I have set up the latest version of Apereo CAS, 5.3.0. I want it to return the username as a uid attribute in the SAML response. I have made what I believe are the appropriate changes to cas.properties and the service registry JSON file, but CAS somehow only returns the default attributes (UsernamePasswordCredential, samlAuthenticationStatementAuthMethod, isFromNewLogin, authenticationDate, authenticationMethod, successfulAuthenticationHandlers, longTermAuthenticationRequestTokenUsed). Note that this is only a POC setup, so there is no LDAP or similar configured. There is only one user on the CAS system; when that user (uone@email.cuhybrid.com) sends a SAML request, the SAML response after authentication should simply send the username (uone) back as the value of a uid attribute.
CAS.properties
cas.server.name: https://sso.idp.cuhybrid.com:8443
cas.server.prefix: https://sso.idp.cuhybrid.com:8443/cas
cas.adminPagesSecurity.ip=127\.0\.0\.1
logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.config.location: classpath:/services
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:///etc/cas/services
cas.authn.samlIdp.entityId=https://sso.idp.cuhybrid.com:443/cas/idp
cas.authn.samlIdp.scope=idp.cuhybrid.com
cas.authn.file.separator=::
cas.authn.file.filename=file:/etc/cas/config/password.txt
cas.authn.file.passwordEncoder.type=NONE
#release attributes
#cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.attributeRepository.attributes.uid=uid
#cas.authn.samlIdp.principalAttributeId=uid
#cas.authn.ldap[0].principalAttributeId=uid
cas.authn.samlIdp.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.samlIdp.attributeRepository.defaultAttributesToRelease=uid
cas.authn.samlIdp.attributeRepository.attributes.id=uid
cas.authn.attributeRepository.json.config.location=file:/etc/cas/config/attribute-repository.json
#cas.authn.attributeRepository.defaultAttributesToRelease=uid
cas.authn.attributeRepository.samlIdp[0].id=uid
cas.authn.attributeRepository.samlIdp[0].attributes.id=uid
password.txt
uone@email.cuhybrid.com::T1swo123=
attribute-repository.json (this file is only for testing purposes; it is not really used later. I would rather map the incoming user request to a username and send that back in the SAML response, e.g. map uone@email.com to uid: uone.)
{
"uone": {
"firstName":["fname"],
"lastName":["lname"]
}
}
/etc/cas/services/service.json
{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"serviceId" : "https://broker.wbx.com.*",
"name" : "Broker",
"id" : 20000001,
"evaluationOrder" : 10,
"metadataLocation" : "https://sso.idp.cuhybrid.com:8443/idb-meta-test-org1.xml",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "uid" ] ]
}
}
SAML response (the expected uid is missing from the attribute list): after the configuration above, I expected the username (uone) to be present in the SAML response's attribute list under the name uid. But somehow the attribute list only contains the default values.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
Destination="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"
ID="_7652370489182156752" InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
IssueInstant="2018-06-14T10:49:11.334Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_7652370489182156752">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>QVZFqX3IZhmlpVXtl6r4d8k9d8SC5jkX/Q+1a39gsS8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>EaAo6LKZYJn8b2Nm7M1QhfUyCtMYR2wqFm4+HdABhJT/3TDVlrsrhgz8fCRHM+zAFDQrsAXLokzEyj0q+riKsy3aOWVPIFhaOpctJuCS6/MvLBW/a2ZKU9rKNgawrVNWNOu6pAm0IgBQYd5SJnNyCEZnOQWk+H2f9YuqjWOlFw4HicNVisp9bZnXQJPQ9HMKSntgazLtJktuWhjdYMwjEpMckV0Smr/2A2A4tnmyXhBSu7DOm2k8OnqAdFyYydsDDyY0GyzV1PD/NXdXE65ZjbSner4NESV10GzKEUp+PoAFhd3zY9jGBc435BzD01L43anDZbEJ/pdTsogqVjSuQQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIWOjCCAiKgAwIBAgIVAIWJG4KZJNKnPfAtwXfzO5ZasZXKMA0GCSqGSIb3DQEBCwUAMCExHzAd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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion ID="_9139863724074917757" IssueInstant="2018-06-14T10:49:11.326Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4"
SPNameQualifier="https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4">nm8GLI16mgBl2pJWfWI+zbKBpTg=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="s2fe0472a8afe2e85be4255a7b4f4dd1533da13ec6"
NotOnOrAfter="2018-06-14T10:49:16.029Z"
Recipient="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp"/></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2018-06-14T10:49:11.333Z" NotOnOrAfter="2018-06-14T10:49:16.333Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2018-06-14T10:49:11.029Z" SessionIndex="_8331287344390871950"><saml2:SubjectLocality Address="64.68.99.6"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="credentialType" Name="credentialType"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>UsernamePasswordCredential</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod"
Name="samlAuthenticationStatementAuthMethod"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>2018-06-14T10:49:10.650Z[Etc/UTC]</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="successfulAuthenticationHandlers"
Name="successfulAuthenticationHandlers" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed"
Name="longTermAuthenticationRequestTokenUsed"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>false</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Expected SAML response attribute: the attribute is expected to look as follows, with the username (uone) as the value.
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uone</saml:AttributeValue>
</saml:Attribute>
cas.log
2018-06-14 10:22:11,638 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes [{}] for [uone@email.cuhybrid.com]>
2018-06-14 10:22:11,639 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy [ReturnMappedAttributeReleasePolicy] to process attributes for [castestorg1agent1@mailinator.com]>
2018-06-14 10:22:11,639 DEBUG [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Attempting to map allowed attribute name [uid]>
2018-06-14 10:22:11,639 DEBUG [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Mapping attribute [uid] to [uid] with value [null]>
2018-06-14 10:22:11,640 WARN [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <Could not find value for mapped attribute [uid] that is based off of [uid] in the allowed attributes list. Ensure the original attribute [uid] is retrieved and contains at least a single value. Attribute [uid] will and can not be released without the presence of a value.>
2018-06-14 10:22:11,640 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy [ReturnMappedAttributeReleasePolicy] allows release of [{}] for [uone@email.cuhybrid.com]>
2018-06-14 10:22:11,640 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2018-06-14 10:22:11,640 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2018-06-14 10:22:11,641 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2018-06-14 10:22:11,641 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [[uid]]>
2018-06-14 10:22:11,642 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are [{}]>
2018-06-14 10:22:11,645 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2018-06-14 10:22:11,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2018-06-14 10:22:11,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Finalizing attributes release phase for principal [castestorg1agent1@mailinator.com] accessing service [https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4] defined by registered service [https://broker.wbx.com.*]...>
2018-06-14 10:22:11,646 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{}]>
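The log above is explicit about what the release policy produced: `uid` is mapped "with value [null]", the policy allows release of `{}`, and the final collection is `{}`. The attributes that nevertheless reach the SP (credentialType, authenticationMethod, successfulAuthenticationHandlers and the rest) are CAS authentication metadata copied from the authentication, not principal attributes, so no attribute repository lookup is succeeding for this principal. Before iterating on the properties again it helps to have a check that reads the captured response itself and says what was released, what is missing and what is leaking. The following Python script is an added example and not code from the question or from Apereo CAS. It parses a SAML 2.0 response with the standard library, flattens the AttributeStatement, and compares it with the attribute set the SP is supposed to receive. The embedded response is a constructed, trimmed copy of the one shown above (Signature, KeyInfo and AuthnStatement removed, attribute set unchanged); the function names `released_attributes`, `audit_release` and `local_part`, the `AUTHN_METADATA` set and the `expected` mapping format are this example's own conventions.

```python
"""Audit which attributes a CAS SAML 2.0 response actually releases.

Added example, not code from the question or from Apereo CAS. It reads a
saml2p:Response, flattens every AttributeStatement into a dict and compares
it with the attributes the service provider is supposed to receive.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: trimmed copy of the response in the question
# (Signature, KeyInfo and AuthnStatement removed; attribute set unchanged).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_7652370489182156752" Version="2.0" IssueInstant="2018-06-14T10:49:11.334Z"
    Destination="https://broker.wbx.com/idb/Consumer/metaAlias/7008c104-1703-4314-ac75-ce7bbdb7c6f4/sp">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_9139863724074917757" Version="2.0" IssueInstant="2018-06-14T10:49:11.326Z">
    <saml2:Issuer>https://sso.idp.cuhybrid.com:443/cas/idp</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">nm8GLI16mgBl2pJWfWI+zbKBpTg=</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-06-14T10:49:11.333Z" NotOnOrAfter="2018-06-14T10:49:16.333Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://broker.wbx.com/7008c104-1703-4314-ac75-ce7bbdb7c6f4</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="credentialType"><saml2:AttributeValue>UsernamePasswordCredential</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="samlAuthenticationStatementAuthMethod"><saml2:AttributeValue>urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="isFromNewLogin"><saml2:AttributeValue>true</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="authenticationDate"><saml2:AttributeValue>2018-06-14T10:49:10.650Z[Etc/UTC]</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="authenticationMethod"><saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="successfulAuthenticationHandlers"><saml2:AttributeValue>FileAuthenticationHandler</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="longTermAuthenticationRequestTokenUsed"><saml2:AttributeValue>false</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

# Attribute names CAS copies from the Authentication object (the set seen in
# the question's response). They describe how the IdP authenticated, not who
# the user is, and an SP rarely needs them.
AUTHN_METADATA = {
    "credentialType", "samlAuthenticationStatementAuthMethod", "isFromNewLogin",
    "authenticationDate", "authenticationMethod",
    "successfulAuthenticationHandlers", "longTermAuthenticationRequestTokenUsed",
}


def local_part(principal_id):
    """'uone@email.cuhybrid.com' -> 'uone': the value the question wants in uid."""
    return principal_id.split("@", 1)[0]


def released_attributes(xml_text):
    """Return {Name: [values]} for every Attribute in the response's assertions."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def audit_release(xml_text, expected):
    """Compare released attributes with `expected` ({Name: value or None}).

    A None value means the attribute must be present with any value. The
    report lists missing names, names whose value differs, names the SP did
    not ask for, and the subset of those that are CAS authentication metadata.
    """
    released = released_attributes(xml_text)
    missing = [n for n in expected if n not in released]
    wrong_value = {n: released[n] for n, v in expected.items()
                   if n in released and v is not None and v not in released[n]}
    unexpected = sorted(n for n in released if n not in expected)
    return {
        "released": released,
        "missing": missing,
        "wrong_value": wrong_value,
        "unexpected": unexpected,
        "leaked_authn_metadata": sorted(set(unexpected) & AUTHN_METADATA),
        "ok": not missing and not wrong_value,
    }


if __name__ == "__main__":
    import json
    report = audit_release(SAMPLE_RESPONSE, {"uid": local_part("uone@email.cuhybrid.com")})
    print(json.dumps(report, indent=2))
```

Run it against the response decoded from the SAMLResponse form parameter at the SP (or from a browser SAML tracer capture). For the state shown in the question it reports `uid` as missing and all seven authentication-metadata attributes as unexpected; once the attribute repository actually supplies `uid` for the principal, `ok` becomes true and the remaining `leaked_authn_metadata` list is what a production release policy should still trim. The script checks content only; it does not verify the XML signature, which remains the SP's job.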