For CAS services/end-points configured to override the default CAS username/principal with the value from another available / exposed attribute, using a relying-party configuration, we are seeing no change in behavior in the response from the IDP/CAS to the relying party/SP. The backchannel response includes a SAML1 payload with the NameIdentifier value consisting of the default principal, instead of the specified alternate username attribute.
Relaying Party configuration excerpt:
<!-- The following are CAS services that need to release the NUID instead of the default UID for the username returned to services -->
<bean id="shibboleth.regexRelyingParty" parent="RelyingParty">
  <property name="activationCondition">
    <bean class="net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate">
      <constructor-arg name="pred">
        <bean class="com.google.common.base.Predicates" factory-method="or">
          <constructor-arg>
            <util:list>
              <bean class="com.google.common.base.Predicates" factory-method="containsPattern"
                    c:_0="https://bnrxe.*\.neu\.edu\/.*" />
              <bean class="com.google.common.base.Predicates" factory-method="containsPattern"
                    c:_0="https://devweb.*i\/wasapp\/myneuapi\/.*" />
            </util:list>
          </constructor-arg>
        </bean>
      </constructor-arg>
    </bean>
  </property>
  <property name="profileConfigurations">
    <list>
      <ref bean="CAS.LoginConfiguration" />
      <ref bean="CAS.ProxyConfiguration" />
      <bean parent="CAS.ValidateConfiguration" p:userAttribute="neuEduNUID" />
    </list>
  </property>
</bean>
CAS configuration:
<bean id="reloadableServiceRegistry"
      class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
  <property name="definitions">
    <list>
      <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
            c:regex="https://bnrxe.*\.neu\.edu(:\d+)?/.*"
            p:group="banner-services"
            p:authorizedToProxy="false"
            p:singleLogoutParticipant="true" />
      <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
            c:regex="https://nubanner\.(northeastern|neu)\.edu(:\d+)?/.*"
            p:group="banner-services"
            p:authorizedToProxy="true"
            p:singleLogoutParticipant="true" />
      <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
            c:regex="https://devweb\.neu\.edu(:\d+)?/wasapp/.*"
            p:group="was-services"
            p:authorizedToProxy="true"
            p:singleLogoutParticipant="true" />
    </list>
  </property>
</bean>
Attribute filter policy:
<AttributeFilterPolicy id="BANNER">
  <PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="RequesterRegex" regex="https://bnrxe.*\.neu\.edu(:\d+)?/.*"/>
    <Rule xsi:type="RequesterRegex" regex="https://nubanner\.(northeastern|neu)\.edu(:\d+)?/.*"/>
  </PolicyRequirementRule>
  <AttributeRule attributeID="UDC_IDENTIFIER">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="neuEduNUID">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

<AttributeFilterPolicy>
  <PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="RequesterRegex" regex="https://devweb.*\.neu\.edu(:\d+)?/wasapp/.*"/>
    <Rule xsi:type="Requester" value="https://devweb.neu.edu/wasapp" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="neuEduNUID">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="isMemberOf">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
  <AttributeRule attributeID="entrydn">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
The following excerpt from a log file illustrates a test of this configuration resulting in the CAS username not being set to the new value despite the logs indicating it would be. A network trace of the backend channel between the CAS/IDP server and the service endpoint verifies the payload in the debug log is the same payload sent.
2018-04-18 13:33:29,323 - DEBUG [net.shibboleth.idp.cas.flow.impl.UpdateIdPSessionWithSPSessionAction:104] - Created SP session CASSPSession: https://bnrxedevh.neu.edu/applicationNavigator/j_spring_cas_security_check via ST-1524072809049-dkB9QxUc0p16R6jUE8FTmqW3D
2018-04-18 13:33:29,323 - DEBUG [net.shibboleth.idp.session.impl.StorageBackedIdPSession:433] - Ignoring SPSession add, session manager is not configured to track them
2018-04-18 13:33:29,324 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:88] - Using neuEduNUID for CAS username
2018-04-18 13:33:29,324 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:107] - Processing IdPAttribute{id=commonName, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML1StringAttributeEncoder@355ef6be, net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder@d1644fc9], values=[StringAttributeValue{value=David Mak}]}
2018-04-18 13:33:29,324 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:107] - Processing IdPAttribute{id=eduPersonScopedAffiliation, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder@23ac74, net.shibboleth.idp.saml.attribute.encoding.impl.SAML1StringAttributeEncoder@bab64ea8], values=[StringAttributeValue{value=staff@neu.edu}, StringAttributeValue{value=member@neu.edu}]}
2018-04-18 13:33:29,324 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:107] - Processing IdPAttribute{id=UDC_IDENTIFIER, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder@8c4162f2, net.shibboleth.idp.saml.attribute.encoding.impl.SAML1StringAttributeEncoder@27b56b59], values=[StringAttributeValue{value=EEE3939EB1DA663B727990E33CDE7F1A}]}
2018-04-18 13:33:29,325 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:107] - Processing IdPAttribute{id=neuEduNUID, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML1StringAttributeEncoder@44856ed, net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder@fb415ce], values=[StringAttributeValue{value=000998514}]}
2018-04-18 13:33:29,325 - DEBUG [net.shibboleth.idp.cas.flow.impl.PrepareTicketValidationResponseAction:107] - Processing IdPAttribute{id=eduPersonPrincipalName, displayNames={}, displayDescriptions={}, encoders=[net.shibboleth.idp.saml.attribute.encoding.impl.SAML2ScopedStringAttributeEncoder@23a131, net.shibboleth.idp.saml.attribute.encoding.impl.SAML1ScopedStringAttributeEncoder@5625d981], values=[ScopedStringAttributeValue{value=000998514, scope=neu.edu}]}
2018-04-18 13:33:29,325 - INFO [Shibboleth-Audit.SSO:275] - 20180418T173329Z|||https://bnrxedevh.neu.edu/applicationNavigator/j_spring_cas_security_check|https://www.apereo.org/cas/protocol/serviceValidate||||m8k8tt8ck||commonName,eduPersonScopedAffiliation,UDC_IDENTIFIER,neuEduNUID,eduPersonPrincipalName|m8k8tt8ck|ST-1524072809049-dkB9QxUc0p16R6jUE8FTmqW3D|
2018-04-18 13:33:29,325 - DEBUG [net.shibboleth.idp.cas.flow.impl.BuildSamlValidationSuccessMessageAction:113] - Building SAML response for https://bnrxedevh.neu.edu/applicationNavigator/j_spring_cas_security_check in IdP session a5bd67567b7df1c2e1bffca9de2ab9bc0ad6273e379d8e844cdcee1a0d365b60
2018-04-18 13:33:29,326 - DEBUG [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100] - Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
2018-04-18 13:33:29,327 - DEBUG [PROTOCOL_MESSAGE:70] -
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <saml1p:Response IssueInstant="2018-04-18T17:33:29.326Z" MajorVersion="1" MinorVersion="1"
                     ResponseID="ST-1524072809049-dkB9QxUc0p16R6jUE8FTmqW3D"
                     xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:Success"/>
      </saml1p:Status>
      <saml1:Assertion AssertionID="_2b06cf6ad4e7346a51224b4a712d5d9a" IssueInstant="2018-04-18T17:33:29.325Z"
                       Issuer="https://neuidmssodev.neu.edu/idp/shibboleth" MajorVersion="1" MinorVersion="1"
                       xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml1:Conditions NotBefore="2018-04-18T17:33:29.325Z" NotOnOrAfter="2018-04-18T17:34:29.325Z">
          <saml1:AudienceRestrictionCondition>
            <saml1:Audience>https://bnrxedevh.neu.edu/applicationNavigator/j_spring_cas_security_check</saml1:Audience>
          </saml1:AudienceRestrictionCondition>
        </saml1:Conditions>
        <saml1:AuthenticationStatement AuthenticationInstant="2018-04-18T17:33:29.325Z" AuthenticationMethod="authn/MFA">
          <saml1:Subject>
            <saml1:NameIdentifier>m8k8tt8ck</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
        </saml1:AuthenticationStatement>
        <saml1:AttributeStatement>
          <saml1:Subject>
            <saml1:NameIdentifier>m8k8tt8ck</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
          <saml1:Attribute AttributeName="commonName" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">David Mak</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="eduPersonScopedAffiliation" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">staff@neu.edu</saml1:AttributeValue>
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">member@neu.edu</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="UDC_IDENTIFIER" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">EEE3939EB1DA663B727990E33CDE7F1A</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="neuEduNUID" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">000998514</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="eduPersonPrincipalName" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">000998514</saml1:AttributeValue>
          </saml1:Attribute>
        </saml1:AttributeStatement>
      </saml1:Assertion>
    </saml1p:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
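The mismatch in the report (the log says "Using neuEduNUID for CAS username", but both NameIdentifier elements still carry the default principal) is easy to miss by eye in a SOAP payload. The following script is an added example, not part of the report above and not Shibboleth project code; it parses a CAS samlValidate response with only the Python standard library and reports whether every NameIdentifier equals the single value of the attribute that was configured as the username. The embedded sample is a trimmed, constructed copy of the response quoted above (issuer and IDs replaced with placeholders; the subject and attribute values are the ones the report shows), so running it reproduces the finding the report describes.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a CAS samlValidate (SAML 1.1 over SOAP) response.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml1p": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample: a trimmed copy of the payload quoted in the report above.
# ResponseID, AssertionID and Issuer are placeholders; subject and attribute values
# are the ones the report shows.
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <saml1p:Response MajorVersion="1" MinorVersion="1" ResponseID="ST-placeholder"
                     xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
      <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
      <saml1:Assertion AssertionID="_placeholder" MajorVersion="1" MinorVersion="1"
                       Issuer="https://idp.example.edu/idp/shibboleth"
                       xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml1:AuthenticationStatement AuthenticationMethod="authn/MFA">
          <saml1:Subject><saml1:NameIdentifier>m8k8tt8ck</saml1:NameIdentifier></saml1:Subject>
        </saml1:AuthenticationStatement>
        <saml1:AttributeStatement>
          <saml1:Subject><saml1:NameIdentifier>m8k8tt8ck</saml1:NameIdentifier></saml1:Subject>
          <saml1:Attribute AttributeName="neuEduNUID" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue>000998514</saml1:AttributeValue>
          </saml1:Attribute>
          <saml1:Attribute AttributeName="eduPersonScopedAffiliation" AttributeNamespace="http://www.ja-sig.org/products/cas/">
            <saml1:AttributeValue>staff@neu.edu</saml1:AttributeValue>
            <saml1:AttributeValue>member@neu.edu</saml1:AttributeValue>
          </saml1:Attribute>
        </saml1:AttributeStatement>
      </saml1:Assertion>
    </saml1p:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


def parse_saml1_validate(xml_text):
    """Return (status code, list of NameIdentifier texts, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    status_el = root.find(".//saml1p:Status/saml1p:StatusCode", NS)
    status = status_el.get("Value") if status_el is not None else None
    # Both the AuthenticationStatement and the AttributeStatement carry a Subject.
    name_ids = [e.text for e in root.findall(".//saml1:Subject/saml1:NameIdentifier", NS)]
    attrs = {}
    for attr in root.findall(".//saml1:AttributeStatement/saml1:Attribute", NS):
        values = [v.text for v in attr.findall("saml1:AttributeValue", NS)]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return status, name_ids, attrs


def check_username_override(xml_text, user_attribute):
    """Return a list of findings; empty means the NameIdentifier matches the configured attribute."""
    status, name_ids, attrs = parse_saml1_validate(xml_text)
    findings = []
    if status != "saml1p:Success":
        return [f"status is {status!r}, not saml1p:Success"]
    if not name_ids:
        return ["no NameIdentifier found in the assertion"]
    if len(set(name_ids)) != 1:
        findings.append(f"NameIdentifier values disagree across statements: {name_ids}")
    values = attrs.get(user_attribute)
    if not values:
        # The attribute must be released to the service before it can serve as the username.
        return findings + [f"attribute {user_attribute!r} was not released in the response"]
    if len(values) != 1:
        findings.append(f"attribute {user_attribute!r} is multi-valued: {values}")
    if name_ids[0] not in values:
        findings.append(f"NameIdentifier {name_ids[0]!r} does not match {user_attribute}={values}")
    return findings


if __name__ == "__main__":
    for finding in check_username_override(SAMPLE_RESPONSE, "neuEduNUID") or ["OK"]:
        print(finding)
```

Feed it the decoded SOAP body from the backchannel trace (or the PROTOCOL_MESSAGE debug line) together with the value of p:userAttribute from the relying-party override; an empty result means the override took effect, and the "does not match" finding is the condition the report describes. The check deliberately also flags the attribute not being released and the two Subject elements disagreeing, since either would explain a username that does not change.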