  2. CAS-973

Remember me support through SAML validation

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.9
    • Component/s: None
    • Labels: None

      Description

      I think remember me is a must-have feature so it would be great if SAML validation could notify the client application that the user is in remember mode (configured like this: https://wiki.jasig.org/display/CASUM/Remember+Me).

      For service ticket validation through SAML (/samlValidate), I would change the Saml10SuccessResponseView class:

      • add a constant:

        private static final String REMEMBERME_ATTRIBUTE_NAME = "isRemembered";

      • change the way of calculating SAML attributes:

        // remember me
        boolean isRemembered = (authentication.getAttributes()
            .get(RememberMeCredentials.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME) == Boolean.TRUE
            && !assertion.isFromNewLogin());

        if (!authentication.getPrincipal().getAttributes().isEmpty() || isRemembered) {
            final SAMLAttributeStatement attributeStatement = new SAMLAttributeStatement();

            attributeStatement.setSubject(getSamlSubject(authentication));
            samlAssertion.addStatement(attributeStatement);

            for (final Entry<String, Object> e : authentication.getPrincipal().getAttributes().entrySet()) {
                final SAMLAttribute attribute = new SAMLAttribute();
                attribute.setName(e.getKey());
                attribute.setNamespace(NAMESPACE);

                if (e.getValue() instanceof Collection<?>) {
                    final Collection<?> c = (Collection<?>) e.getValue();
                    if (c.isEmpty()) {
                        // 100323 bnoordhuis: don't add the attribute, it causes a org.opensaml.MalformedException
                        continue;
                    }
                    attribute.setValues(c);
                } else {
                    attribute.addValue(e.getValue());
                }

                attributeStatement.addAttribute(attribute);
            }

            // remember me
            if (isRemembered) {
                final SAMLAttribute attribute = new SAMLAttribute();
                attribute.setName(REMEMBERME_ATTRIBUTE_NAME);
                attribute.setNamespace(NAMESPACE);
                attribute.addValue(true);
                attributeStatement.addAttribute(attribute);
            }
        }
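      A client-side consumer of the attribute this issue adds, as an added example that is not code from CAS, the CAS client or the reporter's patch: it reads the flag under the name used in the committed patch (quoted in the comments below), accepts both the Boolean the view adds and the string form a SAML client parses out of the XML, and refuses sensitive requests on a remembered session until the user authenticates again. The attribute map, the sensitive paths and the decision strings are assumptions.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Client-side policy for the remember-me attribute CAS-973 adds to the /samlValidate response.
 *  Example code for this issue page, not part of CAS or the Jasig CAS client. */
public final class RememberMePolicy {

    /** Attribute name as committed (Scott's patch, quoted in the comments). */
    static final String REMEMBER_ME_ATTRIBUTE_NAME = "longTermAuthenticationRequestTokenUsed";

    /** Hypothetical paths that must not be served on a remembered (not freshly authenticated) session. */
    private static final Set<String> SENSITIVE_PATHS = Set.of("/account/password", "/account/email");

    /** True when the attribute is present with a true value. The view adds a Boolean, but after the
     *  assertion is serialised to XML and parsed by a client it normally arrives as the String "true",
     *  and some clients wrap attribute values in a Collection; accept all three forms. */
    static boolean isRemembered(Map<String, Object> attributes) {
        Object value = attributes.get(REMEMBER_ME_ATTRIBUTE_NAME);
        if (value instanceof Collection<?>) {
            for (Object v : (Collection<?>) value) {
                if (isTrue(v)) return true;
            }
            return false;
        }
        return isTrue(value);
    }

    private static boolean isTrue(Object v) {
        return Boolean.TRUE.equals(v) || (v instanceof String && Boolean.parseBoolean((String) v));
    }

    /** Ordinary pages are allowed; a sensitive page on a remembered session is sent back to CAS
     *  with renew=true so the user must present credentials again. */
    static String decide(String path, Map<String, Object> attributes) {
        if (SENSITIVE_PATHS.contains(path) && isRemembered(attributes)) {
            return "REQUIRE_FRESH_LOGIN";
        }
        return "ALLOW";
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new HashMap<>(); // constructed sample of principal attributes
        attrs.put("mail", "alice@example.org");
        attrs.put(REMEMBER_ME_ATTRIBUTE_NAME, "true"); // as a client would parse it from the SAML XML
        System.out.println(decide("/home", attrs) + " " + decide("/account/password", attrs));
    }
}
```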


          Activity

          Robert Oschwald added a comment -

          Thank you very much for your message.
          I will be back in the office on JUL/11/2011.
          This message will not be forwarded.
          In urgent cases you can reach our office via:
          phone: +49 (0)89/628 339-60
          email: info@symentis.com

          Marvin S. Addison added a comment -

          Using an invariant attribute name is asking for trouble. While the default is perfectly sensible, it should be customizable somewhere, although arguably not in the view. Perhaps we can consider that for a future improvement and continue with the existing implementation. I bet, though, that it's only a matter of time before someone shows up and asks why their isRemembered attribute is getting overridden or why there are dupes.

          Marvin S. Addison added a comment -

          I see that Scott actually changed this in the committed patch:

          private static final String REMEMBER_ME_ATTRIBUTE_NAME = "longTermAuthenticationRequestTokenUsed";
          

          I think that dramatically reduces the likelihood of an attribute name collision, but I still believe my comment about configurability is relevant.


            People

            • Assignee: Scott Battaglia
            • Reporter: Jérôme Leleu
            • Votes: 1
            • Watchers: 1