missing attributes in output from idpv3 /cas/serviceValidate

Paul B. Henson henson at cpp.edu
Wed Apr 6 17:22:22 EDT 2016


On Wed, Apr 06, 2016 at 08:12:29PM +0000, Cantor, Scott wrote:

> I looked at the flow definition, and it seems quite clear that
> samlValidate resolves attributes and serviceValidate doesn't. Also,
> there are no actions to generate any kind of SAML response. If the
> attributes are supposed to be in SAML form, no, the serviceValidate
> flow doesn't do that at the moment.

They're not supposed to be in SAML form, they're supposed to look like
this (as returned by my current CAS server):

$ curl -X POST -d service=https://login.proxy-dev.library.cpp.edu/login -d ticket=ST-580514-uqTugcVvDkpMwpcxKaEf-prometheus 'https://auth.cpp.edu/cas/serviceValidate'
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:authenticationSuccess>
                <cas:user>henson</cas:user>
                <cas:attributes>
                    <cas:cppEduPersonAffiliation>eoc_essential</cas:cppEduPersonAffiliation>
                    <cas:cppEduPersonAffiliation>employee</cas:cppEduPersonAffiliation>
                    <cas:cppEduPersonAffiliation>member</cas:cppEduPersonAffiliation>
                    <cas:cppEduPersonAffiliation>staff</cas:cppEduPersonAffiliation>
                </cas:attributes>
        </cas:authenticationSuccess>
</cas:serviceResponse>

The XML generated by the serviceValidate endpoint is supposed to include
a cas:attributes section if there are any attributes released. While
the CAS 2.0 protocol serviceValidate specification did not originally
include attribute support, it was unofficially extended to do so and
that support was officially codified in the 3.0 version of the protocol.

Ah, here we go, from the wiki:

https://wiki.shibboleth.net/confluence/display/IDP30/CasProtocolConfiguration

"The XML response delivered by the /serviceValidate URI includes the <cas:attributes> extension supported by most CAS clients"

I knew I saw that somewhere when I was initially looking at the idp CAS
support. So per the documentation there should be attributes in the response
but there aren't. I'm pretty sure I've got the release policy set up right
given the attributes are being returned by the saml endpoint? Was there
perhaps a regression in the 3.2.1 release?

Thanks...

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768
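The message above shows the shape of a CAS 3.0 /serviceValidate response that carries a cas:attributes block with a multi-valued attribute. The following parser is an added example written for this page; it is not code from the Shibboleth IdP, from a CAS client library, or from anyone in the thread. It reads the response strictly by namespace, distinguishes authenticationSuccess from authenticationFailure, and collects repeated child elements into lists, so a client can tell "attributes released" apart from "attributes missing" (the situation being reported). The sample responses are constructed from the one in the message; the function and class names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# CAS protocol namespace used by every element in a serviceValidate response.
CAS_NS = "http://www.yale.edu/tp/cas"


def _cas(tag):
    """Build the Clark-notation name for a cas:* element."""
    return "{%s}%s" % (CAS_NS, tag)


class CasValidationError(Exception):
    """Raised when the response is malformed or reports an authentication failure."""


def parse_service_validate(xml_text):
    """Parse a CAS 2.0/3.0 serviceValidate response.

    Returns {"user": str, "attributes": {name: [values...]}} on success.
    Raises CasValidationError on an authenticationFailure or on any response
    that does not look like a CAS serviceResponse. Only namespaced cas:*
    elements are accepted; anything in another namespace is ignored.
    """
    # Note: ElementTree does not fetch external entities, but a defensive
    # client should still cap the response size before parsing untrusted XML.
    root = ET.fromstring(xml_text)
    if root.tag != _cas("serviceResponse"):
        raise CasValidationError("root element is not cas:serviceResponse")

    failure = root.find(_cas("authenticationFailure"))
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError("%s: %s" % (code, (failure.text or "").strip()))

    success = root.find(_cas("authenticationSuccess"))
    if success is None:
        raise CasValidationError("response has neither success nor failure element")

    user_el = success.find(_cas("user"))
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("cas:authenticationSuccess without a cas:user")

    # Collect attributes; repeated elements (e.g. several affiliations)
    # become a list under one key, preserving document order.
    attributes = defaultdict(list)
    attr_el = success.find(_cas("attributes"))
    if attr_el is not None:
        prefix = "{%s}" % CAS_NS
        for child in attr_el:
            if not child.tag.startswith(prefix):
                continue  # skip elements outside the CAS namespace
            attributes[child.tag[len(prefix):]].append((child.text or "").strip())

    return {"user": user_el.text.strip(), "attributes": dict(attributes)}


# Constructed sample: a success response with a multi-valued attribute,
# modelled on the one pasted in the message.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>henson</cas:user>
    <cas:attributes>
      <cas:cppEduPersonAffiliation>eoc_essential</cas:cppEduPersonAffiliation>
      <cas:cppEduPersonAffiliation>employee</cas:cppEduPersonAffiliation>
      <cas:cppEduPersonAffiliation>member</cas:cppEduPersonAffiliation>
      <cas:cppEduPersonAffiliation>staff</cas:cppEduPersonAffiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a success response with no attributes released at all,
# which is what the thread reports seeing from the IdP.
NO_ATTRIBUTES_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>henson</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the failure form defined by the CAS protocol.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-EXAMPLE not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def summarize(xml_text):
    """Convenience wrapper: ('ok', user, attributes) or ('fail', message)."""
    try:
        result = parse_service_validate(xml_text)
    except CasValidationError as exc:
        return ("fail", str(exc))
    return ("ok", result["user"], result["attributes"])


if __name__ == "__main__":
    for label, doc in (("success", SUCCESS_RESPONSE),
                       ("no attributes", NO_ATTRIBUTES_RESPONSE),
                       ("failure", FAILURE_RESPONSE)):
        print(label, "->", summarize(doc))
```

A client that relies on affiliations for authorization should treat an empty attribute dictionary as "deny", not as "no restrictions"; the parser keeps that decision visible by returning an empty dict rather than silently defaulting.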

