无法使用 SAML 1.1 从 JASIG CAS 3.5 传递属性
Unable to deliver attributes from JASIG CAS 3.5 using SAML 1.1
我正在尝试配置 JASIG CAS 3.5 服务器以通过 SAML 1.1 发布属性,如 here 所述。不幸的是,我做的任何事情似乎都无法将它们发布到我的测试应用程序中。
CAS 服务器配置
我开始使用默认配置 (DeployerConfigContext.xml) 中出现的 StubPersonAttributeDao。我后来尝试设置 JDBC 版本并没有产生任何更好的结果。
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>
我确保我的测试应用程序已获得使用 CAS 的授权,并且允许它使用这些属性。
<bean
id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<!-- MIS Developers -->
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="6" />
<property name="name" value="Grails run-app" />
<property name="description" value="JCC Developers can use this from any PC within the jccadmin domain." />
<property name="serviceId" value="http://.*.my.domain:8080/.*" />
<property name="evaluationOrder" value="6" />
<property name="allowedAttributes">
<list>
<value>uid</value>
<value>eduPersonAffiliation</value>
<value>groupMembership</value>
</list>
</property>
</bean>
</list>
</property>
</bean>
当您在 CAS 服务应用程序中查看属性时,它们会突出显示。
测试
为了了解我的属性是否真的有效,我在 JASIG 网站上创建了一个 CAS testing application by using Gradle and the Jetty plugin to give flesh to the sample code。我的应用程序向服务器进行身份验证,然后发出 SAML 1.1 请求以获取属性。
我已验证它发出了正确的 SAML 请求。
https://my.test.server/cas/samlValidate?TARGET=http%3A%2F%2Fmy.local.machine%3A8080%2Fcas_tester%2F
它从我的 CAS 服务器收到以下响应。
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2017-02-01T14:40:35.328Z"
MajorVersion="1"
MinorVersion="1"
Recipient="http://my.local.machine:8080/cas_tester/"
ResponseID="_a0df351b1081dafe599829f406be79f5">
<Status>
<StatusCode Value="samlp:Success">
</StatusCode>
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_988118abbd06485ab7f1eb684639ce38"
IssueInstant="2017-02-01T14:40:35.328Z"
Issuer="localhost"
MajorVersion="1"
MinorVersion="1">
<Conditions NotBefore="2017-02-01T14:40:35.328Z"
NotOnOrAfter="2017-02-01T14:41:05.328Z">
<AudienceRestrictionCondition>
<Audience>http://my.local.machine:8080/cas_tester/</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement AuthenticationInstant="2017-02-01T14:40:34.312Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<Subject>
<NameIdentifier>coleew01</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
</Assertion>
</Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
无论我做什么,它都不会在响应中显示任何属性。我做错了什么?
感谢您能给我的任何帮助。
原来问题出在属性配置上。在我的 credentialsToPrincipalResolvers bean 中,没有对属性解析器的引用。
<property name="credentialsToPrincipalResolvers">
<list>
<!--
| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
| by default and produces SimplePrincipal instances conveying the username from the credentials.
|
| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
| Credentials you are using.
+-->
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
<!--
| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
| SimpleService identified by that callback URL.
|
| If you are representing services by something more or other than an HTTPS URL whereat they are able to
| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
+-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>
我将对 attributeRepository 的引用放入 UsernamePasswordCredentialsToPrincipalResolver 的 bean 中。
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
<property name="attributeRepository">
<ref bean="attributeRepository"/>
</property>
</bean>
然后我的属性就出来了。 谢谢!
我正在尝试配置 JASIG CAS 3.5 服务器以通过 SAML 1.1 发布属性,如 here 所述。不幸的是,我做的任何事情似乎都无法将它们发布到我的测试应用程序中。
CAS 服务器配置
我开始使用默认配置 (DeployerConfigContext.xml) 中出现的 StubPersonAttributeDao。我后来尝试设置 JDBC 版本并没有产生任何更好的结果。
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>
我确保我的测试应用程序已获得使用 CAS 的授权,并且允许它使用这些属性。
<bean
id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<!-- MIS Developers -->
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="6" />
<property name="name" value="Grails run-app" />
<property name="description" value="JCC Developers can use this from any PC within the jccadmin domain." />
<property name="serviceId" value="http://.*.my.domain:8080/.*" />
<property name="evaluationOrder" value="6" />
<property name="allowedAttributes">
<list>
<value>uid</value>
<value>eduPersonAffiliation</value>
<value>groupMembership</value>
</list>
</property>
</bean>
</list>
</property>
</bean>
当您在 CAS 服务应用程序中查看属性时,它们会突出显示。
测试
为了了解我的属性是否真的有效,我在 JASIG 网站上创建了一个 CAS testing application by using Gradle and the Jetty plugin to give flesh to the sample code。我的应用程序向服务器进行身份验证,然后发出 SAML 1.1 请求以获取属性。
我已验证它发出了正确的 SAML 请求。
https://my.test.server/cas/samlValidate?TARGET=http%3A%2F%2Fmy.local.machine%3A8080%2Fcas_tester%2F
它从我的 CAS 服务器收到以下响应。
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2017-02-01T14:40:35.328Z"
MajorVersion="1"
MinorVersion="1"
Recipient="http://my.local.machine:8080/cas_tester/"
ResponseID="_a0df351b1081dafe599829f406be79f5">
<Status>
<StatusCode Value="samlp:Success">
</StatusCode>
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_988118abbd06485ab7f1eb684639ce38"
IssueInstant="2017-02-01T14:40:35.328Z"
Issuer="localhost"
MajorVersion="1"
MinorVersion="1">
<Conditions NotBefore="2017-02-01T14:40:35.328Z"
NotOnOrAfter="2017-02-01T14:41:05.328Z">
<AudienceRestrictionCondition>
<Audience>http://my.local.machine:8080/cas_tester/</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement AuthenticationInstant="2017-02-01T14:40:34.312Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<Subject>
<NameIdentifier>coleew01</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
</Assertion>
</Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
无论我做什么,它都不会在响应中显示任何属性。我做错了什么?
感谢您能给我的任何帮助。
原来问题出在属性配置上。在我的 credentialsToPrincipalResolvers bean 中,没有对属性解析器的引用。
<property name="credentialsToPrincipalResolvers">
<list>
<!--
| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
| by default and produces SimplePrincipal instances conveying the username from the credentials.
|
| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the
| Credentials you are using.
+-->
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
<!--
| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
| SimpleService identified by that callback URL.
|
| If you are representing services by something more or other than an HTTPS URL whereat they are able to
| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
+-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>
我将对 attributeRepository 的引用放入 UsernamePasswordCredentialsToPrincipalResolver 的 bean 中。
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
<property name="attributeRepository">
<ref bean="attributeRepository"/>
</property>
</bean>
然后我的属性就出来了。 谢谢!