CAS and Shibboleth Integration releasing Principal Name (Username) as an attribute in SAML

3
votes

I feel like I've searched high and low for what should be a simple configuration: and come up empty.

I'm completely new to Shibboleth, although I've worked with CAS a little bit, nothing too intense. I have it set up (following the guide at: https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration) so that Shibboleth redirects to CAS for authentication. This works fine, and once the user is authenticated, they get redirected through Shibboleth, and the SAML response gets sent out. I'm testing using https://sp.testshib.org and it's properly receiving the response and displaying the page.

What I can't seem to figure out is how to release just a simple attribute with the username used to log into CAS. I know Shibboleth sees it (from the idp-process.log), but I can't figure out what to put in the attribute-resolver.xml and attribute-filter.xml to release this.

The current SAML response looks like this:

<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_da56752846e00c2693ece2c486d7c870" IssueInstant="2012-11-16T14:08:07.570Z" Version="2.0">
   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://<idpurl>/idp/shibboleth</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#_da56752846e00c2693ece2c486d7c870">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>7OHKEiEQ0ZcPDcnt4B8PIGoLEfw=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>S3FZI+KpNf8wUYWMA96ccAj0Y5ebojB1xKHlixHWNEr4voqHOGSpBzxdui0IVtUwLEzj4RrDFdYarJaZj6ltzFV4hfNx5bN88zYQG6w9BBP9UybG+81Wrhii2O31AmRz2Y6XIqa72CeN2R4DKo70awn6FXIPLAcEKs+7dAG2lQ87VS3Wv126DghE/eGcMLW6+z9a3MxXtUFSmWYosaIbNREJn4mGO/uGzD27eeo6SNmvBx/BgVh7T2cOIbtD8b9OOZT8Urt0kZ2nsoCZHgp1T0V6ZgnE2TDvPTInrxzC5c4S+YOYZlB0ijMI6pk+PpJGshe7MVUcEO34Nn0I3i0OUw==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate><!--Valid Certificate--></ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://<idpurl>/idp/shibboleth" SPNameQualifier="https://sp.testshib.org/shibboleth-sp">_4b1a2780b2ce3db36ea7e7f6192b7108</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="<valid ip address>" InResponseTo="_aa4e23dd783eddb1be18ad224c26e7cf" NotOnOrAfter="2012-11-16T14:13:07.570Z" Recipient="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2012-11-16T14:08:07.570Z" NotOnOrAfter="2012-11-16T14:13:07.570Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp.testshib.org/shibboleth-sp</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2012-11-16T14:08:07.554Z" SessionIndex="00568a153d3cccf9c17abf2c77a043ed8b74a74fe5e2c61000590269aa87f99a">
      <saml2:SubjectLocality Address="<valid ip address>"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
</saml2:Assertion>

I just need an example of how to get this set up. I've read all the documentation on wiki.shibboleth.net and still can't seem to get it.

Thank you so much in advance for your help, I know it's just a configuration thing, but it's making my brain feel dumb, and I haven't even tried integrating with something more intense than TestShib!

EDIT: I found this set up guide which partially helps, I was able to pass out the name as an attribute by searching against the active directory, but this isn't a proper long term solution, since CAS can check more than one user repository, and it's not necessarily the same one that this will check to get it. I just want to release ${requestContext.principalName} as an attribute.

Any better ideas? Maybe a static connector, but i'm not sure how to get it to resolve the ${requestContext.principalName}?

1
attributessamlcassaml-2.0shibboleth
Do you want to release the username in NameID tag or in an attribute? - performanceuser
As an attribute preferably, there are multiple SP's that will eventually need to be served by this IDP system, and I don't have the response format for each of them yet (still in researching phase to see if this is the route we will go), so if they accept SAML 2.0, then the attribute would probably be easiest to accommodate. - CDerrig

1 Answers

4
votes

In the end I was able to figure it out. Posting the solution here for anyone else that ever comes across this and gets lost in the swamp of details that should be simple.

In the attribute-resolver.xml file for Shibboleth, I had to add the following resolver:

<resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">

    <resolver:AttributeEncoder
        xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:principal" />

    <resolver:AttributeEncoder
        xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        friendlyName="principal" />

</resolver:AttributeDefinition>

In the attribute-filter.xml i needed to add the following filter:

    <AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY"/>
        <AttributeRule attributeID="principal">
                <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

Change your Policy Requirement Rule if you don't want to release the principal to every SP.

It's amazing that something this simple doesn't seem to be documented clearly anywhere. I looked through the shibboleth documents for way longer than this should have taken, and finally found the clue in a google groups post someone had made about wanting to change the value of PrincipalName.

I hope this helps someone else!