Attribute Resolution
Attribute resolution strategies are controlled by the Person Directory project. The Person Directory dependency is automatically bundled with the CAS server. Therefore, declaring an additional dependency will not be required. This Person Directory project supports both LDAP and JDBC attribute resolution, caching, attribute aggregation from multiple attribute sources, etc.
By default, attributes are cached to the length of the SSO session. This means that while the underlying component provided by Person Directory may have a different caching model, attributes by default and from a CAS perspective will not be refreshed and retrieved again on subsequent requests as long as the SSO session exists.
Actuator Endpoints
The following endpoints are provided by CAS:
Person Directory
A framework for resolving persons and attributes from a variety of underlying sources. It consists of a collection of components that retrieve, cache, resolve, aggregate, merge person attributes from JDBC, LDAP and more.
The following settings and properties are available from the CAS configuration catalog:
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be
recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system
property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled
via Configuration Metadata and property migrations applied automatically on
startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
Attribute sources are defined and configured to describe the global set of attributes to be fetched for each authenticated principal. That global set of attributes is then filtered by the service manager according to service-specific attribute release rules.
Note that each attribute repository source can be assigned a unique identifier to be used for additional filtering. The attribute resolution engine provided by Person Directory can also be configured to only consult not all but a selection of attribute repository sources, deferring the task of attribute retrieval for later phases in the authentication process, such as releasing attributes.
Note that in most if not all cases, CAS authentication is able to retrieve and resolve attributes from the authentication source, which would eliminate the need for configuring a separate resolver specially if both the authentication and the attribute source are the same. Using separate resolvers should only be required when sources are different, or when there is a need to tackle more advanced attribute resolution use cases such as cascading, merging, etc. See this guide for more info.
The goal of the resolver is to construct a final identifiable authenticated principal for CAS which carries a number of attributes inside it. The behavior of the person-directory resolver is such that it attempts to locate the principal id, which in most cases is the same thing as the credential id provided during authentication or it could be noted by a custom attribute. Then the resolver starts to construct attributes from attribute repositories defined. If it realizes that a custom attribute is used to determine the principal id AND the same attribute is also set to be collected into the final set of attributes, it will then remove that attribute from the final collection.
Note that by default, CAS auto-creates attribute repository sources that are appropriate for LDAP, JDBC, etc. If you need something more, you will need to resort to more elaborate measures of defining the bean configuration.
More about the Person Directory and its configurable sources can be found here.
Overview
Control the set of authentication attributes that are retrieved by the principal resolution process, from attribute sources unless noted otherwise by the specific authentication scheme.
If multiple attribute repository sources are defined, they are added into a list and their results are cached and merged.
The following settings and properties are available from the CAS configuration catalog:
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be
recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system
property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled
via Configuration Metadata and property migrations applied automatically on
startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
Note that in certain cases, CAS authentication is able to retrieve and resolve attributes from the authentication source in the same authentication request, which would eliminate the need for configuring a separate attribute repository specially if both the authentication and the attribute source are the same. Using separate repositories should be required when sources are different, or when there is a need to tackle more advanced attribute resolution use cases such as cascading, merging, etc.
Attributes for all sources are defined in their own individual block. CAS does not care about the source owner of attributes. It finds them where they can be found and otherwise, it moves on. This means that certain number of attributes can be resolved via one source and the remaining attributes may be resolved via another. If there are commonalities across sources, the merger shall decide the final result and behavior.
Note that attribute repository sources, if/when defined, execute in a specific order. This is important to take into account when attribute merging may take place.
Note that if no explicit attribute mappings are defined, all permitted attributes on the record may be retrieved by CAS from the attribute repository source and made available to the principal. On the other hand, if explicit attribute mappings are defined, then only mapped attributes are retrieved.
The following merging strategies can be used to resolve conflicts when the same attribute are found from multiple sources:
| Type | Description |
|---|---|
REPLACE |
Overwrites existing attribute values, if any. |
ADD |
Retains existing attribute values if any, and ignores values from subsequent sources in the resolution chain. |
MULTIVALUED |
Combines all values into a single attribute, essentially creating a multi-valued attribute. |
NONE |
Do not merge attributes, only use attributes retrieved during authentication. |
The following aggregation strategies can be used to resolve and merge attributes when multiple attribute repository sources are defined to fetch data:
| Type | Description |
|---|---|
MERGE |
Default. Query multiple repositories in order and merge the results into a single result set. |
CASCADE |
Same as above; results from each query are passed down to the next attribute repository source. If the first repository queried has no results, no further attribute repositories will be queried. |
Sources
The following options may be used to fetch attributes in CAS.
| Source | Reference |
|---|---|
| Stub | See this guide. |
| LDAP | See this guide. |
| Groovy | See this guide. |
| REST | See this guide. |
| Grouper | See this guide. |
| Couchbase | See this guide. |
| Redis | See this guide. |
| JDBC | See this guide. |
| OKTA | See this guide. |
| Custom | See this guide. |
| Python/Javascript/Groovy | See this guide. |
| Microsoft Azure Active Directory | See this guide. |