Directory Person and Attributes in CAS

Rhian Resnick rresnick at fit.edu
Fri May 9 21:23:48 EDT 2008


Sean,

We have successfully deployed attributes, using CAS 3.2.1 and using the directions located at http://doc-cri.univ-nancy2.fr/public/?contentId=3841 as a general example. (Yes, it is in French.)

There are only a few major steps.

First, set up CAS using the defaults and make sure your SSL is set up correctly. http://www.ja-sig.org/products/cas/server/ssl/index.html

Second, enable LDAP per the CAS Manual: http://www.ja-sig.org/wiki/display/CASUM/LDAP

Third, enable Services with MySQL per the manual, with a few modifications we found made it work better.
	a. http://www.ja-sig.org/wiki/display/CASUM/Configuring
		1) Remove <prop key="hibernate.dialect">org.hibernate.dialect.HSQLDialect</prop> from the example; this is set in cas.properties.
	b. We used this dependency for MySQL, as we are using MySQL 5.

<dependency>
       <groupId>mysql</groupId>
       <artifactId>mysql-connector-java</artifactId>
       <version>5.1.6</version>
       <scope>runtime</scope>
</dependency>

	c. In cas.properties, comment out the HSQLDialect and uncomment the MySQLDialect; also make sure localhost is replaced with your DNS name. (Example: cas.example.org)
	d. Build and deploy the cas.war to make sure it works. (mvn package in the cas-server-webapp)
	e. Modify the MySQL field cas.RegisteredServiceImpl.allowedAttributes in the database from tinyBlob to mediumBlob, as too many attributes being allowed to a service can cause an exception and crash your CAS services list. (If this happens, restart Tomcat; it will correct the problem.)

Enable LDAP Attributes: http://www.ja-sig.org/wiki/display/CASUM/Attributes and increase the number of attributes CAS will look up by adding them to the ldapAttributesToPortalAttributes. (A subset of the attributes we can send into CAS and out to clients.)
		<property name="ldapAttributesToPortalAttributes">
			<map>
				<!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
				<entry key="gidnumber" value="gidnumber"/>
				<entry key="sn" value="sn" />
				<entry key="mail" value="mail" />
				<entry key="givenName" value="givenName" />
				<entry key="displayName" value="displayName" />
				<entry key="description" value="description" />
				<entry key="mailLocalAddress" value="mailLocalAddress" />
				<entry key="mailRoutingAddress" value="mailRoutingAddress" />
				<entry key="gecos" value="gecos" />
				<entry key="homeDirectory" value="homeDirectory" />
				<entry key="gidNumber" value="gidNumber" />
				<entry key="uidNumber" value="uidNumber" />
				<entry key="uid" value="uid" />
				<entry key="cn" value="cn" />
				<entry key="initials" value="initials" />
				<entry key="l" value="l" />
				<entry key="street" value="street" />
				<entry key="st" value="st" />
				<entry key="loginShell" value="loginShell" />

			</map>
		</property>
Finally, the secret was extending the CAS 2.0 XML return. We added the following after the cas:user tag in cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp. (Ignore the first line; it's an example cas:user tag.)

<cas:user>${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}</cas:user>
<%-- one cas:attribute element per principal attribute; names and values are XML-escaped --%>
<c:forEach var="auth" items="${assertion.chainedAuthentications}">
	<c:forEach var="attr" items="${auth.principal.attributes}">
		<cas:attribute name="${fn:escapeXml(attr.key)}" value="${fn:escapeXml(attr.value)}"/>
	</c:forEach>
</c:forEach>

Once this was complete, all the standard CAS 1.0 and 2.0 clients could authenticate to the CAS server, and our slightly customized version of phpCAS could pull the attributes by requesting the name and value attributes from the attribute tag. (We just haven't had time to port the attributes to the other clients, most importantly .NET.)

If you want a copy of the extended phpCAS let me know and I will send  
you the updated CAS.php and client.php files.

Hope this helps all the people trying to get attribute passing working over CAS 2.0.

Also, if anyone has SAML 1.1 instructions regarding PHP and .NET, we are very interested.

Rhian Resnick
Systems Analyst, Information Technology
Florida Institute of Technology

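As an added example (not code from the post, from CAS or from phpCAS), the two halves the post describes, modelled in Python: the server side that the patched casServiceValidationSuccess.jsp plays, escaping each principal attribute and releasing only those in the service's allowedAttributes, and the client side that pulls the name/value pairs back out of the CAS 2.0 serviceValidate response. The namespace URI is the one CAS 2.0 responses carry; the function names, the principal, its attributes, the allowed set and the failure response are all constructed for the example.

```python
# Added example for the post above; not CAS, phpCAS or Nancy2 code.
# Models the patched casServiceValidationSuccess.jsp (escape and emit one
# <cas:attribute name="..." value="..."/> per principal attribute, filtered
# by the service's allowedAttributes from step e) and a phpCAS-style client
# that reads the attributes back. All sample data is constructed.
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Namespace used by CAS 2.0 protocol responses.
CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample principal. displayName deliberately holds characters
# that must be escaped; mailLocalAddress is multi-valued.
SAMPLE_PRINCIPAL_ID = "jdoe"
SAMPLE_ATTRIBUTES = {
    "displayName": 'Doe, John "JD" <Admin & Ops>',
    "mailLocalAddress": ["jdoe@example.org", "john.doe@example.org"],
    "uidNumber": 1001,
    "loginShell": "/bin/bash",
}
# Constructed allowedAttributes for the registered service: loginShell is
# left out on purpose, so it must never reach the client.
SAMPLE_ALLOWED = {"displayName", "mailLocalAddress", "uidNumber"}

# Constructed failure response, as CAS returns it for a bad service ticket.
SAMPLE_FAILURE_XML = (
    f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
    '<cas:authenticationFailure code="INVALID_TICKET">'
    "ticket ST-placeholder not recognized"
    "</cas:authenticationFailure></cas:serviceResponse>"
)


def render_success(principal_id, attributes, allowed_attributes):
    """Server side: build the response the patched JSP emits.

    Every name and value is XML-escaped (the JSP uses fn:escapeXml for the
    same reason), so a directory value holding '<' or '"' cannot break out
    of the element or inject markup into the response. Only attributes in
    allowed_attributes are released; multi-valued attributes become one
    element per value.
    """
    lines = [
        f'<cas:serviceResponse xmlns:cas="{CAS_NS}">',
        "  <cas:authenticationSuccess>",
        f"    <cas:user>{escape(principal_id)}</cas:user>",
    ]
    for name in sorted(attributes):
        if name not in allowed_attributes:
            continue  # not released to this service
        values = attributes[name]
        if not isinstance(values, (list, tuple)):
            values = [values]
        for value in values:
            lines.append(
                f"    <cas:attribute name={quoteattr(name)} "
                f"value={quoteattr(str(value))}/>"
            )
    lines += ["  </cas:authenticationSuccess>", "</cas:serviceResponse>"]
    return "\n".join(lines)


def parse_success(xml_text):
    """Client side: return (user, {name: [values]}), or raise ValueError
    carrying the failure code.

    Parsing is namespace-aware on purpose: matching the literal 'cas:'
    prefix would break if the server used another prefix. Trust the result
    only when the text came straight from the CAS server over verified TLS
    as the reply to the service ticket validation request.
    """
    root = ET.fromstring(xml_text)
    ns = {"cas": CAS_NS}
    success = root.find("cas:authenticationSuccess", ns)
    if success is None:
        failure = root.find("cas:authenticationFailure", ns)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise ValueError(f"ticket validation failed: {code}")
    user = success.findtext("cas:user", namespaces=ns)
    attrs = {}
    for el in success.findall("cas:attribute", ns):
        attrs.setdefault(el.get("name"), []).append(el.get("value"))
    return user, attrs


def validation_error_code(xml_text):
    """Return the failure code for a failed response, or None on success."""
    try:
        parse_success(xml_text)
    except ValueError as exc:
        return str(exc).rsplit(": ", 1)[-1]
    return None


if __name__ == "__main__":
    response = render_success(SAMPLE_PRINCIPAL_ID, SAMPLE_ATTRIBUTES, SAMPLE_ALLOWED)
    print(response)
    print(parse_success(response))
    print(validation_error_code(SAMPLE_FAILURE_XML))
```

The round trip is the check worth running after patching the JSP: a value such as the sample displayName must come back to the client byte-for-byte, and an attribute outside the service's allowedAttributes must not appear in the response at all.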


On May 9, 2008, at 11:59 AM, Sean R. McNamara wrote:

> Hello,
>
> I'm curious if anyone out there is using any of attribute features
> available through Directory Person being integrated with CAS?   (see:
> http://www.ja-sig.org/wiki/display/CASUM/Attributes)
>
> Have you been successful getting it to work?
>
> Thanks..
>
> ..Sean.
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
