...
E.g. a user logs into AD as "jdoe" or "jdoe@ad.yourschool.edu", but that user's email address is "john.doe@yourschool.edu" (hosted at Gmail). This value is stored in the AD object's "mail" attribute. (Note that you can use any LDAP attribute, as long as you map this LDAP attribute to the CAS Principal attribute called "EmailAddress"; see below.)
Prerequisites:
- a functioning CAS 3.3 setup, with localization via the Maven overlay method; see Maintaining local customizations using Maven 2
- MS-AD authentication is functioning; see Active Directory (or really any backend from which you can get additional attributes into the CAS principal; see the following bullet)
- you can get LDAP attributes from AD (or any LDAP) into the CAS Principal (i.e. the CAS user object)
You will need to map the AD "mail" attribute (or any other LDAP attribute you wish to use) to the CAS principal "EmailAddress" attribute, e.g. in the mapping section of the Attributes article, use:
<map>
    <entry key="mail" value="EmailAddress" />
</map>
See Attributes for more. You can of course use any data backend, as long as you can get attributes into the CAS principal.
In CAS 3.3.5 and later, you can configure an 'alternateUsername' to be sent to Google in the SAML reply. This alternateUsername can be mapped in XML to any CAS principal attribute you have added.
Let's assume you have added the attribute "EmailAddress" to your CAS user principal, as outlined above (i.e. the value of the attribute comes from the LDAP "mail" field). To send the value of this attribute to Google as the username, instead of the user id, modify the Google Argument Extractor bean in src/main/webapp/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml to read as follows:
<bean
name="googleAccountsArgumentExtractor"
class="org.jasig.cas.web.support.GoogleAccountsArgumentExtractor"
p:privateKey-ref="privateKeyFactoryBean"
p:publicKey-ref="publicKeyFactoryBean"
p:alternateUsername="EmailAddress" />
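As an added illustration (not the CAS project's own GoogleAccountsService code), the following stand-alone Java class shows the selection logic the alternateUsername setting implies: use the mapped attribute when the principal carries a usable value, otherwise fall back to the CAS user id, and escape the value before it is spliced into the SAML NameID. The class name, method names and the sample attribute map are assumptions.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

/** Illustrative stand-in for the NameID selection a CAS-to-Google SAML
 *  response performs; not the CAS project's own GoogleAccountsService. */
public class AlternateUsernameExample {

    /** Picks the value sent to Google: the configured alternate attribute
     *  when the principal carries a usable value, else the principal id. */
    static String resolveUsername(String principalId,
                                  Map<String, Object> attributes,
                                  String alternateUsername) {
        if (alternateUsername == null || attributes == null) {
            return principalId;
        }
        Object value = attributes.get(alternateUsername);
        // A multi-valued LDAP attribute arrives as a Collection; take the first entry.
        if (value instanceof Collection) {
            Collection<?> values = (Collection<?>) value;
            value = values.isEmpty() ? null : values.iterator().next();
        }
        if (value == null || value.toString().trim().isEmpty()) {
            return principalId;          // missing or empty: fall back to the CAS id
        }
        return value.toString().trim();
    }

    /** Escapes the five XML special characters so an attribute value
     *  cannot alter the structure of the SAML document it is spliced into. */
    static String xmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    /** Fills the <USERNAME_STRING> placeholder the way the page describes. */
    static String fillNameId(String template, String username) {
        return template.replace("<USERNAME_STRING>", xmlEscape(username));
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new HashMap<String, Object>();  // constructed sample principal
        attrs.put("EmailAddress", Arrays.asList("john.doe@yourschool.edu"));
        String template = "<saml:NameID><USERNAME_STRING></saml:NameID>";
        System.out.println(fillNameId(template, resolveUsername("jdoe", attrs, "EmailAddress")));
        System.out.println(fillNameId(template, resolveUsername("jdoe", attrs, "uid")));  // falls back to jdoe
    }
}
```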
That's all! Now rebuild your localized package with Maven, and deploy it.
Rebuild your overlay:
Rebuild your overlay with Maven; this should not produce any errors:
cd cas-server-local
mvn package
Finally, if all looks well, configure your Google Apps domain to use your CAS setup for authentication. See SAML 2.0 (Google Accounts Integration). (You will need to rebuild your package after you make these final modifications.)
If all looks good, deploy the target/cas.war file.
OLD - Historic - Modifications:
The modifications below are no longer needed as of CAS 3.3.5.
If you are running an older version, you should upgrade!
In your Maven customization folder, here called cas-server-local/, create the following directory structure (if it doesn't already exist):
...
Now apply the following patch to this Java class in your customization folder (here: cas-server-local/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java):
(this patch is also attached to this page.)
--- cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java 2009-03-18 08:27:22.000000000 -0700 +++ cas-server-local/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java 2009-03-18 08:25:53.000000000 -0700 @@ -25,6 +25,9 @@ import java.util.zip.Inflater; import java.util.zip.InflaterInputStream; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + /** * Implementation of a Service that supports Google Accounts (eventually a more * generic SAML2 support will come). @@ -160,8 +163,36 @@ c.setTime(new Date()); c.add(Calendar.YEAR, 1); - samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal() - .getId()); + /** + * samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal() + * .getId()); + */ + /** + * Modify Google return to pass in EmailAddress attribute, if exists. + * + */ + String username = getPrincipal().getId(); + Map<String, Object> attributes = getPrincipal().getAttributes(); + + /** Log instance for logging events, info, warnings, errors, etc. */ + final Log log = LogFactory.getLog(this.getClass()); + + if (log.isInfoEnabled()) { + log.info("User [" + getPrincipal().getId() + "] has " + attributes.size() + " principal attributes"); + } + + /** + * try to find the attribute mapped in the CredentialsToLDAPAttributePrincipalResolver + * configuration in deployerConfigContext.xml + */ + if(attributes.containsKey("EmailAddress")) { + username = (String)attributes.get("EmailAddress"); + if (log.isInfoEnabled()) { + log.info("User [" + getPrincipal().getId() + "]: using EmailID [" + username + "]"); + } + } + samlResponse = samlResponse.replace("<USERNAME_STRING>",username); + samlResponse = samlResponse.replace("<RESPONSE_ID>", createID()); samlResponse = samlResponse.replace("<ISSUE_INSTANT>", SamlUtils .getCurrentDateAndTime()); |
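Review bot: the two commons-logging imports added in the first hunk only serve a logger that the second hunk constructs inside the method on every call (`final Log log = LogFactory.getLog(this.getClass());`); declare it once as a `private static final Log log = LogFactory.getLog(GoogleAccountsService.class);` field next to these imports so the import hunk stands on its own and the LogFactory lookup is not repeated per SAML response.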
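Review bot: in the second hunk the line `username = (String)attributes.get("EmailAddress");` casts the attribute straight to String and `samlResponse.replace("<USERNAME_STRING>",username)` splices it into the SAML XML unescaped; if the mapped attribute is not a String (for instance a multi-valued attribute) this throws ClassCastException, and an empty value would be asserted to Google as the NameID. Guard it, e.g. `Object v = attributes.get("EmailAddress"); if (v instanceof String && ((String) v).length() > 0) { username = (String) v; }`, and XML-escape `username` before the replace. Two smaller points: the replaced `samlResponse.replace(... getPrincipal().getId())` lines are kept inside a `/** ... */` Javadoc comment instead of being deleted, and both `log.info` calls write the principal id and e-mail on every Google login, which is better suited to DEBUG than INFO.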
Rebuild your overlay:
See above. Rebuild your overlay with Maven; this should not produce any errors:
cd cas-server-local
mvn install package
If all looks good, deploy the target/cas.war file.
Finally, if all looks well, configure your Google Apps domain to use your CAS setup for authentication. See SAML 2.0 (Google Accounts Integration). (You will need to rebuild your package after you make these final modifications.)
Logging:
Every time Google Apps calls CAS, there will be some new INFO level messages in the Tomcat log file, typically <tomcat>/logs/catalina.out, to show you what is happening. The first line shows you how many (if any) attributes are attached to the CAS principal; this tells you whether your attribute mapping is working. The second line shows which user email id is actually sent to Google for the current CAS principal.
...