CAS Attributes
After successfully validating a service ticket, the username will be available through the callback function of either validate() or authenticate(). In addition, some CAS servers may also provide extended attributes associated with the user. Common possibilities are email addresses and group memberships.
The validate/authenticate call is asynchronous. Upon completion, the callback function will be invoked as follows. We are only concerned about the extended.attributes property at this point:
/**
* @param {Error} err
* Undefined if no error.
* @param {Boolean} status
* TRUE if user was successfully authenticated.
* @param {String} username
* The login username used to authenticate with CAS.
* @param {Object} extended
* A JSON object containing further information about the user.
* {
* "username": {String} The username as described above,
* "ticket": {String} The service ticket ("ST-....") used by the user,
* "attributes": {Object} An object of arrays--
* {
* "attribute1": [ value1, value2, ... ],
* "attribute2": [ ... ],
* ...
* },
* "PGTIOU": {String} IOU for the proxy granting ticket,
* "proxies": {Array} An array of hosts that are proxying the connection
* }
*/
function(err, status, username, extended) { ... }
Each attribute can have one or more values, and they need not be distinct. The attribute names are case insensitive.
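Because every attribute is an array whose values may repeat and whose name may arrive in any case, an authorization check on a group attribute should look the name up case-insensitively and compare each value in full rather than by substring. The following is an added example, not code from this library or wiki; the helper names (getAttributeValues, normalizeDn, isMemberOf, onValidated) are hypothetical. It assumes the key casing of the attributes object is unknown and that the directory compares group DNs case-insensitively.

```javascript
'use strict';

const STAFF_DN = 'CN=Staff,OU=Groups,DC=example,DC=edu'; // group DN from the page's sample

// Collect every value of an attribute. Names are matched case-insensitively
// and keys that differ only by case are merged (key casing is an assumption).
function getAttributeValues(attributes, name) {
  const wanted = String(name).toLowerCase();
  const values = [];
  for (const [key, value] of Object.entries(attributes || {})) {
    if (key.toLowerCase() !== wanted) continue;
    // The documented shape is an array; tolerate a bare string defensively.
    for (const v of Array.isArray(value) ? value : [value]) {
      if (typeof v === 'string') values.push(v);
    }
  }
  return values;
}

// Normalize a DN for comparison: trim and lower-case each RDN.
// Assumptions: the directory compares DNs case-insensitively, and no RDN
// value contains an escaped comma.
function normalizeDn(dn) {
  return dn.split(',').map((rdn) => rdn.trim().toLowerCase()).join(',');
}

// True only when one memberOf value equals the required group DN in full,
// so "CN=Staff-Contractors,..." never satisfies a check for "CN=Staff,...".
function isMemberOf(extended, requiredDn) {
  if (!extended || typeof extended !== 'object') return false;
  const required = normalizeDn(requiredDn);
  return getAttributeValues(extended.attributes, 'memberOf')
    .some((dn) => normalizeDn(dn) === required);
}

// Callback with the documented signature; denies unless every check passes.
function onValidated(err, status, username, extended) {
  if (err || status !== true) return { allowed: false, reason: 'not authenticated' };
  if (!isMemberOf(extended, STAFF_DN)) return { allowed: false, reason: 'not in group' };
  return { allowed: true, username };
}

// Constructed sample mirroring the page's XML (duplicate value, mixed-case key).
const sample = {
  username: 'jsmith',
  attributes: { MemberOf: [STAFF_DN, STAFF_DN], surname: ['Smith'] },
};

console.log(onValidated(null, true, sample.username, sample));
```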
Depending on the CAS server, the attributes may be provided in one of three XML formats. All of them are supported. You may safely skip this section.
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:attraStyle>RubyCAS</cas:attraStyle>
      <cas:surname>Smith</cas:surname>
      <cas:givenName>John</cas:givenName>
      <cas:memberOf>CN=Staff,OU=Groups,DC=example,DC=edu</cas:memberOf>
      <cas:memberOf>CN=Spanish Department,OU=Departments,...</cas:memberOf>
    </cas:attributes>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2...</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attraStyle>RubyCAS</cas:attraStyle>
    <cas:surname>Smith</cas:surname>
    <cas:givenName>John</cas:givenName>
    <cas:memberOf>CN=Staff,OU=Groups,DC=example,DC=edu</cas:memberOf>
    <cas:memberOf>CN=Spanish Department,OU=Departments,...</cas:memberOf>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2...</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attribute name='attraStyle' value='Name-Value' />
    <cas:attribute name='surname' value='Smith' />
    <cas:attribute name='givenName' value='John' />
    <cas:attribute name='memberOf' value='CN=Staff,OU=Groups,DC=example,DC=edu' />
    <cas:attribute name='memberOf' value='CN=Spanish Department,OU=Departments,...' />
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2sfa23casd</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>