Discussion:
Using CAS Attributes
Sacilowski, Tadeusz
2014-08-15 17:05:57 UTC
Hello,

I'm currently implementing Shibboleth at our institution using the Unicon
Shib-CAS authentication plugin (https://github.com/Unicon/shib-cas-authn2)
to defer authentication to our existing CAS deployment. Currently, our CAS
also retrieves attributes from LDAP.

I was wondering how to get the attributes that have already been retrieved
by CAS over to Shib for release? I know I can just set up an LDAP data
connector with the appropriate attribute definitions on the Shib side, but
then we have 2 LDAP lookups for the same principal... one on the CAS side
and one on the Shib side. I'm sure there's not too much of a performance
hit using this method, but out of curiosity, I'd like to see if there's a
way to avoid this.

Some previous searches led me to the general idea of storing
assertion.getAttributes() in the LoginHandler.SUBJECT_KEY in the
AuthenticatedNameTranslator class. I also need to create a Data Connector
to pull these attributes back out, but this is where I'm getting lost.

Any suggestions? Am I on the right track here? I'm still very new to
Shibboleth so pardon any ignorance.

Thank you!
--
*Tadeusz Sacilowski*
*Manager, Portal & Mobile Development*
Teachers College, Columbia University
sacilowski-deiph+***@public.gmane.org
Cantor, Scott
2014-08-15 19:52:25 UTC
Post by Sacilowski, Tadeusz
I was wondering how to get the attributes that have already been
retrieved by CAS over to Shib for release? I know I can just set up an
LDAP data connector with the appropriate attribute definitions on the
Shib side, but then we have 2 LDAP lookups for the same principal... one
on the CAS side and one on the Shib side. I'm sure there's not too much
of a performance hit using this method, but out of curiosity, I'd like to
see if there's a way to avoid this.
My guess is you'll conclude it's not worth it, but...
Post by Sacilowski, Tadeusz
Some previous searches let me to the general idea of storing
assertion.getAttributes() in the LoginHandler.SUBJECT_KEY in the
AuthenticatedNameTranslator class.
I'm not sure I follow that, but the SUBJECT_KEY represents a Java Subject,
and you can attach custom Principal and credential objects to that. You
would need a login handler that knew how to do that, however.
Post by Sacilowski, Tadeusz
I also need to create a Data Connector to pull these attributes back
out, but this is where I'm getting lost.
Well, the attribute resolver has access to the underlying Java Subject, I
think, so anything stored in it would be accessible, and a plugin could be
written to access that. Writing a data connector means writing a Java
plugin, designing an XML schema, and code to configure it with Spring.

You could also create a Scripted attribute definition and use a scripting
language to access the Java Subject via the API and do something that way.

-- Scott
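The pattern Scott sketches, as an added example that is not part of the original thread and not code from Shibboleth or the Unicon shib-cas-authn2 plugin: a custom java.security.Principal that carries the attribute map from the validated CAS assertion is attached to the javax.security.auth.Subject, and the resolver side pulls it back out with Subject.getPrincipals(Class). The class and method names (CasSubjectAttributes, CasAttributePrincipal, buildSubject, attributesFrom) are invented for this example, and it assumes the CAS client returns attributes as a Map<String, Object> whose values are a String or a List of Strings. How the login handler stores the Subject in the request (LoginHandler.SUBJECT_KEY) and how a data connector or scripted definition reaches that Subject depend on the IdP 2.x API and are not shown.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Hypothetical example, not code from Shibboleth or shib-cas-authn2: carry the
 * attributes CAS already released inside the javax.security.auth.Subject that
 * the login handler hands to the IdP, so the attribute resolver can read them
 * instead of doing a second LDAP lookup. All class and method names are invented.
 */
public final class CasSubjectAttributes {

    /** Custom Principal holding the attribute map from the validated CAS assertion. */
    public static final class CasAttributePrincipal implements Principal {
        private final String name;
        private final Map<String, List<String>> attributes;

        public CasAttributePrincipal(String name, Map<String, List<String>> attributes) {
            this.name = name;
            // Defensive copy so nothing downstream can mutate what CAS asserted.
            Map<String, List<String>> copy = new LinkedHashMap<>();
            for (Map.Entry<String, List<String>> e : attributes.entrySet()) {
                copy.put(e.getKey(), Collections.unmodifiableList(new ArrayList<>(e.getValue())));
            }
            this.attributes = Collections.unmodifiableMap(copy);
        }

        @Override
        public String getName() { return name; }

        public Map<String, List<String>> getAttributes() { return attributes; }
    }

    /**
     * Login-handler side. Takes the principal name and the attribute map as the CAS
     * client returns them (assumed here: values are a String or a List of Strings)
     * and returns a Subject carrying them. In IdP 2.x the handler would then store
     * this Subject in the request under LoginHandler.SUBJECT_KEY (not shown).
     */
    public static Subject buildSubject(String principalName, Map<String, Object> casAttributes) {
        Map<String, List<String>> normalized = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : casAttributes.entrySet()) {
            Object v = e.getValue();
            List<String> values = new ArrayList<>();
            if (v instanceof List<?>) {
                for (Object o : (List<?>) v) {
                    if (o != null) values.add(o.toString());
                }
            } else if (v != null) {
                values.add(v.toString());
            }
            normalized.put(e.getKey(), values);
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(new CasAttributePrincipal(principalName, normalized));
        return subject;
    }

    /**
     * Resolver side. This is the lookup a custom data connector, or a scripted
     * attribute definition that has reached the Subject, would perform.
     * Returns an empty map when no CAS principal was attached (for example when
     * the user authenticated through a different login handler).
     */
    public static Map<String, List<String>> attributesFrom(Subject subject) {
        Set<CasAttributePrincipal> found = subject.getPrincipals(CasAttributePrincipal.class);
        if (found.isEmpty()) {
            return Collections.emptyMap();
        }
        return found.iterator().next().getAttributes();
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for what the CAS client returns.
        Map<String, Object> casAttrs = new LinkedHashMap<>();
        casAttrs.put("mail", "jdoe@example.edu");
        casAttrs.put("eduPersonAffiliation", Arrays.asList("staff", "member"));

        Subject subject = buildSubject("jdoe", casAttrs);
        System.out.println(attributesFrom(subject));

        // A Subject with no CAS principal yields an empty map rather than an exception.
        System.out.println(attributesFrom(new Subject()));
    }
}
```

Two points worth keeping in mind with this approach: the map only ever holds what the CAS server put in the validated ticket response, so the IdP is now trusting CAS's LDAP lookup rather than its own, and the attributes still pass through the IdP's attribute filter before release; and the resolver-side lookup degrades to an empty map instead of failing when a different login handler produced the Subject.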
--