jacekkow/keycloak-protocol-cas

replace cas:user

Closed this issue · 5 comments

Hello,

I am facing a problem with this plugin.

Actually, on my CAS server I use the principal-attribute configuration to send a particular attribute (uid) as the username (cas:user) to my apps. My users log in with the sAMAccountName attribute.

Now with Keycloak, I have this LDAP configuration.
My users log in with the sAMAccountName attribute, but like the CAS server I want to send to my clients that cas:user is the uid attribute, not sAMAccountName. I think mappers only write cas:attributes.
Is there a way to do it?

I can give more information if needed.
Thanks for your work.

As Keycloak's "username" attribute is the only one that is guaranteed to be present and to uniquely identify the user, it is used in the user parameter of the CAS response and it is not customizable.

As I understand you have a setup similar to this:

sAMAccountName: John.Smith
uid: jsmith

and CAS apps are using the latter identifier.

In order to achieve requested behavior, you would need to change the line indicated below in file src/main/java/org/keycloak/protocol/cas/endpoints/ServiceValidateEndpoint.java:

        CASServiceResponse serviceResponse = ServiceResponseHelper.createSuccess(userSession.getUser().getUsername(), attributes);

replacing getUsername() with getAttribute("attribute_name").get(0) (and some fallback if there is no attribute, unless you are OK with a "500 Internal Server Error").

Unfortunately I am reluctant to make it customizable here.
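The change described above, with the fallback the maintainer mentions, as an added example (not code from keycloak-protocol-cas); the class name, the resolve method and the CAS_USER_ATTRIBUTE constant are assumptions, and the only Keycloak calls used are UserModel.getFirstAttribute() and getUsername():

```java
// Added example, not part of keycloak-protocol-cas. Helper for the
// ServiceValidateEndpoint change discussed above: expose a chosen user
// attribute as <cas:user>, falling back to the username instead of
// failing with a 500 when the attribute is missing.
import org.keycloak.models.UserModel;

public final class CasUserIdentifier {

    private CasUserIdentifier() {}

    /**
     * Value to place in the CAS user element.
     *
     * @param user          the authenticated Keycloak user
     * @param attributeName attribute to expose, e.g. "uid"; null or blank
     *                      keeps the plugin's default (the username)
     */
    public static String resolve(UserModel user, String attributeName) {
        if (attributeName == null || attributeName.trim().isEmpty()) {
            return user.getUsername();
        }
        // getFirstAttribute returns null when the attribute is not set;
        // treat a blank value the same so an empty <cas:user> is never sent.
        String value = user.getFirstAttribute(attributeName);
        if (value == null || value.trim().isEmpty()) {
            return user.getUsername();
        }
        return value;
    }

    // In ServiceValidateEndpoint the quoted line then becomes (assumed
    // constant CAS_USER_ATTRIBUTE = "uid"; this is not a plugin option):
    //
    //   CASServiceResponse serviceResponse = ServiceResponseHelper.createSuccess(
    //           CasUserIdentifier.resolve(userSession.getUser(), CAS_USER_ATTRIBUTE),
    //           attributes);
}
```

The fallback mixes two identifier namespaces: a user without uid is reported under their sAMAccountName, which a CAS client would treat as a uid. If a username could ever equal another user's uid, have resolve() reject the user (throw) rather than fall back, so an identity mix-up cannot occur.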

Hello,

I understand the guarantee of uniqueness, and my attribute 'uid' is unique for each user.
It gives me another possibility to implement my need.
Thank you for your response.

Hi,
I'm sorry to reopen it, but it seems the UserModel has changed, so the workaround you provided me doesn't work anymore.
I would appreciate it if you could give me the same workaround, updated.

I have tried to do it on my own for a few hours, but developing skills don't appear by magic :D
Thank you

@Ekouyoja: the change would be very minor - from getAttribute(...).get(0) to getFirstAttribute(...)

Sorry I didn't take the time to give you a response.
Thank you :)