Setting up IdP3 to release set of attributes only to CAS users

Marvin Addison marvin.addison at
Thu Aug 13 15:57:38 EDT 2015

> We’re setting up IdP3 and want to release a set of attributes to only
> users that login via CAS. Has anyone done this?

Yes. Scott mentioned in another reply that SAML metadata support is
intended for the future, but there's a simple CAS-specific metadata
facility called "ServiceRegistry" that allows you to create regular
expressions for CAS services and assign them to a metadata group. Following
is an example from our institution in conf/cas-protocol.xml:

    <bean id="cas.serviceRegistry"
          class="net.shibboleth.idp.cas.service.PatternServiceRegistry">
        <property name="definitions">
            <list>
                <!-- The original regex and group URN did not survive in the
                     archive; both values below are placeholders. The regex
                     is meant to match every https service in the
                     institutional domain. -->
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.edu(:\d+)?/.*"
                      p:group="urn:example:cas-services"
                      p:authorizedToProxy="false" />
            </list>
        </property>
    </bean>

This puts all https services in our institutional domain in a metadata
group identified by the URN "". Then you can do a
group-based metadata filter in attribute-filter.xml:

  <!-- Hokies release policy -->
  <AttributeFilterPolicy id="releaseToHokies">
    <!-- groupID is a placeholder; it must equal the p:group value of the
         ServiceDefinition in cas-protocol.xml -->
    <PolicyRequirementRule xsi:type="saml:InEntityGroup"
        groupID="urn:example:cas-services" />
    <AttributeRule attributeID="uid">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>

Please let me know if you have further questions.
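Since the group membership of a CAS service, and therefore the attribute release, hinges entirely on the service regex, it is worth checking a candidate pattern against URLs that should and should not land in the group before putting it in cas-protocol.xml. The script below is an added illustration, not part of the original post or of the IdP code base; the domain, group URN and sample URLs are constructed placeholders, and it assumes the registry compares the pattern against the whole service URL (anchor your pattern so that assumption does not matter).

```python
import re

# Constructed stand-in for the cas.serviceRegistry "definitions" list:
# (regex, metadata group, authorizedToProxy). The domain and the group URN
# are placeholders, not the values from the original post.
TIGHT_DEFINITIONS = [
    (r"https://([A-Za-z0-9_-]+\.)*example\.edu(:\d+)?/.*",
     "urn:example:cas-services", False),
]

# A deliberately loose pattern for comparison: no scheme restriction and
# no anchoring of the host, so lookalike domains slip into the group.
LOOSE_DEFINITIONS = [
    (r"https?://.*example\.edu.*", "urn:example:cas-services", False),
]


def lookup_group(service_url, definitions):
    """Return the metadata group of the first definition whose regex matches
    the whole service URL, or None when the service is unregistered.
    Full-match semantics are an assumption of this script."""
    for regex, group, _authorized_to_proxy in definitions:
        if re.fullmatch(regex, service_url):
            return group
    return None


# Constructed service URLs: two that belong in the group, three that do
# not (plain http, a lookalike suffix, and an unrelated host).
SAMPLE_URLS = {
    "https://app.example.edu/login": True,
    "https://sso.app.example.edu:8443/cas/callback": True,
    "http://app.example.edu/login": False,
    "https://example.edu.attacker.test/login": False,
    "https://notexample.edu/login": False,
}


def misclassified(definitions):
    """List the sample URLs whose group assignment disagrees with the
    intended classification, so a registry change can be reviewed."""
    return [url for url, expected in SAMPLE_URLS.items()
            if (lookup_group(url, definitions) is not None) != expected]


if __name__ == "__main__":
    print("tight pattern misclassifies:", misclassified(TIGHT_DEFINITIONS))
    print("loose pattern misclassifies:", misclassified(LOOSE_DEFINITIONS))
```

The tight pattern classifies every sample correctly, while the loose one admits the http URL and both lookalike hosts into the release group.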
