-
-
Save kevinfoote/6908427 to your computer and use it in GitHub Desktop.
| <!-- | |
| PULL and Map HeadarAttributes for use | |
| --> | |
| <bean id="currentUserProvider" | |
| class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler"/> | |
| <bean id="usernameAttributeProvider" class="org.jasig.services.persondir.support.SimpleUsernameAttributeProvider"> | |
| <property name="usernameAttribute" value="username" /> | |
| </bean> | |
| <bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter"> | |
| <property name="usernameAttribute" value="userName" /> | |
| <property name="additionalDescriptors" ref="requestAdditionalDescriptors" /> | |
| <property name="remoteUserAttribute" value="userName" /> | |
| <property name="serverNameAttribute" value="serverName" /> | |
| <property name="processingPosition" value="BOTH" /> | |
| <property name="headerAttributeMapping"> | |
| <map> | |
| <entry key="eppa" value="eduPersonPrimaryAffiliation" /> | |
| <entry key="uid" value="uid" /> | |
| <entry key="eppn" value="eduPersonPrincipalName" /> | |
| </map> | |
| </property> | |
| </bean> | |
| <bean id="requestAdditionalDescriptors" class="org.jasig.services.persondir.support.MediatingAdditionalDescriptors"> | |
| <property name="delegateDescriptors"> | |
| <list> | |
| <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="globalSession"> | |
| <aop:scoped-proxy /> | |
| </bean> | |
| <bean class="org.jasig.services.persondir.support.AdditionalDescriptors" scope="request"> | |
| <aop:scoped-proxy /> | |
| </bean> | |
| </list> | |
| </property> | |
| </bean> | |
| <bean id="requestAttributesDao" class="org.jasig.services.persondir.support.AdditionalDescriptorsPersonAttributeDao"> | |
| <property name="descriptors" ref="requestAdditionalDescriptors" /> | |
| <property name="usernameAttributeProvider" ref="usernameAttributeProvider" /> | |
| </bean> | |
| <!-- | |
| END building attributes | |
| --> | |
| <!-- | |
| The attribute list is sort of dynamic now due to the fact that you are | |
| creating the backingMap through the filter step above. It is assumed | |
| you know the data that is going through the filter and if you want it or | |
| not. | |
| --> | |
| <bean id="attributeRepository" | |
| class="org.jasig.services.persondir.support.MergingPersonAttributeDaoImpl"> | |
| <property name="usernameAttributeProvider" ref="usernameAttributeProvider" /> | |
| <property name="personAttributeDaos"> | |
| <list> | |
| <ref bean="requestAttributesDao" /> | |
| <!--ref bean="mergedPersonAttributeDao" /--> | |
| </list> | |
| </property> | |
| </bean> |
OK ... ALL ...
I'm very sorry for the long delay .. (switched jobs and moved my family across the US) wow..
So I did leave out a very important detail that @willfi pointed out on the previous post. You need to add a filter to the web.xml file to make the header attributes present in the request scope.
Here is my block from the web.xml file
<filter>
<filter-name>requestAttributeSourceFilter</filter-name>
<filter-name>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
...then
<filter-mapping>
<filter-name>requestAttributeSourceFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
So with those in place the attribute DAO should be able to see and extract the attributes delivered from shib.
Again apologies.. I'll update the shib wiki page also
- Kevin
HI, everyone. I have a problem with basic understanding in configuration and communication between CAS and Shibboleth service provider. I've made all changes mentioned above (trusted handler configuration) and also configured Apache to interact with CAS as described in this guide (https://wiki.shibboleth.net/confluence/display/SHIB2/Shibbolize+a+CAS+server#ShibbolizeaCASserver-ApacheLocations). I see that people above was able setup this configuration and make it working. But I don't understand how basically interaction between CAS and Shibboleth SP performed. My IdP and SP interacting between each other. But I don't see any attempts from the Shibboleth SP send headers with attributes to CAS. I suspect that I am missing something in apache/SP configs, but I am out of idea what that can be. Here is example of the apache config:
UseCanonicalName On
#ProxyPassReverse / ajp://localhost:28009/ retry=5
ProxyPass / ajp://localhost:28009/ retry=5
<Location ~ "^/cas/login">
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
Require valid-user
</Location>
<Location ~ "^/cas/serviceValidate">
AuthType shibboleth
ShibRequestSetting requireSession 0
Require shibboleth
</Location>
<Location ~ "^/cas/samlValidate">
AuthType shibboleth
ShibRequestSetting requireSession 0
Require shibboleth
</Location>
<Location ~ "^/cas/proxy">
AuthType shibboleth
ShibRequestSetting requireSession 0
Require shibboleth
</Location>
<Location ~ "^/cas/proxyValidate">
AuthType shibboleth
ShibRequestSetting requireSession 0
Require shibboleth
</Location>
I am not sure about proxy pass needed or not. I've tried with and without. Also I can't find following values to replace in my /WEB-INF/login-webflow.xml:
And 3 existing transitions need to be update:
In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
In the decision-state renewRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
In the action-state generateServiceTicket, replace reference to viewLoginForm by remoteAuthenticate
I have only:
<decision-state id="gatewayRequestCheck">
<if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null" then="gatewayServicesManagementCheck" else="serviceAuthorizationCheck" />
</decision-state>
<decision-state id="renewRequestCheck">
<if test="requestParameters.renew != '' and requestParameters.renew != null" then="serviceAuthorizationCheck" else="generateServiceTicket" />
</decision-state>
<action-state id="generateServiceTicket">
<evaluate expression="generateServiceTicketAction" />
<transition on="success" to ="warn" />
<transition on="error" to="generateLoginTicket" />
<transition on="gateway" to="gatewayServicesManagementCheck" />
</action-state>
This is default CAS deployment configuration.
Abt environment: I have configured Shibbilth IdP(under Tomcat7) and SP(proxied by Apache2.2), CAS(under Tomcat7)
I will appreciate any help and advises.
I got this (mostly) working on my test site, but just as a note, I also added the following to cas-server-webapp/src/main/webapp/WEB-INF/web.xml
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener
</listener-class>
</listener>
Mentioning it because I haven't seen it in the threads above and it was key to getting this working.
Hi,
Suppose, I want to include password field in request attributeMap object. Could you please help me?
Thanks
Srinivas
Hi,
Do you also have some kind of filter (or listener) configuration in web.xml?
I tried the one mentioned on https://wiki.jasig.org/display/PDM15/Request+Header+Attribute+Source.
As a result I can see this line in cas.log:
..but the login page shows a horrible stacktrace...
I would appreciate any ideas (having same version as 'sabordeaux')