CAS 委托认证和 AttributeReleasePolicies

CAS Delegated Authentication and AttributeReleasePolicies

我们能够使用委托身份验证将 CAS 5.2.6 与 Azure AD (Saml Idp) 集成

当客户端 webapp 部署在 Tomcat-9

上时,集成工作正常

由于 SaxParing 异常,同一客户端 WAR 在 JBoss-EAP 或 Wildfly 中失败 这是因为 Jboss 正在使用 xercesImpl 来解析 Xml,当 xml 元素是数字时会失败。

因此,标准解决方案是在 CAS 服务器端使用 AttributeResolver 配置以确保我们将属性映射到标准名称(与数字名称)

随附 SAML 响应和 CAS 客户端响应

<samlp:Response
Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
ID="_6a00b756-53f4-4702-b329-7a6af0145fa0" InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_337eded3-a927-4674-b78a-77259cfbf784" IssueInstant="2018-10-04T13:22:05.275Z"
    Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_337eded3-a927-4674-b78a-77259cfbf784">
                <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>...</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>...</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
            NotOnOrAfter="2018-10-04T13:27:05.275Z"
            Recipient="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"/></SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2018-10-04T13:17:05.275Z" NotOnOrAfter="2018-10-04T14:17:05.275Z">
        <AudienceRestriction>
            <Audience>spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695</Audience>
        </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
            <AttributeValue>522b3803-a001-4675-b3b5-1d727d43585a</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
            <AttributeValue>8fa1e8a3-41b8-440e-91cf-fafa246ab571</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
            <AttributeValue>xxxxx@AAAA.onmicrosoft.com</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
            <AttributeValue>Firstname Lastname</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
            <AttributeValue>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
            <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
            <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
        </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2018-10-04T09:50:06.611Z"
        SessionIndex="_337eded3-a927-4674-b78a-77259cfbf784">
        <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
        </AuthnContext>
    </AuthnStatement>
</Assertion>

CAS 客户端响应

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
    <cas:user>nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88</cas:user>
    <cas:attributes>
        <cas:isFromNewLogin>true</cas:isFromNewLogin>
        <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>8fa1e8a3-41b8-440e-91cf-fafa246ab571</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6f626a6563746964656e746966696572>
        <cas:authenticationDate>2018-10-04T13:22:05.643Z[Etc/UTC]</cas:authenticationDate>
        <cas:clientName>MY_SAML</cas:clientName>
        <cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
        <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>Firstname Lastname</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f646973706c61796e616d65>
        <cas:notBefore>2018-10-04T13:17:05.275Z</cas:notBefore>
        <cas:credentialType>ClientCredential</cas:credentialType>
        <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
        <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>http://schemas.microsoft.com/claims/multipleauthn</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f636c61696d732f617574686e6d6574686f64737265666572656e636573>
        <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>522b3803-a001-4675-b3b5-1d727d43585a</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f74656e616e746964>
        <cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>myuserID@MYDOMAIN.onmicrosoft.com</cas:687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65>
        <cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
        <cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/</cas:687474703a2f2f736368656d61732e6d6963726f736f66742e636f6d2f6964656e746974792f636c61696d732f6964656e7469747970726f7669646572>
        <cas:notOnOrAfter>2018-10-04T14:17:05.275Z</cas:notOnOrAfter>
        <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
        <cas:sessionindex>_337eded3-a927-4674-b78a-77259cfbf784</cas:sessionindex>
        </cas:attributes>
</cas:authenticationSuccess>

因此,我们需要通过 AttributeResolver

将此属性 - 687474703a2f2f736368656d61732e786d6c736f61702e6f72672f77732f323030352f30352f6964656e746974792f636c61696d732f6e616d65 映射到标准属性名称

我们已经尝试了以下配置,但没有成功

"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "name" : "username",
      "displayname" : "userdisplayname",
      "someattrname" : "groovy { return attributes['name']}"
    }
   }

那么,有人能够通过 AttributeReleasePolicies 映射 attributeNames 吗? 任何与此配置相关的帮助都会非常有用

此问题已解决。我们必须给出属性的完整路径,而不仅仅是名称的一部分

  {
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps)://.*"
  "name" : "SOME-NAME",
  "id" : 200,
  "description" : "This configuration is for app",
  "evaluationOrder" : 10000
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://login.microsoftonline.com/522b3803-a001-4675-b3b5-1d727d43585a/saml2"
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "userid" : "groovy { return attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']}"
      "displayname" : "groovy { return attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname']}"
    }
   }
}

因此,post 此配置更改,现在 SAML 响应返回有意义的名称

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>Elsbhy4pa-ZLcZ7OWNZ-0vKWjqzV4F7UfVYjRJTCjDY</cas:user>
        <cas:attributes>
            <cas:credentialType>ClientCredential</cas:credentialType>
            <cas:isFromNewLogin>false</cas:isFromNewLogin>
            <cas:authenticationDate>2018-10-05T09:20:07.216Z[Etc/UTC]</cas:authenticationDate>
            <cas:authenticationMethod>ClientAuthenticationHandler</cas:authenticationMethod>
            <cas:clientName>SOME_CLIENT</cas:clientName>
            <cas:displayname>FirstName Lastname</cas:displayname>
            <cas:successfulAuthenticationHandlers>ClientAuthenticationHandler</cas:successfulAuthenticationHandlers>
            <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
            <cas:userid>myusername@MYDOMAIN.onmicrosoft.com</cas:userid>
            </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>