Tags: attributes, saml, cas, saml-2.0, shibboleth

CAS and Shibboleth Integration releasing Principal Name (Username) as an attribute in SAML


I feel like I've searched high and low for what should be a simple configuration, and come up empty.

I'm completely new to Shibboleth, although I've worked with CAS a little bit, nothing too intense. I have it set up (following the guide at: https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration) so that Shibboleth redirects to CAS for authentication. This works fine, and once the user is authenticated, they get redirected through Shibboleth, and the SAML response gets sent out. I'm testing using https://sp.testshib.org and it's properly receiving the response and displaying the page.

What I can't seem to figure out is how to release just a simple attribute with the username used to log into CAS. I know Shibboleth sees it (from the idp-process.log), but I can't figure out what to put in the attribute-resolver.xml and attribute-filter.xml to release this.

The current SAML response looks like this:

<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_da56752846e00c2693ece2c486d7c870" IssueInstant="2012-11-16T14:08:07.570Z" Version="2.0">
   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://<idpurl>/idp/shibboleth</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#_da56752846e00c2693ece2c486d7c870">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>7OHKEiEQ0ZcPDcnt4B8PIGoLEfw=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>S3FZI+KpNf8wUYWMA96ccAj0Y5ebojB1xKHlixHWNEr4voqHOGSpBzxdui0IVtUwLEzj4RrDFdYarJaZj6ltzFV4hfNx5bN88zYQG6w9BBP9UybG+81Wrhii2O31AmRz2Y6XIqa72CeN2R4DKo70awn6FXIPLAcEKs+7dAG2lQ87VS3Wv126DghE/eGcMLW6+z9a3MxXtUFSmWYosaIbNREJn4mGO/uGzD27eeo6SNmvBx/BgVh7T2cOIbtD8b9OOZT8Urt0kZ2nsoCZHgp1T0V6ZgnE2TDvPTInrxzC5c4S+YOYZlB0ijMI6pk+PpJGshe7MVUcEO34Nn0I3i0OUw==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate><!--Valid Certificate--></ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://<idpurl>/idp/shibboleth" SPNameQualifier="https://sp.testshib.org/shibboleth-sp">_4b1a2780b2ce3db36ea7e7f6192b7108</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="<valid ip address>" InResponseTo="_aa4e23dd783eddb1be18ad224c26e7cf" NotOnOrAfter="2012-11-16T14:13:07.570Z" Recipient="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2012-11-16T14:08:07.570Z" NotOnOrAfter="2012-11-16T14:13:07.570Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp.testshib.org/shibboleth-sp</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2012-11-16T14:08:07.554Z" SessionIndex="00568a153d3cccf9c17abf2c77a043ed8b74a74fe5e2c61000590269aa87f99a">
      <saml2:SubjectLocality Address="<valid ip address>"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
</saml2:Assertion> 

I just need an example of how to get this set up. I've read all the documentation on wiki.shibboleth.net and still can't seem to get it.

Thank you so much in advance for your help, I know it's just a configuration thing, but it's making my brain feel dumb, and I haven't even tried integrating with something more intense than TestShib!

EDIT: I found this setup guide which partially helps, I was able to pass out the name as an attribute by searching against the active directory, but this isn't a proper long term solution, since CAS can check more than one user repository, and it's not necessarily the same one that this will check to get it. I just want to release ${requestContext.principalName} as an attribute.

Any better ideas? Maybe a static connector, but I'm not sure how to get it to resolve the ${requestContext.principalName}?


Solution

  • In the end I was able to figure it out. Posting the solution here for anyone else that ever comes across this and gets lost in the swamp of details that should be simple.

    In the attribute-resolver.xml file for Shibboleth, I had to add the following resolver:

    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    
        <resolver:AttributeEncoder
            xsi:type="SAML1String"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:principal" />
    
        <resolver:AttributeEncoder
            xsi:type="SAML2String"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
            friendlyName="principal" />
    
    </resolver:AttributeDefinition>
    

    In the attribute-filter.xml I needed to add the following filter:

    <AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY"/>
        <AttributeRule attributeID="principal">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>


    Change your Policy Requirement Rule if you don't want to release the principal to every SP.

    It's amazing that something this simple doesn't seem to be documented clearly anywhere. I looked through the Shibboleth documents for way longer than this should have taken, and finally found the clue in a Google Groups post someone had made about wanting to change the value of PrincipalName.

    I hope this helps someone else!
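For the "change your Policy Requirement Rule" advice above, here is a restricted version of the same attribute-filter.xml policy. This is an added example, not part of the original answer: it keeps the `principal` attribute rule but replaces the `basic:ANY` requirement with a `basic:OR` of `basic:AttributeRequesterString` rules, so the principal name is released only to the SPs whose entityIDs are listed (Shibboleth IdP 2.x filter syntax). The TestShib entityID is the one from the question; the second entityID and the policy id are placeholders.

```xml
<!-- Added example (not from the original answer): release "principal" only to
     named SPs instead of to anyone. The second entityID is a placeholder. -->
<AttributeFilterPolicy id="releasePrincipalToKnownSPs">
    <PolicyRequirementRule xsi:type="basic:OR">
        <!-- entityID of the TestShib SP used in the question -->
        <basic:Rule xsi:type="basic:AttributeRequesterString"
                    value="https://sp.testshib.org/shibboleth-sp" />
        <!-- placeholder: entityID of your own production SP -->
        <basic:Rule xsi:type="basic:AttributeRequesterString"
                    value="https://sp.example.org/shibboleth" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="principal">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

The `basic` prefix is the one the stock attribute-filter.xml already declares as `xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"`, so no extra namespace declaration is needed. The requester string is compared against the SP's entityID as it appears in the IdP's metadata, so it must match exactly (including the scheme and any trailing path). With the two policies side by side, the original one releases the login name to every SP that can reach the IdP, while this one limits it to the relying parties you have actually vetted.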