Tags: single-sign-on, kerberos, saml-2.0, cas, apereo

Saml assertion response does not include all attributes


  • I'm working on the CAS APEREO SSO IDP 5.3.X.
  • The IDP is connected to AD, SPNEGO & KERBEROS are enabled.
  • I set up a service provider to use the SAML2 protocol to authenticate users (generated metadata, configured the service, etc.).
  • The authentication is working fine.
  • When using incognito mode in the browser, all attributes are returned in the SAML response: email, memberOf, etc.
  • In normal mode only the user id is returned. Even if the email address is required in the NameID, CAS returns the user id, indicating that it could not retrieve the email attribute.
  • I think it is related to the use of Kerberos cookies to authenticate, but I couldn't find out why the attributes are not returned in normal mode.
  • I used two workarounds to return all attributes: deactivate SSO when declaring the service, or deactivate Kerberos using an HTTP header.

Is there any way to get all attributes in normal mode without deactivating SSO/Kerberos?

Thank you.


Solution

  • Just to keep you informed about the resolution. It was related to the difference between the LDAP filters.

    cas.authn.attributeRepository.ldap[0].searchFilter=
    cas.authn.ldap[0].searchFilter=
    

    In SSO with Kerberos enabled, the attributeRepository filter is used. When Kerberos is not used, the LDAP authentication filter is used (cas.authn.ldap[0].searchFilter).

    In addition, I had to define the list of attributes to be mapped in the attribute repository:

    cas.authn.attributeRepository.ldap[0].attributes.mail= mail
    cas.authn.attributeRepository.ldap[0].attributes.cn= cn
    cas.authn.attributeRepository.ldap[0].attributes.givenName= givenName
    ...
    

    This answer and the CAS debug log level were helpful.

    It was somewhat tricky because of sub-scenarios (cached responses, etc.). Each time I had to restart the server and clean up cookies to restart the investigation.

    Hope it can help someone else. Best Regards.
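The following cas.properties fragment is an added illustration of the two code paths the answer describes, not the poster's own configuration. It assumes CAS 5.3 property names, an Active Directory backend reachable at ldaps://ad.example.internal, a placeholder base DN and bind account, and sAMAccountName as the login attribute; the SPNEGO principal-name setting is included because a principal id that still carries the Kerberos realm suffix will not match a plain sAMAccountName filter in the attribute repository.

```properties
# Added example (assumed hostnames, DNs, credentials and attribute names).

# 1. LDAP authentication handler: used on the form-login path (no Kerberos).
#    {user} is substituted with the submitted username.
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ad.example.internal
cas.authn.ldap[0].baseDn=OU=Users,DC=example,DC=internal
cas.authn.ldap[0].bindDn=CN=cas-svc,OU=Service Accounts,DC=example,DC=internal
cas.authn.ldap[0].bindCredential=CHANGE-ME
cas.authn.ldap[0].searchFilter=(sAMAccountName={user})
cas.authn.ldap[0].principalAttributeList=mail,cn,givenName,memberOf

# 2. SPNEGO/Kerberos: the handler authenticates via the ticket and does NOT
#    consult the LDAP authentication handler above. Strip the realm so the
#    principal id is the bare account name the repository filter expects.
cas.authn.spnego.principalWithDomainName=false

# 3. Attribute repository: the only source of attributes on the Kerberos
#    SSO path. Its filter must select the same AD object as the handler
#    in section 1, and {0} is the person-directory placeholder for the
#    resolved principal id.
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ad.example.internal
cas.authn.attributeRepository.ldap[0].baseDn=OU=Users,DC=example,DC=internal
cas.authn.attributeRepository.ldap[0].bindDn=CN=cas-svc,OU=Service Accounts,DC=example,DC=internal
cas.authn.attributeRepository.ldap[0].bindCredential=CHANGE-ME
cas.authn.attributeRepository.ldap[0].searchFilter=(sAMAccountName={0})

# Attributes must be mapped explicitly (LDAP attribute -> CAS attribute);
# an unmapped attribute is never fetched, so the SAML assertion omits it.
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf
```

Two checks are worth doing after such a change: compare the two searchFilter values side by side so that both resolve the same directory object, and confirm the registered service's attribute release policy actually allows mail and memberOf, since an attribute that the repository fetches but the policy withholds is equally absent from the assertion. Clearing the TGC and SPNEGO cookies before each test, as the answer notes, avoids reading a cached ticket as a configuration result.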