Attribute Release Policy - REST
Only return the principal attributes that are explicitly allowed by contacting a REST endpoint. Endpoints must be designed to
accept/process application/json
and must be able to respond to a GET
request. The expected response status code is 200
where the body of
the response includes a Map
of attributes linked to their values.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
"@class" : "org.apereo.cas.services.CasRegisteredService",
"serviceId" : "sample",
"name" : "sample",
"id" : 100,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnRestfulAttributeReleasePolicy",
"endpoint" : "https://somewhere.example.org",
"headers": {
"@class": "java.util.LinkedHashMap",
"header": "value"
}
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"cn" : "commonName"
}
}
}
The following parameters are passed to the endpoint:
Parameter | Description |
---|---|
principal |
The object representing the authenticated principal. |
service |
The object representing the corresponding service definition in the registry. |
The body of the submitted request may also include a Map
of currently resolved attributes.
The allowedAttributes
field is an optional attribute that allows the policy to remap attributes virtually.
If the attribute is undefined or empty, all received attributes will be considered authorized for release on
an as-is basis. If attribute mapping rules are defined, received attributes are filtered through the mapping rules
and the results would be allowed for release.
The range of supported mapping rules and options are the same as those supported by the Return Mapped policy in its various forms.
For example, the above configuration will accept a cn
attribute from the external REST endpoint and will virtually rename
that attribute into commonName
instead.