Hopefully these notes will evolve into a more formal tutorial.
This example assumes user roles are stored in a database like so:
mysql> select * from VW_USER_ROLES; +----+-----------+---------------+ | ID | LOGINNAME | ROLENAME | +----+-----------+---------------+ | 1 | me | DEBUG | | 1 | me | Super User | +----+-----------+---------------+
Currently only works with SAML 1.1
- Client Mods
-
- dependencies
<dependency> <groupId>org.apache.santuario</groupId> <artifactId>xmlsec</artifactId> <version>1.4.5</version> </dependency> <dependency> <groupId>org.opensaml</groupId> <artifactId>opensaml</artifactId> <version>1.1b</version> </dependency>
- org.jasig.cas.client.authentication.Saml11AuthenticationFilter
- org.jasig.cas.client.validation.Saml11TicketValidationFilter
- org.jasig.cas.client.util.HttpServletRequestWrapperFilter
<param-name>roleAttribute</param-name> <param-value>USER_ROLE</param-value>
- dependencies
- Server Mods
<bean id="multiRowJdbcPersonAttributeDao" class="org.jasig.services.persondir.support.jdbc.MultiRowJdbcPersonAttributeDao"> <constructor-arg index="0" ref="dataSource" /> <constructor-arg index="1" value="select LOGINNAME, 'USER_ROLE' as attr_name, ROLENAME FROM VW_USER_ROLES WHERE {0}" /> <property name="nameValueColumnMappings"> <map> <entry key="attr_name" value="ROLENAME" /> </map> </property> <property name="queryAttributeMapping"> <map> <entry key="username" value="LOGINNAME" /> </map> </property> </bean>
- Runtime changes
- in Services Management i.e. /cas/services/manage.html Edit service to 'Ignore Attribute Management via this Tool'