Skip to content

Extra user attributes

Joshua Weaver edited this page Jun 8, 2018 · 3 revisions

Normally when a user logs in, the only information made available to CAS clients about the user is their authenticated username. But what if you want additional information like the user's full name or group membership?

As of version 0.7.0, the CAS server is able to send back this extra information in authentication responses. As of version 1.1.1 [see code] the extra information is sent back wrapped in a <cas:attributes> XML tag per the CAS spec.

Example Response Shape:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
        <cas:user>John Doe</cas:user> 
        <!-- ... -->
        <cas:attributes>
            <cas:authenticationDate>2015-11-12T09:30:10Z</cas:authenticationDate>
            <cas:longTermAuthenticationRequestTokenUsed>true</cas:longTermAuthenticationRequestTokenUsed>
            <cas:isFromNewLogin>true</cas:isFromNewLogin>
            <cas:myAttribute>myValue</cas:myAttribute>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>

Configuring RubyCAS-Server to send back extra user attributes

RubyCAS-Server is only able to send user attributes accessible to the underlying authentication back end. For example, if you're using a SQL-based authenticator, additional columns from your users table can be returned. Similarly, if you're using an LDAP-based authenticator, additional fields from the retrieved LDAP entry are available.

For the SQL and LDAP authenticators, configuring this is easy (this is also true for derived authenticators like SQLEncrypted and ActiveDirectoryLDAP):

SQL

In your config.yml:

authenticator:
  class: CASServer::Authenticators::SQL
  database:
    adapter: mysql
    database: some_database_with_users_table
  user_table: users
  username_column: username
  password_column: password
  extra_attributes: full_name, access_level

Notice the extra_attributes option. This specifies the additional table columns to return in the CAS response.

LDAP

authenticator:
  class: CASServer::Authenticators::ActiveDirectoryLDAP
  ldap:
    host: ad.example.net
    port: 636
    base: dc=example,dc=net
    filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)
    auth_user: authenticator
    auth_password: itsasecret
    encryption: simple_tls
  extra_attributes: cn, mail

Notice the extra_attributes option. This specifies the additional entry fields to return in the CAS response.

Other Authenticators

To see how the extra_attributes data is populated in authenticators code, see the (SQL authenticator)[https://github.com/rubycas/rubycas-server/blob/master/lib/casserver/authenticators/sql.rb] source. The basic idea is to fill the @extra_attributes instance variable within your validate() call. The server will then automatically serialize this data and pass it on in its validation response to the CAS client.

Further Information

See: