Extra user attributes
Normally when a user logs in, the only information made available to CAS clients about the user is their authenticated username. But what if you want additional information like the user's full name or group membership?
As of version 0.7.0, the CAS server is able to send back this extra information in authentication responses. As of version 1.1.1 [see code] the extra information is sent back wrapped in a <cas:attributes> XML tag, per the CAS spec.
Example response shape:

  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
      <cas:user>John Doe</cas:user>
      <!-- ... -->
      <cas:attributes>
        <cas:authenticationDate>2015-11-12T09:30:10Z</cas:authenticationDate>
        <cas:longTermAuthenticationRequestTokenUsed>true</cas:longTermAuthenticationRequestTokenUsed>
        <cas:isFromNewLogin>true</cas:isFromNewLogin>
        <cas:myAttribute>myValue</cas:myAttribute>
      </cas:attributes>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
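A CAS client has to pull the attributes back out of that response. The following is an added example, not code from RubyCAS-Server or from any CAS client library: it parses a /serviceValidate response with Ruby's standard REXML, checks that the elements really are in the CAS namespace, distinguishes a success from a failure response, and collects repeated attribute elements into arrays. The two sample responses are constructed here, the success one copied from the shape above.

```ruby
require "rexml/document"

CAS_NS = "http://www.yale.edu/tp/cas".freeze

# Constructed sample: the success response shape shown above.
SAMPLE_RESPONSE = <<~XML
  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
      <cas:user>John Doe</cas:user>
      <cas:attributes>
        <cas:authenticationDate>2015-11-12T09:30:10Z</cas:authenticationDate>
        <cas:longTermAuthenticationRequestTokenUsed>true</cas:longTermAuthenticationRequestTokenUsed>
        <cas:isFromNewLogin>true</cas:isFromNewLogin>
        <cas:myAttribute>myValue</cas:myAttribute>
      </cas:attributes>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

# Constructed sample: what the server sends when the ticket is not accepted.
FAILURE_RESPONSE = <<~XML
  <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
  </cas:serviceResponse>
XML

# Find the first child element with the given local name in the CAS namespace.
def cas_child(parent, local_name)
  parent.elements.to_a.find { |e| e.name == local_name && e.namespace == CAS_NS }
end

# Parse a validation response. Returns nil unless the response is a
# well-formed CAS success with a non-empty user; otherwise returns
# { user: "...", attributes: { "name" => ["value", ...] } }.
def parse_cas_response(xml)
  doc = REXML::Document.new(xml)
  root = doc.root
  return nil unless root && root.name == "serviceResponse" && root.namespace == CAS_NS

  success = cas_child(root, "authenticationSuccess")
  return nil unless success

  user_el = cas_child(success, "user")
  return nil unless user_el && user_el.text && !user_el.text.strip.empty?

  attrs = {}
  attrs_el = cas_child(success, "attributes")
  if attrs_el
    attrs_el.elements.each do |e|
      next unless e.namespace == CAS_NS   # ignore elements from other namespaces
      (attrs[e.name] ||= []) << (e.text || "").strip
    end
  end

  { user: user_el.text.strip, attributes: attrs }
rescue REXML::ParseException
  nil   # malformed XML is treated the same as a failed validation
end
```

Values come back as arrays so that an attribute the server repeats (a list of group names, say) is not silently reduced to its last value; a client that expects a single value should check the array length rather than call `.first`.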
RubyCAS-Server is only able to send user attributes accessible to the underlying authentication back end. For example, if you're using a SQL-based authenticator, additional columns from your users table can be returned. Similarly, if you're using an LDAP-based authenticator, additional fields from the retrieved LDAP entry are available.
For the SQL and LDAP authenticators, configuring this is easy (this is also true for derived authenticators like SQLEncrypted and ActiveDirectoryLDAP):
In your config.yml:

  authenticator:
    class: CASServer::Authenticators::SQL
    database:
      adapter: mysql
      database: some_database_with_users_table
    user_table: users
    username_column: username
    password_column: password
    extra_attributes: full_name, access_level
Notice the extra_attributes option. This specifies the additional table columns to return in the CAS response.

The same option works for the LDAP-based authenticators, for example:

  authenticator:
    class: CASServer::Authenticators::ActiveDirectoryLDAP
    ldap:
      host: ad.example.net
      port: 636
      base: dc=example,dc=net
      filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)
      auth_user: authenticator
      auth_password: itsasecret
      encryption: simple_tls
    extra_attributes: cn, mail

Here the extra_attributes option specifies the additional entry fields from the retrieved LDAP entry to return in the CAS response.
To see how the extra_attributes data is populated in the authenticator code, see the [SQL authenticator](https://github.com/rubycas/rubycas-server/blob/master/lib/casserver/authenticators/sql.rb) source. The basic idea is to fill the @extra_attributes instance variable within your validate() call. The server will then automatically serialize this data and pass it on in its validation response to the CAS client.
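The following is an added example of that contract, not code from RubyCAS-Server: a hypothetical InMemoryAuthenticator that implements validate() against a constructed in-memory stand-in for the users table, fills @extra_attributes from the columns named in the extra_attributes option (accepted as a comma-separated string, as in config.yml above, or as an array), and an attributes_xml helper that renders them in the <cas:attributes> shape shown earlier. It deliberately does not inherit from the gem's base class so that it runs on its own; the column names, the user record and the PBKDF2 password storage are all assumptions made for the example.

```ruby
require "openssl"
require "rexml/document"

# Kept low so the example runs quickly; a real deployment would use far more.
PBKDF2_ITERATIONS = 20_000

def pbkdf2(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: "sha256")
end

# Constructed stand-in for the users table. The password column holds a
# salted digest, never the clear-text password.
USERS = {
  "jdoe" => {
    "salt"         => "constructed-salt-1",
    "password"     => pbkdf2("correct horse", "constructed-salt-1"),
    "full_name"    => "John Doe",
    "access_level" => "admin",
    "email"        => "jdoe@example.net",
  },
}.freeze

# Constant-time comparison so a wrong password is not detectable by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical authenticator following the validate()/@extra_attributes
# contract described above.
class InMemoryAuthenticator
  attr_reader :extra_attributes

  def initialize(options)
    @options = options
    @extra_attributes = {}
  end

  # "full_name, access_level" (string) or ["full_name", "access_level"] (array).
  def extra_attributes_to_extract
    raw = @options[:extra_attributes]
    names = raw.is_a?(Array) ? raw : raw.to_s.split(",")
    names.map(&:strip).reject(&:empty?)
  end

  # credentials is a hash with :username and :password; returns true/false.
  def validate(credentials)
    @extra_attributes = {}
    record = USERS[credentials[:username].to_s]
    return false unless record

    stored = record[@options[:password_column]]
    return false unless secure_compare(stored, pbkdf2(credentials[:password].to_s, record["salt"]))

    # Expose only the configured columns, and refuse the password column and
    # its salt even if an operator lists them by mistake.
    forbidden = [@options[:password_column], "salt"]
    extra_attributes_to_extract.each do |col|
      next if forbidden.include?(col) || !record.key?(col)
      @extra_attributes[col] = record[col]
    end
    true
  end
end

XML_NAME = /\A[A-Za-z_][\w.-]*\z/

# Render @extra_attributes as the <cas:attributes> element. REXML escapes the
# values; attribute names must be valid XML element names, and an array value
# becomes one element per entry.
def attributes_xml(extra_attributes)
  el = REXML::Element.new("cas:attributes")
  extra_attributes.each do |name, value|
    raise ArgumentError, "bad attribute name #{name.inspect}" unless name.to_s =~ XML_NAME
    Array(value).each { |v| el.add_element("cas:#{name}").text = v.to_s }
  end
  el.to_s
end

if __FILE__ == $PROGRAM_NAME
  auth = InMemoryAuthenticator.new(password_column: "password",
                                   extra_attributes: "full_name, access_level")
  puts attributes_xml(auth.extra_attributes) if auth.validate(username: "jdoe", password: "correct horse")
end
```

Two points carry over to a real authenticator: the list of columns to return is an allow-list that is intersected with what the record actually holds, so the password column cannot be leaked by a typo in config.yml, and the values are escaped when serialized, so a directory entry containing angle brackets cannot break or alter the XML the client parses.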
See: