
    ]
  },

  …snip…

  "attributeNameFormats" : {
    "@class" : "java.util.LinkedHashMap",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5" : "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
  },
  "attributeFriendlyNames" : {
    "@class" : "java.util.LinkedHashMap",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5" : "eduPersonPrimaryAffiliation"
  },
  "attributeValueTypes" : {
    "@class" : "java.util.LinkedHashMap",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5" : "XSString"
  }

  …snip…

}
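Because the inline script is hard to debug once it is wrapped inside the JSON service entry, the same memberOf-to-role mapping is shown below as a stand-alone Groovy script that can be run with the groovy CLI against a constructed attribute map. This is an added example, not code from this thread or from CAS. It assumes, as the posted script does, that CAS exposes the principal attributes to the script as a Map named `attributes` whose values are Lists and expects a List of values back; the DN patterns, role names and sample group DNs are illustrative. It goes a little beyond the posted script by tolerating a missing memberOf attribute and a single String value.

```groovy
// Added example, not code from the thread or from CAS. Same memberOf -> role
// mapping as the posted service entry, pulled into a function so it can be run
// with the plain `groovy` CLI before being pasted back into the JSON.
// Assumption (taken from the posted script): CAS hands the script a Map named
// `attributes` whose values are Lists, and expects a List of values back.

/**
 * Derive the roles for eduPersonPrimaryAffiliation from memberOf group DNs.
 * Everyone gets 'member'; each further role is added at most once, and the
 * first matching pattern decides the role of a given group (as in the original
 * if/else-if chain).
 */
List<String> mapRoles(Map<String, ?> attributes) {
    // Patterns and role names are those of the posted script.
    def rolePatterns = [
        faculty : ~/^CN=(Adjuncts|Faculty).*/,
        staff   : ~/^CN=.*Employees,.*/,
        students: ~/^CN=.*Students,.*/,
    ]
    def roles = ['member']
    def raw = attributes?.get('memberOf')
    // No memberOf at all -> just ['member']. A bare String is wrapped in a list,
    // because `for (item in "CN=...")` in Groovy iterates the characters, not the DN.
    def groups = raw == null ? [] : (raw instanceof Collection ? raw : [raw])
    for (item in groups) {
        def dn = item.toString()
        def role = rolePatterns.find { name, pattern -> dn ==~ pattern }?.key
        if (role != null && !roles.contains(role)) {
            roles << role
        }
    }
    return roles
}

// Constructed sample principals (not real directory data) covering the edge cases.
def samples = [
    'faculty and staff': [memberOf: ['CN=Faculty,OU=Groups,DC=example,DC=edu',
                                     'CN=FullTimeEmployees,OU=Groups,DC=example,DC=edu']],
    'student only'     : [memberOf: ['CN=Students,OU=Groups,DC=example,DC=edu']],
    'bare string'      : [memberOf: 'CN=Adjuncts,OU=Groups,DC=example,DC=edu'],
    'no memberOf'      : [uid: ['jdoe']],
    'unrelated groups' : [memberOf: ['CN=VPN-Users,OU=Groups,DC=example,DC=edu']],
]
samples.each { label, attrs ->
    println "${label.padRight(18)} -> ${mapRoles(attrs)}"
}
```

Run it with `groovy mapRoles.groovy`; the body of mapRoles, minus the function wrapper and the sample data, is what goes between `groovy {` and `}` in the service entry.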



From: 'Matthew Gordon' via CAS Community <cas-user@apereo.org>
Sent: Wednesday, February 19, 2025 4:06 PM
To: CAS Community <cas-user@apereo.org>
Cc: Matthew Gordon <magor...@hacc.edu>
Subject: [EXTERNAL SENDER] [cas-user] Re: Embedded Script Groovy in Attribute definition

I attached the full service that I started with, "doesNotWork.json", and one I 
adjusted after getting an idea from Robert's reply that does seem to work, 
"works.json". I have no idea why it will not run the groovy in 
doesNotWork.json, but it will when I do it like I did in works.json.

Basically when trying to run inline groovy with the "script" attribute it 
fails. Any ideas?

Thank you all for the suggestions so far!

Thank you,
Matt

On Tuesday, February 18, 2025 at 1:00:07 PM UTC-5 Matthew Gordon wrote:
I am using this example for the JSON Attribute Definitions "Embedded Script":
https://apereo.github.io/cas/7.0.x/integration/Attribute-Definitions.html

It does not appear to be working, and throws an error:

2025-02-18 11:03:12,125 WARN [org.apereo.cas.authentication.DefaultPrincipalAttributesMapper] - <Groovy-scripted attribute returned no value for [eduPersonPrincipalName]>
2025-02-18 11:03:12,132 ERROR [org.apereo.cas.util.scripting.GroovyShellScript] - <startup failed:
Script1.groovy: 1: Unexpected input: '}' @ line 1, column 109.
   Hi', attributes['firstname']] }, canonic
                                 ^

1 error

         ErrorCollector.java:failIfErrors:292
         ErrorCollector.java:addFatalError:148
         AstBuilder.java:collectSyntaxError:4753
         AstBuilder.java:access$100:169
>
2025-02-18 11:03:12,132 WARN [org.apereo.cas.authentication.DefaultPrincipalAttributesMapper] - <Groovy-scripted attribute returned no value for [eduPersonPrincipalName]>


Any idea what could be wrong?

Thank you,
Matt
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a4bb7e3-6686-4fce-81a6-14564de0cf7fn%40apereo.org.
