Thank you Robert, I will give that a try.

Interestingly enough it works under CAS 6.x, just not 7.x.

Thank you,
Matt



-----Original Message-----
From: "King, Robert" <r...@mun.ca>
To: cas-user@apereo.org
Cc: Matthew Gordon <magor...@hacc.edu>
Subject: RE: [EXTERNAL SENDER] [cas-user] Re: Embedded Script Groovy in 
Attribute definition
Date: 02/20/2025 09:21:10 AM

Ah ha, you are attempting to blend the attribute definition store into a 
service entry.  As far as I am aware, that is not possible.

You either have to do an attribute definition store and use the inline groovy 
script in the service entry to set the value, OR you have to use the service 
entry attributeNameFormats, attributeFriendlyNames and attributeValueTypes 
directives to get a similar effect.  I’ve included both examples.

Attribute definition store + service entry

Add the following to your cas.properties configuration:

cas.authn.attribute-repository.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

and add the following content to /etc/cas/config/attributes.json:

{
    @class : java.util.TreeMap
    eduPersonPrimaryAffiliation : {
      @class : org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition
      key : eduPersonPrimaryAffiliation
      name : eduPersonPrimaryAffiliation
      urn : urn:oid:1.3.6.1.4.1.5923.1.1.1.5
      friendlyName : eduPersonPrimaryAffiliation
      scoped : false
    }
}

Then use the works.json to set the value.


Service Entry Only (may work, not sure)

service entry  doesNotWork.json:

{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "http://test.com/sp/11111111",

…snip…

"attributeReleasePolicy" : {

     "@class" : "org.apereo.cas.services.ChainingAttributeReleasePolicy",
     "mergingPolicy" : "REPLACE",
     "policies" : [ "java.util.ArrayList",
     [
           {
                "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
                "allowedAttributes" : {
                     "@class" : "java.util.TreeMap",
                     "eduPersonPrimaryAffiliation" :
'''
groovy {
  def roles = ['member'];
  for( item in attributes['memberOf'] ){
    if ( (item.matches('^CN=Adjuncts(.*)') || item.matches('^CN=Faculty(.*)')) && !roles.contains('faculty')) {
      roles.add('faculty')
    } else if (item.matches('^CN=(.*)Employees,(.*)') && !roles.contains('staff')) {
      roles.add('staff')
    } else if (item.matches('^CN=(.*)Students,(.*)') && !roles.contains('students')) {
      roles.add('students')}
  };
  return roles;
}
'''
"givenName" : "giveName"
"userPrincipalName" : "userPrincipalName"
"displayName" : "displayName"
"sn" : "sn"
"cn" : "cn"
"employeeID" : "employeeID"
                }
           }
     ]
},

…snip…

  attributeNameFormats:
  {
    @class: java.util.LinkedHashMap
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  }
  attributeFriendlyNames:
  {
    @class: java.util.LinkedHashMap
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": eduPersonPrimaryAffiliation
  }
  attributeValueTypes:
  {
    @class: java.util.LinkedHashMap
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": XSString
  }

…snip…

}
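
Added example (not part of Robert's message or of the CAS project's code): the role-mapping script from the service entry above as a stand-alone Groovy script, with a `strict` switch that keeps the Employees/Students match inside the leading CN component of the DN. The function name `rolesFor`, the `strict` flag and the sample DNs are constructed for illustration.

```groovy
// Added illustration; run with: groovy roles.groovy
// strict=false uses the patterns from the thread, strict=true replaces (.*)
// with [^,]* so the match cannot run past the first comma into OU= parts.
List<String> rolesFor(Object memberOf, boolean strict) {
    // `for (x in aString)` iterates characters in Groovy, so wrap a single
    // value in a list and treat a missing attribute as empty.
    def groups = memberOf instanceof Collection ? memberOf : (memberOf == null ? [] : [memberOf])
    def staff    = strict ? 'CN=[^,]*Employees,.*' : 'CN=(.*)Employees,(.*)'
    def students = strict ? 'CN=[^,]*Students,.*'  : 'CN=(.*)Students,(.*)'
    def roles = ['member']
    for (item in groups) {
        def dn = item.toString()
        // ==~ is a full-string match, the same semantics as String.matches()
        if ((dn ==~ 'CN=Adjuncts.*' || dn ==~ 'CN=Faculty.*') && !roles.contains('faculty')) {
            roles << 'faculty'
        } else if (dn ==~ staff && !roles.contains('staff')) {
            roles << 'staff'
        } else if (dn ==~ students && !roles.contains('students')) {
            roles << 'students'
        }
    }
    return roles
}

// Constructed sample DNs (not from the thread).
def vendor  = ['CN=Vendors,OU=Employees,DC=example,DC=edu']
def faculty = ['CN=Faculty-Math,OU=Groups,DC=example,DC=edu',
               'CN=AllEmployees,OU=Groups,DC=example,DC=edu']

// With the thread's pattern, (.*) spans the comma and the OU name grants 'staff'.
assert rolesFor(vendor, false) == ['member', 'staff']
// With [^,]* only the group's own CN is considered.
assert rolesFor(vendor, true) == ['member']
assert rolesFor(faculty, true) == ['member', 'faculty', 'staff']
// Single String value and missing attribute are both handled.
assert rolesFor('CN=AllEmployees,OU=Groups,DC=example,DC=edu', true) == ['member', 'staff']
assert rolesFor(null, true) == ['member']
println 'all checks passed'
```

Inside a CAS inline script the same loop would read `attributes['memberOf']` instead of taking a parameter.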



From: 'Matthew Gordon' via CAS Community <cas-user@apereo.org>
Sent: Wednesday, February 19, 2025 4:06 PM
To: CAS Community <cas-user@apereo.org>
Cc: Matthew Gordon <magor...@hacc.edu>
Subject: [EXTERNAL SENDER] [cas-user] Re: Embedded Script Groovy in Attribute 
definition

I attached the full service that I started with "doesNotWork.json" and one I 
adjusted after getting an idea from Robert's reply that does seem to work 
"works.json". I have no idea why it will not run the groovy in the 
doesNotWork.json, but will when I do it like I did in works.json.

Basically when trying to run inline groovy with the "script" attribute it 
fails. Any ideas?

Thank you all for the suggestions so far!

Thank you,
Matt

On Tuesday, February 18, 2025 at 1:00:07 PM UTC-5 Matthew Gordon wrote:
I am using this example for the JSON Attribute Definitions "Embedded Script":
https://apereo.github.io/cas/7.0.x/integration/Attribute-Definitions.html

It does not appear to be working, and throws an error:

2025-02-18 11:03:12,125 WARN 
[org.apereo.cas.authentication.DefaultPrincipalAttributesMapper] - 
<Groovy-scripted attribute returned no value for [eduPersonPrincipalName]>
2025-02-18 11:03:12,132 ERROR [org.apereo.cas.util.scripting.GroovyShellScript] 
- <startup failed:
Script1.groovy: 1: Unexpected input: '}' @ line 1, column 109.
   Hi', attributes['firstname']] }, canonic
                                 ^

1 error

         ErrorCollector.java:failIfErrors:292
         ErrorCollector.java:addFatalError:148
         AstBuilder.java:collectSyntaxError:4753
         AstBuilder.java:access$100:169
>
2025-02-18 11:03:12,132 WARN 
[org.apereo.cas.authentication.DefaultPrincipalAttributesMapper] - 
<Groovy-scripted attribute returned no value for [eduPersonPrincipalName]>


Any idea what could be wrong?

Thank you,
Matt

