Directory Person and Attributes in CAS

Hello,

I'm curious if anyone out there is using any of the attribute features available through Directory Person being integrated with CAS? (See: http://www.ja-sig.org/wiki/display/CASUM/Attributes) Have you been successful getting it to work? Thanks.

..Sean.

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas
Re: Directory Person and Attributes in CAS

Sean,

We have successfully deployed attributes, using CAS 3.2.1 and using the directions located at http://doc-cri.univ-nancy2.fr/public/?contentId=3841 as a general example. (Yes, it is in French.) There are only a few major steps.

First, set up CAS using the defaults and make sure your SSL is set up correctly: http://www.ja-sig.org/products/cas/server/ssl/index.html

Second, enable LDAP per the CAS manual: http://www.ja-sig.org/wiki/display/CASUM/LDAP

Third, enable Services with MySQL per the manual, with a few modifications we found made it work better.

a. Remove <prop key="hibernate.dialect">org.hibernate.dialect.HSQLDialect</prop> from the example; this is set in cas.properties.

b. We used this dependency for MySQL, as we are using MySQL 5:

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.6</version>
        <scope>runtime</scope>
    </dependency>

c. In cas.properties, comment out the HSQLDialect and uncomment the MySQLDialect; also make sure localhost is replaced with your DNS name. (Example: cas.example.org)

d. Build and deploy the cas.war to make sure it works. (mvn package in cas-server-webapp)

e. Modify the MySQL field cas.RegisteredServiceImpl.allowedAttributes in the database from tinyBlob to mediumBlob, as too many attributes being allowed to a service can cause an exception and crash your CAS services list. (If this happens, restart Tomcat; it will correct the problem.)

Enable LDAP attributes (http://www.ja-sig.org/wiki/display/CASUM/Attributes) and increase the number of attributes CAS will look up by adding them to ldapAttributesToPortalAttributes. (A subset of the attributes we can send into CAS and out to clients.)

    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
            <entry key="gidnumber" value="gidnumber"/>
            <entry key="sn" value="sn" />
            <entry key="mail" value="mail" />
            <entry key="givenName" value="givenName" />
            <entry key="displayName" value="displayName" />
            <entry key="description" value="description" />
            <entry key="mailLocalAddress" value="mailLocalAddress" />
            <entry key="mailRoutingAddress" value="mailRoutingAddress" />
            <entry key="gecos" value="gecos" />
            <entry key="homeDirectory" value="homeDirectory" />
            <entry key="gidNumber" value="gidNumber" />
            <entry key="uidNumber" value="uidNumber" />
            <entry key="uid" value="uid" />
            <entry key="cn" value="cn" />
            <entry key="initials" value="initials" />
            <entry key="l" value="l" />
            <entry key="street" value="street" />
            <entry key="st" value="st" />
            <entry key="loginShell" value="loginShell" />
        </map>
    </property>

Finally, the secret was extending the CAS 2.0 XML return. We added the following after the cas:user tag in cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp. (Ignore the first line; it's an example cas:user tag.)

    <cas:user>${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}</cas:user>
    <c:forEach var="auth" items="${assertion.chainedAuthentications}">
        <c:forEach var="attr" items="${auth.principal.attributes}">
            <cas:attribute name="${fn:escapeXml(attr.key)}" value="${fn:escapeXml(attr.value)}"/>
        </c:forEach>
    </c:forEach>

Once this was complete, all the standard CAS 1.0 and 2.0 clients could authenticate to the CAS server, and our slightly customized version of phpCAS could pull the attributes by requesting the name and value attributes from the attribute tag. (We just haven't had time to port the attributes to the other clients, most importantly .NET.) If you want a copy of the extended phpCAS, let me know and I will send you the updated CAS.php and client.php files.

Hope this helps all the people trying to get attribute passing working over CAS 2.0. Also, if anyone has SAML 1.1 instructions regarding PHP and .NET, we are very interested.

Rhian Resnick
Systems Analyst, Information Technology
Florida Institute of Technology

On May 9, 2008, at 11:59 AM, Sean R. McNamara wrote:
> Hello,
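For anyone wiring a client to the extended response described in the reply above, here is a small parser in Python (an added example for this thread, not phpCAS or CAS project code, and written in Python rather than PHP so it can be run stand-alone) that consumes a CAS 2.0 serviceValidate response carrying the <cas:attribute name="..." value="..."/> elements the modified JSP emits. The two sample responses, the user jdoe, the ticket ST-1-abc and the attribute values are all constructed for the example. Repeated attribute names, which the nested c:forEach produces once per authentication in a proxy chain, are collected into a list, and the fn:escapeXml-encoded values are decoded by the XML parser rather than by string handling, which is the point of escaping them on the server side in the first place.

```python
"""Client-side parser for a CAS 2.0 serviceValidate response extended with
<cas:attribute name="..." value="..."/> elements, as produced by the modified
casServiceValidationSuccess.jsp described in this thread.

Added example for the thread; it is not phpCAS or CAS project code.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace that CAS 2.0 protocol responses declare on cas:serviceResponse.
CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}


class CasValidationError(Exception):
    """Server reported an authentication failure, or the response is malformed."""


def parse_cas2_validation_response(xml_text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (user, attributes) from a serviceValidate response.

    attributes maps each attribute name to a list of values: the JSP loop emits
    one cas:attribute per principal attribute per authentication in the chain,
    so the same name can legitimately appear more than once.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise CasValidationError(f"unexpected root element {root.tag}")

    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")

    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("neither authenticationSuccess nor authenticationFailure present")

    user_el = success.find("cas:user", NS)
    user = (user_el.text or "").strip() if user_el is not None else ""
    if not user:
        raise CasValidationError("cas:user missing or empty")

    attributes: Dict[str, List[str]] = {}
    # Only direct children of authenticationSuccess, which is where the JSP writes them.
    for attr in success.findall("cas:attribute", NS):
        name = attr.get("name")
        value = attr.get("value")
        if name is None or value is None:
            raise CasValidationError("cas:attribute without name or value")
        attributes.setdefault(name, []).append(value)
    return user, attributes


# Constructed sample responses for the example (not captured from a real server).
# Attribute values are XML-escaped the way fn:escapeXml emits them.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attribute name="mail" value="jdoe@example.org"/>
    <cas:attribute name="displayName" value="Jane O&#039;Doe"/>
    <cas:attribute name="description" value="&lt;b&gt;staff&lt;/b&gt; &amp; faculty"/>
    <cas:attribute name="gidNumber" value="1000"/>
    <cas:attribute name="gidNumber" value="2000"/>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    user, attrs = parse_cas2_validation_response(SUCCESS_RESPONSE)
    print(user, attrs)
    try:
        parse_cas2_validation_response(FAILURE_RESPONSE)
    except CasValidationError as err:
        print("rejected:", err)
```

A failure response raises rather than returning an empty user, so a caller cannot accidentally treat an INVALID_TICKET reply as a logged-in session with no attributes. If the validation endpoint is not fully trusted (for example a response that arrived without server certificate verification), swap ET.fromstring for defusedxml.ElementTree.fromstring, which exposes the same call but rejects entity-expansion tricks; the function body does not otherwise change.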