Attribute Release Policy - REST
Only return the principal attributes that are explicitly allowed by contacting a REST endpoint. Endpoints must be designed to
accept/process application/json and must be able to respond to a GET request. The expected response status code is 200 where the body of
the response includes a Map of attributes linked to their values.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
"@class" : "org.apereo.cas.services.CasRegisteredService",
"serviceId" : "sample",
"name" : "sample",
"id" : 100,
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnRestfulAttributeReleasePolicy",
"endpoint" : "https://somewhere.example.org",
"headers": {
"@class": "java.util.LinkedHashMap",
"header": "value"
}
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"cn" : "commonName"
}
}
}
The following parameters are passed to the endpoint:
| Parameter | Description |
|---|---|
principal |
The object representing the authenticated principal. |
service |
The object representing the corresponding service definition in the registry. |
The body of the submitted request may also include a Map of currently resolved attributes.
The allowedAttributes field is an optional attribute that allows the policy to remap attributes virtually.
If the attribute is undefined or empty, all received attributes will be considered authorized for release on
an as-is basis. If attribute mapping rules are defined, received attributes are filtered through the mapping rules
and the results would be allowed for release.
The range of supported mapping rules and options are the same as those supported by the Return Mapped policy in its various forms.
For example, the above configuration will accept a cn attribute from the external REST endpoint and will virtually rename
that attribute into commonName instead.