Using CAS Attributes

Cantor, Scott cantor.2 at osu.edu
Fri Aug 15 15:52:25 EDT 2014


On 8/15/14, 1:05 PM, "Sacilowski, Tadeusz" <ts2878 at tc.columbia.edu> wrote:
>
>I was wondering how to get the attributes that have already been
>retrieved by CAS over to Shib for release? I know I can just set up an
>LDAP data connector with the appropriate attribute definitions on the
>Shib side, but then we have 2 LDAP lookups for the same principal... one
>on the CAS side and one on the Shib side. I'm sure there's not too much
>of a performance hit using this method, but out of curiosity, I'd like to
>see if there's a way to avoid this.

My guess is you'll conclude it's not worth it, but...

>Some previous searches led me to the general idea of storing
>assertion.getAttributes() in the LoginHandler.SUBJECT_KEY in the
>AuthenticatedNameTranslator class.

I'm not sure I follow that, but the SUBJECT_KEY represents a Java Subject,
and you can attach custom Principal and credential objects to that. You
would need a login handler that knew how to do that, however.

>I also need to create a Data Connector to pull these attributes back
>out, but this is where I'm getting lost.

Well, the attribute resolver has access to the underlying Java Subject, I
think, so anything stored in it would be accessible, and a plugin could be
written to access that. Writing a data connector means writing a Java
plugin, designing an XML schema, and code to configure it with Spring.

You could also create a Scripted attribute definition and use a scripting
language to access the Java Subject via the API and do something that way.

-- Scott
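
An added illustration, not part of the original message and not Shibboleth or CAS code: the Java Subject mechanism described above, using only JDK classes. `CasAttributePrincipal`, `buildSubject` and `lookup` are hypothetical names, and how a login handler or resolver plugin obtains the Subject from the IdP is not shown.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class CasSubjectDemo {
    // Hypothetical principal carrying the attributes CAS has already retrieved.
    static final class CasAttributePrincipal implements Principal {
        private final String name;
        private final Map<String, List<String>> attributes;
        CasAttributePrincipal(String name, Map<String, List<String>> attrs) {
            this.name = Objects.requireNonNull(name);
            // Deep unmodifiable copy: nothing downstream can alter what gets released.
            Map<String, List<String>> copy = new LinkedHashMap<>();
            for (Map.Entry<String, List<String>> e : attrs.entrySet()) {
                copy.put(e.getKey(), Collections.unmodifiableList(new ArrayList<>(e.getValue())));
            }
            this.attributes = Collections.unmodifiableMap(copy);
        }
        @Override public String getName() { return name; }
        // Subject keeps principals in a Set, so equality must be defined.
        @Override public boolean equals(Object o) {
            return o instanceof CasAttributePrincipal
                && name.equals(((CasAttributePrincipal) o).name)
                && attributes.equals(((CasAttributePrincipal) o).attributes);
        }
        @Override public int hashCode() { return Objects.hash(name, attributes); }
    }

    // Login-handler side: attach the principal, then freeze the Subject.
    static Subject buildSubject(String user, Map<String, List<String>> casAttrs) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new CasAttributePrincipal(user, casAttrs));
        subject.setReadOnly(); // later add/remove attempts throw IllegalStateException
        return subject;
    }

    // Resolver side: read one attribute back; empty list when it is absent.
    static List<String> lookup(Subject subject, String attributeId) {
        for (CasAttributePrincipal p : subject.getPrincipals(CasAttributePrincipal.class)) {
            List<String> values = p.attributes.get(attributeId);
            if (values != null) return values;
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        Map<String, List<String>> attrs = new HashMap<>(); // constructed sample values
        attrs.put("eduPersonAffiliation", Arrays.asList("staff", "member"));
        System.out.println(lookup(buildSubject("jdoe", attrs), "eduPersonAffiliation"));
    }
}
```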


